This Metasploit module targets ZDI-20-704 (aka CVE-2020-10924), a buffer overflow vulnerability in the UPNP daemon (/usr/sbin/upnpd), on Netgear R6700v3 routers running firmware versions from V1.0.2.62 up to but not including V1.0.4.94, to reset the password for the admin user back to its factory default of password. Authentication is bypassed by using ZDI-20-703 (aka CVE-2020-10923), an authentication bypass that occurs when network adjacent computers send SOAPAction UPnP messages to a vulnerable Netgear R6700v3 router. Currently this module only supports exploiting Netgear R6700v3 routers running either the V1.0.0.4.82_10.0.57 or V1.0.0.4.84_10.0.58 firmware, however support for other firmware versions may be added in the future. Once the password has been reset, attackers can use the exploit/linux/telnet/netgear_telnetenable module to send a special packet to port 23/udp of the router to enable a telnet server on port 23/tcp. The attacker can then log into this telnet server using the new password, and obtain a shell as the "root" user. These last two steps have to be done manually, as the authors did not reverse the communication with the web interface. It should be noted that successful exploitation will result in the upnpd binary crashing on the target router. As the upnpd binary will not restart until the router is rebooted, this means that attackers can only exploit this vulnerability once per reboot of the router. This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team (Pedro Ribeiro + Radek Domanski).
9761d8c2da4ee95f5c6b4cfd77d3759b606692ed519993f3da76a637e562671b
This Metasploit module exploits a stack buffer overflow in the Cisco RV series router's SSL VPN functionality. The default SSL VPN configuration is exploitable, with no authentication required and works over the Internet! The stack is executable and no ASLR is in place, which makes exploitation easier. Successful execution of this module results in a reverse root shell. A custom payload is used as Metasploit does not have ARMLE null free shellcode. This vulnerability was presented by the Flashback Team in Pwn2Own Austin 2021 and OffensiveCon 2022. For more information check the referenced advisory. This module has been tested in firmware versions 1.0.03.15 and above and works with around 65% reliability. The service restarts automatically so you can keep trying until you pwn it. Only the RV340 router was tested, but other RV series routers should work out of the box.
619682621429d96cd23a1e1bcd69a008398c5244223265886c52e2e417242d02
This Metasploit module exploits a series of vulnerabilities to achieve unauthenticated remote code execution on the Rockwell FactoryTalk View SE SCADA product as the IIS user. The attack relies on the chaining of five separate vulnerabilities. The first vulnerability is an unauthenticated project copy request, the second is a directory traversal, and the third is a race condition. In order to achieve full remote code execution on all targets, two information leak vulnerabilities are also abused. This exploit was used by the Flashback team (Pedro Ribeiro + Radek Domanski) in Pwn2Own Miami 2020 to win the EWS category.
b5c77494a3939a1827cb333698735a7315890ad559b41cca1a66fcbd96bc0b9e
This Metasploit module exploits a Java deserialization vulnerability in the Inductive Automation Ignition SCADA product, versions 8.0.0 to (and including) 8.0.7. This exploit was tested on versions 8.0.0 and 8.0.7 on both Linux and Windows. The default configuration is exploitable by an unauthenticated attacker, which can achieve remote code execution as SYSTEM on a Windows installation and root on Linux. The vulnerability was discovered and exploited at Pwn2Own Miami 2020 by the Flashback team (Pedro Ribeiro + Radek Domanski).
9d49478c9a416ef64a062b712cd22c68e5b37e2e0f0dbc80fc3655a1c2e3d686
This document describes a stack overflow vulnerability that was found in October, 2019 and presented in the Pwn2Own Mobile 2019 competition in November 2019. The vulnerability is present in the UPNP daemon (/usr/sbin/upnpd), running on NETGEAR R6700v3 router with firmware versions V1.0.4.82_10.0.57 and V1.0.4.84_10.0.58. It allows for an unauthenticated reset of the root password and then spawns a telnetd to remotely access the account.
3ccd57c2afc9c37bec7729262aa2b172845c46c639bdb363b6009f40ca166d05
This Metasploit module exploits a command injection vulnerability in the tdpServer daemon (/usr/bin/tdpServer), running on the router TP-Link Archer A7/C7 (AC1750), hardware version 5, MIPS Architecture, firmware version 190726. The vulnerability can only be exploited by an attacker on the LAN side of the router, but the attacker does not need any authentication to abuse it. After exploitation, an attacker will be able to execute any command as root, including downloading and executing a binary from another host. This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team.
3dee135a8e106fdeab9e4abedc3fa3cc00c9a9cfec03ca0c69bd06e41cc64d93