CVSSv2: 8.3

CVE-2020-10923

Published: 28/07/2020 Updated: 29/07/2020
CVSS v2 Base Score: 8.3 | Impact Score: 10 | Exploitability Score: 6.5
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 870
Vector: AV:A/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

This vulnerability allows network-adjacent malicious users to bypass authentication on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UPnP service, which listens on TCP port 5000. A crafted UPnP message can be used to bypass authentication. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-9642.

Vulnerable Product

netgear r6700_firmware 1.0.4.84_10.0.58

Exploits

This module targets ZDI-20-704 (aka CVE-2020-10924), a buffer overflow vulnerability in the UPNP daemon (/usr/sbin/upnpd), on Netgear R6700v3 routers running firmware versions from V1.0.2.62 up to but not including V1.0.4.94, to reset the password for the 'admin' user back to its factory default of 'password'. Authentication is ...

Metasploit Modules

Netgear R6700v3 Unauthenticated LAN Admin Password Reset

This module targets ZDI-20-704 (aka CVE-2020-10924), a buffer overflow vulnerability in the UPNP daemon (/usr/sbin/upnpd), on Netgear R6700v3 routers running firmware versions from V1.0.2.62 up to but not including V1.0.4.94, to reset the password for the 'admin' user back to its factory default of 'password'. Authentication is bypassed by using ZDI-20-703 (aka CVE-2020-10923), an authentication bypass that occurs when network adjacent computers send SOAPAction UPnP messages to a vulnerable Netgear R6700v3 router. Currently this module only supports exploiting Netgear R6700v3 routers running either the V1.0.0.4.82_10.0.57 or V1.0.0.4.84_10.0.58 firmware, however support for other firmware versions may be added in the future. Once the password has been reset, attackers can use the exploit/linux/telnet/netgear_telnetenable module to send a special packet to port 23/udp of the router to enable a telnet server on port 23/tcp. The attacker can then log into this telnet server using the new password, and obtain a shell as the "root" user. These last two steps have to be done manually, as the authors did not reverse the communication with the web interface. It should be noted that successful exploitation will result in the upnpd binary crashing on the target router. As the upnpd binary will not restart until the router is rebooted, this means that attackers can only exploit this vulnerability once per reboot of the router. This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team (Pedro Ribeiro + Radek Domanski).

msf > use auxiliary/admin/http/netgear_r6700_pass_reset
msf auxiliary(netgear_r6700_pass_reset) > show actions
    ...actions...
msf auxiliary(netgear_r6700_pass_reset) > set ACTION < action-name >
msf auxiliary(netgear_r6700_pass_reset) > show options
    ...show and set options...
msf auxiliary(netgear_r6700_pass_reset) > run