metasploit-framework/modules/auxiliary/admin/upnp/soap_portmapping.rb

##
# encoding: utf-8
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'nokogiri'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize
    super(
      'Name'           => 'UPnP IGD SOAP Port Mapping Utility',
      'Description'    => %q{
        Manage port mappings on UPnP IGD-capable device using the AddPortMapping and
        DeletePortMapping SOAP requests
      },
      'Author'         =>
        [
          'St0rn <fabien[at]anbu-pentest.com>', # initial module
          'Jon Hart <jon_hart[at]rapid7.com>'   # module cleanup and refactoring
        ],
      'License'        => MSF_LICENSE,
      'References'     => [['URL', 'http://www.upnp-hacks.org/igd.html']],
      'DefaultAction'  => 'ADD',
      'Actions'        =>
        [
          [ 'ADD',
            {
              'Description' => 'Use the AddPortMapping SOAP command to open and forward a port',
              'SOAP_ACTION' => 'AddPortMapping'
            }
          ],
          [ 'DELETE',
            {
              'Description' => 'Use the DeletePortMapping SOAP command to remove a port forwarding',
              'SOAP_ACTION' => 'DeletePortMapping'
            }
          ]
        ],
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'UPnP control URL', '/' ]),
        OptAddress.new('INTERNAL_CLIENT', [false, 'Internal client hostname/IP']),
        OptAddress.new('EXTERNAL_CLIENT', [false, 'External client hostname/IP']),
        OptEnum.new('PROTOCOL', [true, 'Transport level protocol to map', 'TCP', %w(TCP UDP)]),
        OptInt.new('INTERNAL_PORT', [false, 'Internal port']),
        OptInt.new('EXTERNAL_PORT', [true, 'External port']),
        OptInt.new('LEASE_DURATION', [false, 'Lease time for mapping, in seconds', 3600])
      ],
      self.class
    )
  end

  def internal_port
    @internal_port ||= datastore['INTERNAL_PORT']
  end

  def internal_client
    @internal_client ||= datastore['INTERNAL_CLIENT']
  end

  def external_port
    @external_port ||= datastore['EXTERNAL_PORT']
  end

  def external_client
    @external_client ||= datastore['EXTERNAL_CLIENT']
  end

  def lease_duration
    @lease_duration ||= datastore['LEASE_DURATION']
  end

  def protocol
    @protocol ||= datastore['PROTOCOL']
  end

  def soap_action
    @soap_action ||= action.opts['SOAP_ACTION']
  end

  def build_soap
    builder = ::Nokogiri::XML::Builder.new do |xml|
      xml['SOAP-ENV'].Envelope('xmlns:SOAP-ENV' => 'http://schemas.xmlsoap.org/soap/envelope', 'SOAP-ENV:encodingStyle' => 'http://schemas.xmlsoap.org/soap/encoding/') do
        xml['SOAP-ENV'].Body do
          xml['m'].send(soap_action, 'xmlns:m' => 'urn:schemas-upnp-org:service:WANIPConnection:1') do
            case action.name
            when 'ADD'
              xml.NewPortMappingDescription(Rex::Text.rand_text_alpha(8)) { xml.parent.namespace = nil }
              xml.NewLeaseDuration(lease_duration) { xml.parent.namespace = nil }
              xml.NewInternalClient(internal_client) { xml.parent.namespace = nil }
              xml.NewEnabled(1) { xml.parent.namespace = nil }
              xml.NewExternalPort(external_port) { xml.parent.namespace = nil }
              xml.NewRemoteHost(external_client) { xml.parent.namespace = nil }
              xml.NewProtocol(protocol) { xml.parent.namespace = nil }
              xml.NewInternalPort(internal_port) { xml.parent.namespace = nil }
            when 'DELETE'
              xml.NewExternalPort(external_port) { xml.parent.namespace = nil }
              xml.NewRemoteHost(external_client) { xml.parent.namespace = nil }
              xml.NewProtocol(protocol) { xml.parent.namespace = nil }
            end
          end
        end
      end
    end
    builder.to_xml
  end

  def run
    res = send_request_cgi(
      'uri'           => normalize_uri(target_uri.path),
      'method'        => 'POST',
      'content-type'  => 'text/xml;charset="utf-8"',
      'data'          => build_soap,
      'headers'       => {
        'SoapAction'  => "urn:schemas-upnp-org:service:WANIPConnection:1##{soap_action}"
      }
    )

    external_map = "#{external_client ? external_client : 'any'}:#{external_port}/#{protocol}"
    internal_map = "#{internal_client ? internal_client : 'any'}:#{internal_port}/#{protocol}"
    map = "#{external_map} -> #{internal_map}"

