|
5 | 5 | ##
|
6 | 6 |
|
7 | 7 | require 'msf/core'
|
| 8 | +require 'nokogiri' |
8 | 9 |
|
9 | 10 | class Metasploit3 < Msf::Auxiliary
|
10 | 11 | include Msf::Exploit::Remote::HttpClient
|
@@ -80,35 +81,39 @@ def soap_action
|
80 | 81 | @soap_action ||= action.opts['SOAP_ACTION']
|
81 | 82 | end
|
82 | 83 |
|
83 |
| - def run |
84 |
| - content = "<?xml version=\"1.0\"?>" |
85 |
| - content << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">" |
86 |
| - content << "<SOAP-ENV:Body>" |
87 |
| - content << "<m:#{soap_action} xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">" |
88 |
| - case action.name |
89 |
| - when 'ADD' |
90 |
| - content << "<NewPortMappingDescription>#{Rex::Text.rand_text_alpha(8)}</NewPortMappingDescription>" |
91 |
| - content << "<NewLeaseDuration>#{lease_duration}</NewLeaseDuration>" |
92 |
| - content << "<NewInternalClient>#{internal_client}</NewInternalClient>" |
93 |
| - content << "<NewEnabled>1</NewEnabled>" |
94 |
| - content << "<NewExternalPort>#{external_port}</NewExternalPort>" |
95 |
| - content << "<NewRemoteHost>#{external_client}</NewRemoteHost>" |
96 |
| - content << "<NewProtocol>#{protocol}</NewProtocol>" |
97 |
| - content << "<NewInternalPort>#{internal_port}</NewInternalPort>" |
98 |
| - when 'DELETE' |
99 |
| - content << "<NewExternalPort>#{external_port}</NewExternalPort>" |
100 |
| - content << "<NewRemoteHost>#{external_client}</NewRemoteHost>" |
101 |
| - content << "<NewProtocol>#{protocol}</NewProtocol>" |
| 84 | + def build_soap |
| 85 | + builder = ::Nokogiri::XML::Builder.new do |xml| |
| 86 | + xml['SOAP-ENV'].Envelope("xmlns:SOAP-ENV" => 'http://schemas.xmlsoap.org/soap/envelope', 'SOAP-ENV:encodingStyle' => 'http://schemas.xmlsoap.org/soap/encoding/') do |
| 87 | + xml['SOAP-ENV'].Body do |
| 88 | + xml['m'].send(soap_action, 'xmlns:m' => 'urn:schemas-upnp-org:service:WANIPConnection:1') do |
| 89 | + case action.name |
| 90 | + when 'ADD' |
| 91 | + xml.NewPortMappingDescription(Rex::Text.rand_text_alpha(8)) { xml.parent.namespace = nil } |
| 92 | + xml.NewLeaseDuration(lease_duration) { xml.parent.namespace = nil } |
| 93 | + xml.NewInternalClient(internal_client) { xml.parent.namespace = nil } |
| 94 | + xml.NewEnabled(1) { xml.parent.namespace = nil } |
| 95 | + xml.NewExternalPort(external_port) { xml.parent.namespace = nil } |
| 96 | + xml.NewRemoteHost(external_client) { xml.parent.namespace = nil } |
| 97 | + xml.NewProtocol(protocol) { xml.parent.namespace = nil } |
| 98 | + xml.NewInternalPort(internal_port) { xml.parent.namespace = nil } |
| 99 | + when 'DELETE' |
| 100 | + xml.NewExternalPort(external_port) { xml.parent.namespace = nil } |
| 101 | + xml.NewRemoteHost(external_client) { xml.parent.namespace = nil } |
| 102 | + xml.NewProtocol(protocol) { xml.parent.namespace = nil } |
| 103 | + end |
| 104 | + end |
| 105 | + end |
| 106 | + end |
102 | 107 | end
|
103 |
| - content << "</m:#{soap_action}>" |
104 |
| - content << "</SOAP-ENV:Body>" |
105 |
| - content << "</SOAP-ENV:Envelope>" |
| 108 | + builder.to_xml |
| 109 | + end |
106 | 110 |
|
| 111 | + def run |
107 | 112 | res = send_request_cgi(
|
108 | 113 | 'uri' => normalize_uri(target_uri.path),
|
109 | 114 | 'method' => 'POST',
|
110 | 115 | 'content-type' => 'text/xml;charset="utf-8"',
|
111 |
| - 'data' => content, |
| 116 | + 'data' => build_soap, |
112 | 117 | 'headers' => {
|
113 | 118 | 'SoapAction' => "urn:schemas-upnp-org:service:WANIPConnection:1##{soap_action}"
|
114 | 119 | }
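Review bot: `xml['m'].send(soap_action, 'xmlns:m' => …)` at new line 88 dispatches on a method name taken from `action.opts['SOAP_ACTION']`, so an action name that happens to match a real method on the builder (or on the enclosing module instance that Nokogiri's Builder delegates to) would call that method instead of emitting an element; Nokogiri's documented escape for such collisions is a trailing underscore, which its `method_missing` strips, e.g. `xml['m'].send("#{soap_action}_", 'xmlns:m' => 'urn:schemas-upnp-org:service:WANIPConnection:1')`. The same applies to the eleven `xml.NewXxx(...)` calls at lines 91–102, which also repeat the `{ xml.parent.namespace = nil }` block verbatim; a name-to-value table iterated once would keep the element order, make the namespace reset a single commented line, and give the `case` an explicit empty `else` for action names other than `ADD`/`DELETE` (the current code silently emits no arguments there, as the old `run` did). Whether integer values such as `1` and the port numbers are stringified by Nokogiri the same way the old interpolation did is worth confirming with a quick comparison of `build_soap` output against the removed string for both actions.
```ruby
        xml['m'].send("#{soap_action}_", 'xmlns:m' => 'urn:schemas-upnp-org:service:WANIPConnection:1') do
          fields =
            case action.name
            when 'ADD'
              {
                'NewPortMappingDescription' => Rex::Text.rand_text_alpha(8),
                'NewLeaseDuration' => lease_duration,
                'NewInternalClient' => internal_client,
                'NewEnabled' => 1,
                'NewExternalPort' => external_port,
                'NewRemoteHost' => external_client,
                'NewProtocol' => protocol,
                'NewInternalPort' => internal_port
              }
            when 'DELETE'
              {
                'NewExternalPort' => external_port,
                'NewRemoteHost' => external_client,
                'NewProtocol' => protocol
              }
            else
              {} # unknown action: emit the action element with no arguments, as before
            end
          # Argument elements are emitted without the 'm' prefix; the namespace
          # reset on each child is what the per-element blocks above did.
          fields.each do |name, value|
            xml.send("#{name}_", value) { xml.parent.namespace = nil }
          end
        end
        # … unchanged: closing of Body, Envelope and the Builder block …
```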
|
|