Make status code checking configurable

jhart-r7 · jhart-r7 · commit 3489ea540ec4 · 2015-01-15T12:22:16.000-08:00
diff --git a/modules/auxiliary/scanner/http/allegro_rompager_misfortune_cookie.rb b/modules/auxiliary/scanner/http/allegro_rompager_misfortune_cookie.rb
@@ -40,6 +40,12 @@ def initialize(info = {})
         OptString.new('TARGETURI', [true, 'URI to test', '/'])
       ], Exploit::Remote::HttpClient
     )
+
+    register_advanced_options(
+      [
+        OptString.new('STATUS_CODES_REGEX', [true, 'Ensure that canary pages and probe responses have status codes that match this regex', '^4\d{3}$'])
+      ], self.class
+    )
   end
 
   def check_host(_ip)
@@ -62,6 +68,10 @@ def run_host(ip)
     end
   end
 
+  def setup
+    @status_codes_regex = Regexp.new(datastore['STATUS_CODES_REGEX'])
+  end
+
   # Fingerprints the provided HTTP response and returns
   # Exploit::CheckCode::Appears if it is a vulnerable version of RomPager,
   # otherwise returns the provided fall-back status.
@@ -86,9 +96,9 @@ def find_canary
         'headers' => headers
       )
       # in most cases, the canary URI will not exist and will return a 404, but
-      # if everything under TARGETURI is protected by auth, that may be fine
-      # too
-      return canary if res && (res.code == 401 || res.code == 404)
+      # if everything under TARGETURI is protected by auth, a 401 may be OK too.
+      # but, regardless, respect the configuration set for this module
+      return canary if res && res.code.to_s =~ @status_codes_regex
     end
     nil
   end
@@ -107,7 +117,7 @@ def headers
   # overwrote RomPager's concept of the requested URI, indicating that it is
   # vulnerable.
   def test_misfortune
-    # find a usable canary URI (one that returns a 404 already)
+    # find a usable canary URI (one that returns an acceptable status code already)
     unless (canary_value = find_canary)
       vprint_error("#{peer} Unable to find a suitable canary URI")
       return Exploit::CheckCode::Unknown
@@ -129,7 +139,7 @@ def test_misfortune
       return Exploit::CheckCode::Unknown
     end
 
-    unless res.code == 404
+    unless res.code.to_s =~ @status_codes_regex
       vprint_status("#{full_uri} unexpected HTTP code #{res.code} response")
       return check_response_fingerprint(res, Exploit::CheckCode::Detected)
     end
