second release module

Author: h00die-gr3y

modules/exploits/linux/http/acronis_cyber_infra_cve_2023_45249.rb

@@ -25,11 +25,11 @@ def initialize(info = {})
         'Description' => %q{
           Acronis Cyber Infrastructure (ACI) is an IT infrastructure solution that provides storage,
           compute, and network resources. Businesses and Service Providers are using it for data storage,
-          backup storage, creating and managing virtual machines and software-defined networks,running
+          backup storage, creating and managing virtual machines and software-defined networks, running
           cloud-native applications in production environments.
           This module exploits a default password vulnerability in ACI which allow an attacker to access
-          the ACI PostgreSQL database and gain administrative access to the ACI Admin Portal.
-          This opens the door for the attacker to upload ssh keys that enables addministrative root acces
+          the ACI PostgreSQL database and gain administrative access to the ACI Web Portal.
+          This opens the door for the attacker to upload ssh keys that enables root acces
           to the appliance/server. This attack can be remotely executed over the WAN as long as the
           PostgreSQL and SSH services are exposed to the outside world.
           ACI versions 5.0 before build 5.0.1-61, 5.1 before build 5.1.1-71, 5.2 before build 5.2.1-69,
@@ -236,21 +236,39 @@ def execute_command(cmd, _opts = {})
     @timeout = true
   end
 
-  def check_port(port)
-    # checks network port and return true if open and false if closed.
-    Timeout.timeout(datastore['ConnectTimeout']) do
-      TCPSocket.new(datastore['RHOST'], port).close
-      return true
-    rescue StandardError
-      return false
+  def get_aci_version
+    # Return ACI version-release or nil if not found
+    version_release = nil
+    res = send_request_cgi({
+      'method' => 'GET',
+      'ctype' => 'application/json',
+      'headers' => {
+        'X-Requested-With' => 'XMLHttpRequest'
+      },
+      'uri' => normalize_uri(target_uri.path, 'api', 'v2', 'about')
+    })
+    if res&.code == 200 && res.body.include?('storage-release')
+      # parse json response and get the version
+      res_json = res.get_json_document
+      unless res_json.blank?
+        version = res_json['storage-release']['version']
+        release = res_json['storage-release']['release']
+        version_release = Rex::Version.new("#{version}-#{release}".gsub(/[[:space:]]/, '')) unless version.nil? || release.nil?
+      end
+      return version_release
     end
-  rescue Timeout::Error
-    return false
   end
 
   def check
-    # TODO: Improve check
-    CheckCode::Appears
+    version_release = get_aci_version
+    return CheckCode::Unknown('Could not retrieve the version information.') if version_release.nil?
+    return CheckCode::Safe("Version #{version_release}") if version_release >= Rex::Version.new('5.0.1-61')
+    return CheckCode::Safe("Version #{version_release}") if version_release >= Rex::Version.new('5.1.1-71')
+    return CheckCode::Safe("Version #{version_release}") if version_release >= Rex::Version.new('5.2.1-69')
+    return CheckCode::Safe("Version #{version_release}") if version_release >= Rex::Version.new('5.3.1-53')
+    return CheckCode::Safe("Version #{version_release}") if version_release >= Rex::Version.new('5.4.4-132')
+
+    CheckCode::Appears("Version #{version_release}")
   end
 
   def exploit