Process escape sequences in the wordlist

rapid7 · Sep 12, 2023 · c1cabdf · c1cabdf
1 parent 325910b
commit c1cabdf
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 8 deletions.
diff --git a/documentation/modules/auxiliary/gather/apache_superset_cookie_sig_priv_esc.md b/documentation/modules/auxiliary/gather/apache_superset_cookie_sig_priv_esc.md
@@ -51,7 +51,7 @@ The ID of an admin account. Defaults to `1`
 
 ### SECRET_KEYS_FILE
 
-A file containing secret keys to try. One per line. Defaults to `metasploit-framework/data/wordlists/superset_secret_keys.tx`
+A file containing secret keys to try. One per line. Defaults to `metasploit-framework/data/wordlists/superset_secret_keys.txt`
 
 ## Scenarios
 

diff --git a/documentation/modules/auxiliary/gather/python_flask_cookie_signer.md b/documentation/modules/auxiliary/gather/python_flask_cookie_signer.md
@@ -62,7 +62,7 @@ When action is set to `Resign`, the cookie is signed with this secret.
 
 ### SECRET_KEYS_FILE
 
-When action is set to `FindSecret`, a file containing secret keys to try. One per line. Defaults to `metasploit-framework/data/wordlists/flask_secret_keys.tx`
+When action is set to `FindSecret`, a file containing secret keys to try. One per line. Defaults to `metasploit-framework/data/wordlists/flask_secret_keys.txt`
 
 ## Scenarios
 

diff --git a/modules/auxiliary/gather/apache_superset_cookie_sig_priv_esc.rb b/modules/auxiliary/gather/apache_superset_cookie_sig_priv_esc.rb
@@ -80,8 +80,9 @@ def get_secret_key(cookie)
       secret = secret.strip
       vprint_status("#{peer} - Checking secret key: #{secret}")
 
-      unless Msf::Exploit::Remote::HTTP::FlaskUnsign::Session.valid?(cookie, secret)
-        vprint_bad("#{peer} - Incorrect Secret Key: #{secret}")
+      unescaped_secret = Rex::Text.dehex(secret.gsub('\\', '\\').gsub('\\n', "\n").gsub('\\t', "\t"))
+      unless Msf::Exploit::Remote::HTTP::FlaskUnsign::Session.valid?(cookie, unescaped_secret)
+        vprint_bad("#{peer} - Incorrect secret key: #{secret}")
         next
       end
 

diff --git a/modules/auxiliary/gather/python_flask_cookie_signer.rb b/modules/auxiliary/gather/python_flask_cookie_signer.rb
@@ -83,8 +83,9 @@ def action_find_secret
       secret = secret.strip
       vprint_status("#{peer} - Checking secret key: #{secret}")
 
-      unless Msf::Exploit::Remote::HTTP::FlaskUnsign::Session.valid?(cookie, secret)
-        vprint_bad("#{peer} - Incorrect Secret Key: #{secret}")
+      unescaped_secret = unescape_string(secret)
+      unless Msf::Exploit::Remote::HTTP::FlaskUnsign::Session.valid?(cookie, unescaped_secret)
+        vprint_bad("#{peer} - Incorrect secret key: #{secret}")
         next
       end
 
@@ -118,8 +119,8 @@ def action_retrieve
     print_status("#{peer} - Decoded Cookie: #{decoded_cookie}")
 
     # use dehex to allow \x style escape sequences for unprintable chars
-    secret = Rex::Text.dehex(datastore['SECRET'])
-    salt = Rex::Text.dehex(datastore['Salt'])
+    secret = unescape_string(datastore['SECRET'])
+    salt = unescape_string(datastore['Salt'])
 
     if Msf::Exploit::Remote::HTTP::FlaskUnsign::Session.valid?(cookie, secret, salt: salt)
       print_good("#{peer} - Secret key #{secret.inspect} is correct.")
@@ -142,4 +143,8 @@ def run
       print_good("#{peer} - New signed cookie: #{datastore['CookieName']}=#{encoded_cookie}")
     end
   end
+
+  def unescape_string(string)
+    Rex::Text.dehex(string.gsub('\\', '\\').gsub('\\n', "\n").gsub('\\t', "\t"))
+  end
 end