    if res
      if res.code == 200
        print_good("#{peer} #{map} #{action.name} succeeded")
      else
        print_error("#{peer} #{map} #{action.name} failed with response code #{res.code}")
        vprint_status("#{res.body}")
      end
    else
      print_error("#{peer} no response for #{map} #{action.name}")
    end
  end
end
Create soap_addportmapping.rb 2015-07-26 18:59:04 +00:00			`##`
			`# encoding: utf-8`
			`# This module requires Metasploit: http://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`
Nokogiri::XML::Builder instead 2015-09-17 02:53:33 +00:00			`require 'nokogiri'`
Use random port mapping description 2015-08-28 22:09:58 +00:00
Create soap_addportmapping.rb 2015-07-26 18:59:04 +00:00			`class Metasploit3 < Msf::Auxiliary`
Convert to using HttpClient 2015-08-28 21:47:13 +00:00			`include Msf::Exploit::Remote::HttpClient`
Create soap_addportmapping.rb 2015-07-26 18:59:04 +00:00
First pass at style cleanup 2015-08-28 21:19:28 +00:00			`def initialize`
			`super(`
Better name, description and author 2015-08-31 17:42:50 +00:00			`'Name' => 'UPnP IGD SOAP Port Mapping Utility',`
Fix metadata 2015-09-25 18:34:16 +00:00			`'Description' => %q{`
			`Manage port mappings on UPnP IGD-capable device using the AddPortMapping and`
			`DeletePortMapping SOAP requests`
			`},`
Better name, description and author 2015-08-31 17:42:50 +00:00			`'Author' =>`
			`[`
			`'St0rn <fabien[at]anbu-pentest.com>', # initial module`
			`'Jon Hart <jon_hart[at]rapid7.com>' # module cleanup and refactoring`
			`],`
Add add/delete action. update logging. rename module again 2015-08-31 17:22:36 +00:00			`'License' => MSF_LICENSE,`
Add Reference 2015-08-31 19:03:17 +00:00			`'References' => [['URL', 'http://www.upnp-hacks.org/igd.html']],`
Better name, description and author 2015-08-31 17:42:50 +00:00			`'DefaultAction' => 'ADD',`
Add add/delete action. update logging. rename module again 2015-08-31 17:22:36 +00:00			`'Actions' =>`
			`[`
			`[ 'ADD',`
			`{`
			`'Description' => 'Use the AddPortMapping SOAP command to open and forward a port',`
			`'SOAP_ACTION' => 'AddPortMapping'`
			`}`
			`],`
			`[ 'DELETE',`
			`{`
			`'Description' => 'Use the DeletePortMapping SOAP command to remove a port forwarding',`
			`'SOAP_ACTION' => 'DeletePortMapping'`
			`}`
			`]`
			`],`
First pass at style cleanup 2015-08-28 21:19:28 +00:00			`)`
Add add/delete action. update logging. rename module again 2015-08-31 17:22:36 +00:00
First pass at style cleanup 2015-08-28 21:19:28 +00:00			`register_options(`
Create soap_addportmapping.rb 2015-07-26 18:59:04 +00:00			`[`
More minor style cleanup 2015-08-28 21:49:57 +00:00			`OptString.new('TARGETURI', [true, 'UPnP control URL', '/' ]),`
Use an OptAddress instead, revert back to client name 2015-08-28 22:43:04 +00:00			`OptAddress.new('INTERNAL_CLIENT', [false, 'Internal client hostname/IP']),`
Restore required option 2015-09-25 18:41:27 +00:00			`OptAddress.new('EXTERNAL_CLIENT', [false, 'External client hostname/IP']),`
Add support for specifying protocol UDP is fun too. Are there others? 2015-08-28 21:53:41 +00:00			`OptEnum.new('PROTOCOL', [true, 'Transport level protocol to map', 'TCP', %w(TCP UDP)]),`
Make INTERNAL_PORT optional, allowing DELETE to work 2015-08-31 18:30:18 +00:00			`OptInt.new('INTERNAL_PORT', [false, 'Internal port']),`
Use an OptAddress instead, revert back to client name 2015-08-28 22:43:04 +00:00			`OptInt.new('EXTERNAL_PORT', [true, 'External port']),`
Fix metadata 2015-09-25 18:34:16 +00:00			`OptInt.new('LEASE_DURATION', [false, 'Lease time for mapping, in seconds', 3600])`
First pass at style cleanup 2015-08-28 21:19:28 +00:00			`],`
			`self.class`
			`)`
			`end`
Create soap_addportmapping.rb 2015-07-26 18:59:04 +00:00
Make most everything configurable and provide useful output 2015-08-28 22:36:49 +00:00			`def internal_port`
			`@internal_port \|\|= datastore['INTERNAL_PORT']`
			`end`

Use an OptAddress instead, revert back to client name 2015-08-28 22:43:04 +00:00			`def internal_client`
			`@internal_client \|\|= datastore['INTERNAL_CLIENT']`
Make most everything configurable and provide useful output 2015-08-28 22:36:49 +00:00			`end`

			`def external_port`
			`@external_port \|\|= datastore['EXTERNAL_PORT']`
			`end`

Use an OptAddress instead, revert back to client name 2015-08-28 22:43:04 +00:00			`def external_client`
			`@external_client \|\|= datastore['EXTERNAL_CLIENT']`
Make most everything configurable and provide useful output 2015-08-28 22:36:49 +00:00			`end`

