This Metasploit module exploits a command injection vulnerability on WiFi Pineapples versions 2.0 and below and pineapple versions prior to 2.4. We use a combination of default credentials with a weakness in the anti-csrf generation to achieve command injection on fresh pineapple devices prior to configuration. Additionally if default credentials fail, you can enable a brute force solver for the proof-of-ownership challenge. This will reset the password to a known password if successful and may interrupt the user experience. These devices may typically be identified by their SSID beacons of 'Pineapple5_....'; details derived from the TospoVirus, a WiFi Pineapple infecting worm.
f541430f19dac4f0494fce74a1f639f98b5978e237ef67e38fdf6c2074172475
WiFi Pineapples with firmware versions 2.3.0 and below suffer from using a predictable cross site request forgery token.
d28d69f0685d472bf2f32a107ab1c86929af0af281983fb44aed43ba9dda6a3d