# -*- coding: binary -*- module Msf ### # # This module exposes methods that may be useful to exploits that deal with # servers that speak the telnet protocol. # ### module Exploit::Remote::Web include Exploit::Remote::Tcp include Exploit::Remote::HttpClient # Default value for #web_payload_stub WEB_PAYLOAD_STUB = '!payload!' # # Optional stub to be replaced with the exploit payload. # # Default stub is 'WEB_PAYLOAD_STUB'. # attr_accessor :web_payload_stub # Creates an instance of a Telnet exploit module. # def initialize( info = {} ) super register_options([ OptString.new( 'PATH', [ true, 'The path to the vulnerable script.', '/' ] ), OptString.new( 'GET', [ false, "GET parameters. ('foo=bar&vuln=#{WEB_PAYLOAD_STUB}', #{WEB_PAYLOAD_STUB} will be substituted with the payload.)", "" ] ), OptString.new( 'POST', [ false, "POST parameters. ('foo=bar&vuln=#{WEB_PAYLOAD_STUB}', #{WEB_PAYLOAD_STUB} will be substituted with the payload.)", "" ] ), OptString.new( 'COOKIES', [ false, "Cookies to be sent with the request. ('foo=bar;vuln=#{WEB_PAYLOAD_STUB}', #{WEB_PAYLOAD_STUB} will be substituted with the payload.)", "" ] ), OptString.new( 'HEADERS', [ false, "Headers to be sent with the request. ('User-Agent=bar&vuln=#{WEB_PAYLOAD_STUB}', #{WEB_PAYLOAD_STUB} will be substituted with the payload.)", "" ] ), ], self.class ) self.web_payload_stub = WEB_PAYLOAD_STUB end def path Rex::Text.uri_encode( substitute_web_payload_stub( datastore['PATH'] ) ) end def get substitute_in_hash( parse_query( datastore['GET'] ) ) end def post substitute_in_hash( parse_query( datastore['POST'] ) ) end def cookies substitute_web_payload_stub( datastore['COOKIES'], ',;' ) end def headers substitute_in_hash( parse_query( datastore['HEADERS'] ) ) end def method post.empty? ? 'GET' : 'POST' end def check path = datastore['PATH'] print_status "Checking #{path}" response = send_request_raw( 'uri' => path ) return Exploit::CheckCode::Detected if response.code == 200 print_error "Server responded with #{response.code}" Exploit::CheckCode::Unknown end def exploit print_status "Sending HTTP request for #{path}" if res = perform_request print_status "The server responded with HTTP status code #{res.code}." else print_status 'The server did not respond to our request.' end handler end def tries 1 end private def perform_request send_request_cgi({ 'global' => true, 'uri' => path, 'method' => method, 'vars_get' => get, 'vars_post' => post, 'headers' => headers, 'cookie' => cookies }, 0.01 ) end # # Converts a URI query string into a key=>value hash. # def parse_query( query, sep = '&' ) query = query.to_s return {} if query.empty? query.split( sep ).inject({}) do |h, part| k, v = part.split( '=', 2 ) h[k.to_s] = v.to_s h end end # # With what to replace 'WEB_PAYLOAD_STUB'. # # By default returns 'payload.encoded', override as needed. # def stub_value payload.encoded end # # Substitutes 'web_payload_stub' with the exploit payload. # def substitute_web_payload_stub( str, escape = '' ) value = stub_value value = URI.encode( stub_value, escape ) if !escape.empty? str.to_s.gsub( web_payload_stub, value ) end def substitute_in_hash( hash ) hash.inject({}) do |h, (k, v)| h[substitute_web_payload_stub( k )] = substitute_web_payload_stub( v ) h end end end end