Access to a router's GUI
The other answers are correct, however there is one big fish being mostly ignored:
DNS cache poisoning
As @Larry said, since you own the router you own the DNS. Meaning you can cause any other user of that network to use any server you want for any address they request.
But more than that:
- You can leave your DNS ownership in place; even when you're not there anymore, other users will continue to use your servers.
- Even after the other users leave, you can still own whatever address they try to access.
To clarify, let's assume some victim at some point uses the coffeeshop to access http://www.google.com/. This should resolve to 209.85.143.104. However, because you pwned the router, you're sending anyone who requests http://www.google.com/ to 207.200.14.140. This will continue to happen, even after you go home...
Now, what happens if you set the TTL for the DNS response (the one returning 207.200.14.140 for http://www.google.com/), to some value far in the future? The victim will go home, back to his "secure" network, and at some point will again browse to http://www.google.com/. Shouldn't be a problem, right? Well, the TTL caused the DNS response to stay cached on your machine, so your browser now doesn't even bother making another DNS request - it just sticks with the 207.200.14.140 it got at the coffeeshop. That you gave it. 3 weeks ago.
Just a suggestion? A bit borderline, but since no one at the coffeeshop cares (or probably even knows how to log on to a router, or what that even is), do them a favor: change the password for them. Write it down for them, hand it to the manager, and if he really needs it, he'll figure out what to do, and maybe even learn a lesson.
Of course, this is borderline ethical, maybe even illegal, so caveat emptor. But other users WILL be grateful (even if they know nothing about it).
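An added example, not part of the original answers: the long-TTL persistence described above depends on the client or its resolver honouring whatever TTL arrives on the wire, so one defence is to cap cached TTLs and flag responses that exceed the cap. The sketch below parses a DNS response and does both; the 86400-second cap, the function names and the sample packet are assumptions constructed for illustration.

```python
import socket
import struct
MAX_TTL = 86400  # assumed cap (one day); not a value from the page

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while off < len(msg):
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length
    raise ValueError("truncated name")

def a_records(msg):
    """Return [(ipv4, ttl)] for each A record in the answer section."""
    if len(msg) < 12:
        raise ValueError("short header")
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, found = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4           # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record header")
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated rdata")
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            found.append((socket.inet_ntoa(rdata), ttl))
        off += 10 + rdlen
    return found

def audit(msg, max_ttl=MAX_TTL):
    """Return [(ip, wire_ttl, ttl_to_cache, flagged)]; TTLs above max_ttl are clamped."""
    return [(ip, ttl, min(ttl, max_ttl), ttl > max_ttl) for ip, ttl in a_records(msg)]

def build_sample(ttl):
    """Constructed response for www.google.com carrying the page's example address."""
    qname = b"".join(bytes([len(l)]) + l for l in b"www.google.com".split(b".")) + b"\x00"
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton("207.200.14.140")
    return header + qname + struct.pack("!HH", 1, 1) + answer

if __name__ == "__main__":
    print(audit(build_sample(3 * 7 * 86400)))   # three-week TTL, as in the answer
```

Caching resolvers expose the same cap as configuration, for example Unbound's `cache-max-ttl` and dnsmasq's `--max-cache-ttl`.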
Was prompted by conversation with @Iszi on chat to make things much clearer - to just highlight the main increased risks.
An attacker could reroute every request sent by users of the network leading to:
- Phishing attack - for example the normal guidance for users is to never click on untrusted links for things like online banking, but to always type in the url for www.examplebank.com. Controlling the router lets an attacker get around that control easily so you could end up at a site which will grab your online banking credentials as you log in.
- Malware attack - You can be rerouted to a site which will attempt to download malware onto your computer even though you specified a known good URL
- Inline data injection/modification - An attacker could modify any data in transit. This would be hard to do from the perspective of a user of the wireless network, but much more straightforward for an attacker if all data was routed via a server they control
- Other attacks based on this Man In the Middle - various other compromises
The internet is your oyster with this one - effectively users would no longer be able to trust any communication through the network! It is almost as good as pwning the user's computer.
The other points I mentioned are already possible on wireless networks so I have taken them out.
If you own the router, you own the internet effectively. For example, you can tell the router to use your computer as the DNS server for all the clients on the network - that means you own address resolution for every client on the network.