			`def lease_duration`
			`@lease_duration \|\|= datastore['LEASE_DURATION']`
			`end`

			`def protocol`
			`@protocol \|\|= datastore['PROTOCOL']`
Add support for specifying protocol UDP is fun too. Are there others? 2015-08-28 21:53:41 +00:00			`end`

Add add/delete action. update logging. rename module again 2015-08-31 17:22:36 +00:00			`def soap_action`
			`@soap_action \|\|= action.opts['SOAP_ACTION']`
			`end`

Nokogiri::XML::Builder instead 2015-09-17 02:53:33 +00:00			`def build_soap`
			`builder = ::Nokogiri::XML::Builder.new do \|xml\|`
Use single quotes 2015-09-25 18:35:38 +00:00			`xml['SOAP-ENV'].Envelope('xmlns:SOAP-ENV' => 'http://schemas.xmlsoap.org/soap/envelope', 'SOAP-ENV:encodingStyle' => 'http://schemas.xmlsoap.org/soap/encoding/') do`
Nokogiri::XML::Builder instead 2015-09-17 02:53:33 +00:00			`xml['SOAP-ENV'].Body do`
			`xml['m'].send(soap_action, 'xmlns:m' => 'urn:schemas-upnp-org:service:WANIPConnection:1') do`
			`case action.name`
			`when 'ADD'`
			`xml.NewPortMappingDescription(Rex::Text.rand_text_alpha(8)) { xml.parent.namespace = nil }`
			`xml.NewLeaseDuration(lease_duration) { xml.parent.namespace = nil }`
			`xml.NewInternalClient(internal_client) { xml.parent.namespace = nil }`
			`xml.NewEnabled(1) { xml.parent.namespace = nil }`
			`xml.NewExternalPort(external_port) { xml.parent.namespace = nil }`
			`xml.NewRemoteHost(external_client) { xml.parent.namespace = nil }`
			`xml.NewProtocol(protocol) { xml.parent.namespace = nil }`
			`xml.NewInternalPort(internal_port) { xml.parent.namespace = nil }`
			`when 'DELETE'`
			`xml.NewExternalPort(external_port) { xml.parent.namespace = nil }`
			`xml.NewRemoteHost(external_client) { xml.parent.namespace = nil }`
			`xml.NewProtocol(protocol) { xml.parent.namespace = nil }`
			`end`
			`end`
			`end`
			`end`
Add add/delete action. update logging. rename module again 2015-08-31 17:22:36 +00:00			`end`
Nokogiri::XML::Builder instead 2015-09-17 02:53:33 +00:00			`builder.to_xml`
			`end`
Clean up map description 2015-08-28 22:49:29 +00:00
Nokogiri::XML::Builder instead 2015-09-17 02:53:33 +00:00			`def run`
Convert to using HttpClient 2015-08-28 21:47:13 +00:00			`res = send_request_cgi(`
More minor style cleanup 2015-08-28 21:49:57 +00:00			`'uri' => normalize_uri(target_uri.path),`
			`'method' => 'POST',`
			`'content-type' => 'text/xml;charset="utf-8"',`
Nokogiri::XML::Builder instead 2015-09-17 02:53:33 +00:00			`'data' => build_soap,`
More minor style cleanup 2015-08-28 21:49:57 +00:00			`'headers' => {`
Add add/delete action. update logging. rename module again 2015-08-31 17:22:36 +00:00			`'SoapAction' => "urn:schemas-upnp-org:service:WANIPConnection:1##{soap_action}"`
Convert to using HttpClient 2015-08-28 21:47:13 +00:00			`}`
			`)`
Create soap_addportmapping.rb 2015-07-26 18:59:04 +00:00
Add add/delete action. update logging. rename module again 2015-08-31 17:22:36 +00:00			`external_map = "#{external_client ? external_client : 'any'}:#{external_port}/#{protocol}"`
			`internal_map = "#{internal_client ? internal_client : 'any'}:#{internal_port}/#{protocol}"`
			`map = "#{external_map} -> #{internal_map}"`

Convert to using HttpClient 2015-08-28 21:47:13 +00:00			`if res`
			`if res.code == 200`
Add add/delete action. update logging. rename module again 2015-08-31 17:22:36 +00:00			`print_good("#{peer} #{map} #{action.name} succeeded")`
Convert to using HttpClient 2015-08-28 21:47:13 +00:00			`else`
print the body as verbose 2015-09-25 18:51:18 +00:00			`print_error("#{peer} #{map} #{action.name} failed with response code #{res.code}")`
			`vprint_status("#{res.body}")`
Convert to using HttpClient 2015-08-28 21:47:13 +00:00			`end`
First pass at style cleanup 2015-08-28 21:19:28 +00:00			`else`
Add add/delete action. update logging. rename module again 2015-08-31 17:22:36 +00:00			`print_error("#{peer} no response for #{map} #{action.name}")`
First pass at style cleanup 2015-08-28 21:19:28 +00:00			`end`
			`end`
Create soap_addportmapping.rb 2015-07-26 18:59:04 +00:00			`end`