
added ZyXEL GS1510-16 Password Extractor #2709

Merged
merged 5 commits into from Dec 2, 2013

Conversation

disenchant
Contributor

Here's an auxiliary module which exploits a 0-day in at least ZyXEL GS1510-16 switches (not tested on other models) which allows us to extract the admin password.

@kernelsmith
Contributor

MSF doesn't take 0-days unless they were found being exploited in the wild. Please disclose this vuln to the vendor or a third-party bug bounty program such as ZDI. Alternatively, please provide a reference if in fact it has been disclosed. Thanks

Commit Summary: added ZyXEL GS1510-16 Password Extractor

File Changes: A modules/auxiliary/admin/http/zyxel_admin_password_extractor.rb (68)

@disenchant
Contributor Author

I was informed that the product is EOL and therefore the vulnerability won't be addressed/fixed by ZyXEL.

@kernelsmith
Contributor

Ahh ok, cool. Can u add a ref for that somehow? Does their site say anything about EOL?

-Josh


@wchen-r7
Contributor

I imagine @disenchant was informed via e-mail, typically there's no reference for it unless you write a blog post. If you don't have a writeup, feel free to use this pull request as a reference since you already explained the situation.

Thanks.

@todb-r7

todb-r7 commented Dec 1, 2013

@kernelsmith wrote:

MSF doesn't take 0-days unless they were found being exploited in the wild. Please disclose this vuln to the vendor or a third-party bug bounty program such as ZDI.

This is incorrect. While we encourage researchers to practice some kind of reasonable disclosure, and will help them through the process that we stick to at Rapid7, if someone wants to disclose zero days in the form of public pull requests, we will certainly take the module. The alternative is that the full disclosure crowd will simply dump their findings to mailing lists, and that's much more of a hassle to monitor.

So, @disenchant, do use a URL reference of https://github.com/rapid7/metasploit-framework/pull/2709 in your module, as @wchen-r7 suggests. Thanks!

@wchen-r7
Contributor

wchen-r7 commented Dec 2, 2013

I think this is mostly good to go except that:

  1. We probably don't have the hardware for testing. @disenchant do you mind providing a pcap to msfdev[at]metasploit.com? That way at least we have some kind of proof it works even though we lack the equipment for testing.
  2. It is recommended to store the found password in the database by using the report_auth_info() method. Here's how to do that so you can simply copy and paste:

```ruby
# Record the recovered admin credential in the framework database
# (rhost/rport are the module's target datastore values; admin_password
# is the value extracted from the switch).
report_auth_info(
    :host   => rhost,
    :port   => rport,
    :sname  => "ZyXEL GS1510-16",
    :user   => 'admin',
    :pass   => admin_password,
    :active => true
)
```

@wchen-r7
Contributor

wchen-r7 commented Dec 2, 2013

Hmm, you removed the github reference in the last commit? cb98d68

@wchen-r7
Contributor

wchen-r7 commented Dec 2, 2013

Thanks. Code looks pretty much good to go. Just need to make sure it works......

@wchen-r7
Contributor

wchen-r7 commented Dec 2, 2013

Never mind, just got the video. Thanks for the e-mail.

wchen-r7 added a commit that referenced this pull request Dec 2, 2013
@wchen-r7 wchen-r7 merged commit 39fbb59 into rapid7:master Dec 2, 2013
@wchen-r7
Contributor

wchen-r7 commented Dec 2, 2013

Module merged. Thanks for the PR.

@todb-r7

todb-r7 commented Dec 2, 2013

The description on this module is less than descriptive. :) Giving it a shot in the pre-release cleanup

@disenchant disenchant deleted the zyxel_admin_password_extractor branch December 2, 2013 21:31
@todb-r7 todb-r7 mentioned this pull request Dec 2, 2013