diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json index 93fb6d632b24..10a0d26a5f1e 100644 --- a/db/modules_metadata_base.json +++ b/db/modules_metadata_base.json @@ -24023,7 +24023,7 @@ "https" ], "targets": null, - "mod_time": "2024-07-18 11:56:22 +0000", + "mod_time": "2024-07-19 12:33:13 +0000", "path": "/modules/auxiliary/gather/magento_xxe_cve_2024_34102.rb", "is_install_path": true, "ref_name": "gather/magento_xxe_cve_2024_34102", @@ -63691,7 +63691,7 @@ "autofilter_ports": null, "autofilter_services": null, "targets": null, - "mod_time": "2024-08-27 10:27:45 +0000", + "mod_time": "2024-09-05 11:00:56 +0000", "path": "/modules/encoders/php/base64.rb", "is_install_path": true, "ref_name": "php/base64", @@ -71102,7 +71102,7 @@ "CMD", "Linux mipsel Payload" ], - "mod_time": "2020-10-02 17:38:06 +0000", + "mod_time": "2024-07-26 17:30:25 +0000", "path": "/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb", "is_install_path": true, "ref_name": "linux/http/dlink_diagnostic_exec_noauth", @@ -71260,7 +71260,7 @@ "CMD", "Linux mipsel Payload" ], - "mod_time": "2020-10-02 17:38:06 +0000", + "mod_time": "2024-07-26 17:30:25 +0000", "path": "/modules/exploits/linux/http/dlink_dir615_up_exec.rb", "is_install_path": true, "ref_name": "linux/http/dlink_dir615_up_exec", @@ -71746,7 +71746,7 @@ "Dlink DIR-818 / 822 / 823 / 850 [MIPS]", "Dlink DIR-868 (rev. B and C) / 880 / 885 / 890 / 895 [ARM]" ], - "mod_time": "2020-10-02 17:38:06 +0000", + "mod_time": "2024-09-05 08:49:32 +0000", "path": "/modules/exploits/linux/http/dlink_hnap_login_bof.rb", "is_install_path": true, "ref_name": "linux/http/dlink_hnap_login_bof", @@ -75856,7 +75856,7 @@ "CMD", "Linux mipsel Payload" ], - "mod_time": "2020-10-02 17:38:06 +0000", + "mod_time": "2024-07-26 17:30:25 +0000", "path": "/modules/exploits/linux/http/linksys_e1500_apply_exec.rb", "is_install_path": true, "ref_name": "linux/http/linksys_e1500_apply_exec", 
@@ -76078,7 +76078,7 @@ "CMD", "Linux mipsel Payload" ], - "mod_time": "2020-10-02 17:38:06 +0000", + "mod_time": "2024-07-26 17:30:25 +0000", "path": "/modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb", "is_install_path": true, "ref_name": "linux/http/linksys_wrt54gl_apply_exec", @@ -77676,7 +77676,7 @@ "CMD", "Linux mipsbe Payload" ], - "mod_time": "2020-10-02 17:38:06 +0000", + "mod_time": "2024-07-26 17:30:25 +0000", "path": "/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb", "is_install_path": true, "ref_name": "linux/http/netgear_dgn1000b_setup_exec", @@ -77730,7 +77730,7 @@ "CMD", "Linux mipsbe Payload" ], - "mod_time": "2020-10-02 17:38:06 +0000", + "mod_time": "2024-07-26 17:30:25 +0000", "path": "/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb", "is_install_path": true, "ref_name": "linux/http/netgear_dgn2200b_pppoe_exec", @@ -83221,7 +83221,7 @@ "targets": [ "Automatic" ], - "mod_time": "2022-03-11 12:17:30 +0000", + "mod_time": "2024-09-05 08:49:32 +0000", "path": "/modules/exploits/linux/http/vestacp_exec.rb", "is_install_path": true, "ref_name": "linux/http/vestacp_exec", @@ -93255,7 +93255,7 @@ "targets": [ "Linux x86" ], - "mod_time": "2023-01-04 14:45:58 +0000", + "mod_time": "2024-07-26 17:30:25 +0000", "path": "/modules/exploits/linux/smtp/exim4_dovecot_exec.rb", "is_install_path": true, "ref_name": "linux/smtp/exim4_dovecot_exec", @@ -100063,7 +100063,7 @@ "targets": [ "Bassmaster <= 1.5.1" ], - "mod_time": "2020-10-02 17:38:06 +0000", + "mod_time": "2024-07-26 17:30:25 +0000", "path": "/modules/exploits/multi/http/bassmaster_js_injection.rb", "is_install_path": true, "ref_name": "multi/http/bassmaster_js_injection", @@ -106532,7 +106532,7 @@ "Unix CMD", "Linux Payload" ], - "mod_time": "2022-03-11 12:08:51 +0000", + "mod_time": "2024-07-26 17:30:25 +0000", "path": "/modules/exploits/multi/http/mutiny_subnetmask_exec.rb", "is_install_path": true, "ref_name": "multi/http/mutiny_subnetmask_exec", 
@@ -109785,7 +109785,7 @@ "targets": [ "Ruby on Rails 4.0.8 July 2, 2014" ], - "mod_time": "2020-10-02 17:38:06 +0000", + "mod_time": "2024-07-26 17:30:25 +0000", "path": "/modules/exploits/multi/http/rails_dynamic_render_code_exec.rb", "is_install_path": true, "ref_name": "multi/http/rails_dynamic_render_code_exec", @@ -111785,7 +111785,7 @@ "Windows", "Linux" ], - "mod_time": "2021-10-06 13:43:31 +0000", + "mod_time": "2024-07-26 17:30:25 +0000", "path": "/modules/exploits/multi/http/struts_default_action_mapper.rb", "is_install_path": true, "ref_name": "multi/http/struts_default_action_mapper", @@ -112868,7 +112868,7 @@ "targets": [ "Trend Micro Threat Discovery Appliance 2.6.1062r1" ], - "mod_time": "2020-10-02 17:38:06 +0000", + "mod_time": "2024-07-26 17:30:25 +0000", "path": "/modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb", "is_install_path": true, "ref_name": "multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi", @@ -116861,7 +116861,7 @@ "Linux (Command)", "AIX (Command)" ], - "mod_time": "2023-02-08 15:46:07 +0000", + "mod_time": "2024-09-05 08:49:32 +0000", "path": "/modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb", "is_install_path": true, "ref_name": "multi/misc/ibm_tm1_unauth_rce", @@ -119290,7 +119290,7 @@ "Linux", "Windows Universal" ], - "mod_time": "2020-10-02 17:38:06 +0000", + "mod_time": "2024-07-26 17:30:25 +0000", "path": "/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb", "is_install_path": true, "ref_name": "multi/sap/sap_mgmt_con_osexec_payload", @@ -166383,7 +166383,7 @@ "targets": [ "Windows Command" ], - "mod_time": "2024-07-24 16:42:43 +0000", + "mod_time": "2024-09-05 08:49:32 +0000", "path": "/modules/exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219.rb", "is_install_path": true, "ref_name": "windows/http/manageengine_adaudit_plus_cve_2022_28219", 
@@ -174068,7 +174068,7 @@ "URL-https://github.com/FuzzySecurity/Defcon25/Defcon25_UAC-0day-All-Day_v1.2.pdf" ], "platform": "Windows", - "arch": "", + "arch": "x86, x64", "rport": null, "autofilter_ports": [
@@ -174079,7 +174079,7 @@ "targets": [ "Automatic" ], - "mod_time": "2023-07-21 15:34:49 +0000", + "mod_time": "2024-09-04 23:49:33 +0000", "path": "/modules/exploits/windows/local/bypassuac_comhijack.rb", "is_install_path": true, "ref_name": "windows/local/bypassuac_comhijack",
diff --git a/lib/msf/core/exploit/remote/http_server.rb b/lib/msf/core/exploit/remote/http_server.rb
index 5b771c2b1d37..50ea6ac3664a 100644
--- a/lib/msf/core/exploit/remote/http_server.rb
+++ b/lib/msf/core/exploit/remote/http_server.rb
@@ -116,6 +116,9 @@ def check_dependencies
 # completely on the datastore. (See dlink_upnp_exec_noauth)
 def start_service(opts = {})
+ # Keep compatibility with modules that don't pass the ssl option to the start server but rely on the datastore instead.
+ opts['ssl'] = opts['ssl'].nil? ? datastore['SSL'] : opts['ssl']
+
 check_dependencies
 # Start a new HTTP server service.
@@ -123,7 +126,7 @@ def start_service(opts = {})
 Rex::Proto::Http::Server,
 (opts['ServerPort'] || bindport).to_i,
 opts['ServerHost'] || bindhost,
- datastore['SSL'], # XXX: Should be in opts, need to test this
+ opts['ssl'],
 {
 'Msf' => framework,
 'MsfExploit' => self,
@@ -149,7 +152,7 @@ def start_service(opts = {})
 'Path' => opts['Path'] || resource_uri
 }.update(opts['Uri'] || {})
- proto = (datastore["SSL"] ? "https" : "http")
+ proto = (opts['ssl'] ? "https" : "http")
 # SSLCompression may or may not actually be available. For example, on
 # Ubuntu, it's disabled by default, unless the correct environment
diff --git a/modules/auxiliary/gather/magento_xxe_cve_2024_34102.rb b/modules/auxiliary/gather/magento_xxe_cve_2024_34102.rb
index c9480526fe33..f30a057404c4 100644
--- a/modules/auxiliary/gather/magento_xxe_cve_2024_34102.rb
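Review bot: The new option is keyed `'ssl'` in lowercase while every other option start_service reads (`'ServerPort'`, `'ServerHost'`, `'Path'`, `'Uri'`) is CamelCase, so a caller that writes `'SSL' => false` by analogy is silently ignored and falls back to datastore['SSL']; consider `'SSL'`, or at least document the key. The assignment also writes into the caller's hash, which is harmless for the literal hashes the modules pass but surprises any module that reuses an options hash; `opts = opts.merge('ssl' => datastore['SSL']) if opts['ssl'].nil?` avoids the mutation and reads more directly than the ternary. The doc comment visible just above the hunk still says the service depends "completely on the datastore"; it should now mention the option, e.g. `# Pass 'ssl' => false to serve plain HTTP regardless of the SSL datastore option, which HttpClient shares.` start_service continues beyond the hunk.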
+++ b/modules/auxiliary/gather/magento_xxe_cve_2024_34102.rb
@@ -154,19 +154,16 @@ def run
 fail_with(Failure::BadConfig, 'SRVHOST must be set to an IP address (0.0.0.0 is invalid) for exploitation to be successful')
 end
- if datastore['SSL']
- ssl_restore = true
- datastore['SSL'] = false
- end
 start_service({
 'Uri' => {
 'Proc' => proc do |cli, req|
 on_request_uri(cli, req)
 end,
 'Path' => '/'
- }
+ },
+ 'ssl' => false
 })
- datastore['SSL'] = true if ssl_restore
+
 xxe_request
 rescue Timeout::Error => e
 fail_with(Failure::TimeoutExpired, e.message)
diff --git a/modules/encoders/php/base64.rb b/modules/encoders/php/base64.rb
index 7f0d0188d629..9412a02eed6e 100644
--- a/modules/encoders/php/base64.rb
+++ b/modules/encoders/php/base64.rb
@@ -71,10 +71,6 @@ def encode_block(state, buf)
 # raw string, so strip it off.
 b64.gsub!(/[=\n]+/, '')
- # The first character must not be a non-alpha character or PHP chokes.
- i = 0
- b64[i] = "chr(#{b64[i]})." while (b64[i].chr =~ %r{[0-9/+]})
-
 # Similarly, when we separate large payloads into chunks to avoid the
 # 998-byte problem mentioned above, we have to make sure that the first
 # character of each chunk is an alpha character. This simple algorithm
diff --git a/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb b/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb
index 09c6eb47aa79..dcf9edfa5bad 100644
--- a/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb
+++ b/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb
@@ -122,11 +122,6 @@ def exploit
 if (datastore['DOWNHOST'])
 service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
 else
- #do not use SSL
- if datastore['SSL']
- ssl_restore = true
- datastore['SSL'] = false
- end
 #we use SRVHOST as download IP for the coming wget command.
 #SRVHOST needs a real IP address of our download host
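Review bot: `'ssl' => false` is passed here with no comment at all, and the sibling module hunks in this commit (dlink_diagnostic_exec_noauth, dlink_dir615_up_exec, dlink_hnap_login_bof, the linksys and netgear modules, vestacp_exec, exim4_dovecot_exec, bassmaster_js_injection, mutiny_subnetmask_exec, rails_dynamic_render_code_exec, struts_default_action_mapper, trendmicro_threat_discovery_admin_sys_time_cmdi, ibm_tm1_unauth_rce, sap_mgmt_con_osexec_payload, manageengine_adaudit_plus_cve_2022_28219) only say `# do not use SSL`, which restates the value. The reason the removed blocks gave — the SSL datastore option is the HttpClient's target-side setting and must not turn the callback listener into an HTTPS server — is what a future reader needs. One consistent inline comment across all of them would do, e.g. `'ssl' => false # SSL is the target-side option; the listener stays plain HTTP`. run continues beyond the hunk.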
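Review bot: With the first-character fix-up removed, the comment that now directly follows the `gsub!` opens with "Similarly" and refers to a paragraph that no longer exists, and nothing in the hunk shows that the leading `[0-9/+]` guard is enforced elsewhere. If the chunking loop below already wraps the first character of every chunk, including the first one, say so where the old code stood, e.g. `# A leading digit, '/' or '+' makes PHP choke; the per-chunk fix-up below covers the first chunk as well.`, and drop the "Similarly"; if it does not, this removal reintroduces the problem the deleted comment described. encode_block continues past the hunk.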
@@ -144,9 +139,10 @@ def exploit
 on_request_uri(cli, req)
 },
 'Path' => resource_uri
- }})
+ },
+ 'ssl' => false # do not use SSL
+ })
- datastore['SSL'] = true if ssl_restore
 end
 #
diff --git a/modules/exploits/linux/http/dlink_dir615_up_exec.rb b/modules/exploits/linux/http/dlink_dir615_up_exec.rb
index d1e6db63151f..a9c210a5d7fb 100644
--- a/modules/exploits/linux/http/dlink_dir615_up_exec.rb
+++ b/modules/exploits/linux/http/dlink_dir615_up_exec.rb
@@ -155,11 +155,6 @@ def exploit
 if (datastore['DOWNHOST'])
 service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
 else
- #do not use SSL
- if datastore['SSL']
- ssl_restore = true
- datastore['SSL'] = false
- end
 if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
 srv_host = Rex::Socket.source_address(rhost)
@@ -174,9 +169,10 @@ def exploit
 on_request_uri(cli, req)
 },
 'Path' => resource_uri
- }})
+ },
+ 'ssl' => false # do not use SSL
+ })
- datastore['SSL'] = true if ssl_restore
 end
 #
diff --git a/modules/exploits/linux/http/dlink_hnap_login_bof.rb b/modules/exploits/linux/http/dlink_hnap_login_bof.rb
index 81eed0fb1a4c..ec6881f134e0 100644
--- a/modules/exploits/linux/http/dlink_hnap_login_bof.rb
+++ b/modules/exploits/linux/http/dlink_hnap_login_bof.rb
@@ -253,12 +253,6 @@ def exploit
 @elf_sent = false
 resource_uri = '/' + downfile
- #do not use SSL
- if datastore['SSL']
- ssl_restore = true
- datastore['SSL'] = false
- end
-
 if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
 srv_host = Rex::Socket.source_address(rhost)
 else
@@ -272,9 +266,10 @@ def exploit
 on_request_uri(cli, req)
 },
 'Path' => resource_uri
- }})
+ },
+ 'ssl' => false # do not use SSL
+ })
- datastore['SSL'] = true if ssl_restore
 print_status("#{peer} - Asking the device to download and execute #{service_url}")
 filename = rand_text_alpha_lower(rand(8) + 2)
diff --git a/modules/exploits/linux/http/linksys_e1500_apply_exec.rb b/modules/exploits/linux/http/linksys_e1500_apply_exec.rb
index b06d83c4edf6..09b00c6c7c01 100644
--- a/modules/exploits/linux/http/linksys_e1500_apply_exec.rb
+++ b/modules/exploits/linux/http/linksys_e1500_apply_exec.rb
@@ -151,11 +151,6 @@ def exploit
 if (datastore['DOWNHOST'])
 service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
 else
- #do not use SSL
- if datastore['SSL']
- ssl_restore = true
- datastore['SSL'] = false
- end
 #we use SRVHOST as download IP for the coming wget command.
 #SRVHOST needs a real IP address of our download host
@@ -172,9 +167,10 @@ def exploit
 on_request_uri(cli, req)
 },
 'Path' => resource_uri
- }})
+ },
+ 'ssl' => false # do not use SSL
+ })
- datastore['SSL'] = true if ssl_restore
 end
 #
diff --git a/modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb b/modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb
index 321ac0b77b41..23dd62260c82 100644
--- a/modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb
+++ b/modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb
@@ -304,11 +304,6 @@ def exploit
 if (datastore['DOWNHOST'])
 service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
 else
- #do not use SSL
- if datastore['SSL']
- ssl_restore = true
- datastore['SSL'] = false
- end
 #we use SRVHOST as download IP for the coming wget command.
 #SRVHOST needs a real IP address of our download host
@@ -325,9 +320,10 @@ def exploit
 on_request_uri(cli, req)
 },
 'Path' => resource_uri
- }})
+ },
+ 'ssl' => false # do not use SSL
+ })
- datastore['SSL'] = true if ssl_restore
 end
 #
diff --git a/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb b/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb
index f5c8f91650fb..8148b41eacc6 100644
--- a/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb
+++ b/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb
@@ -155,11 +155,6 @@ def exploit
 if (datastore['DOWNHOST'])
 service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
 else
- #do not use SSL
- if datastore['SSL']
- ssl_restore = true
- datastore['SSL'] = false
- end
 #we use SRVHOST as download IP for the coming wget command.
 #SRVHOST needs a real IP address of our download host
@@ -176,9 +171,10 @@ def exploit
 on_request_uri(cli, req)
 },
 'Path' => resource_uri
- }})
+ },
+ 'ssl' => false # do not use SSL
+ })
- datastore['SSL'] = true if ssl_restore
 end
 #
diff --git a/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb b/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb
index fb25a57294a6..c7b3c4887da5 100644
--- a/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb
+++ b/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb
@@ -270,11 +270,6 @@ def exploit
 if (datastore['DOWNHOST'])
 service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
 else
- #do not use SSL
- if datastore['SSL']
- ssl_restore = true
- datastore['SSL'] = false
- end
 #we use SRVHOST as download IP for the coming wget command.
 #SRVHOST needs a real IP address of our download host
@@ -291,9 +286,10 @@ def exploit
 on_request_uri(cli, req)
 },
 'Path' => resource_uri
- }})
+ },
+ 'ssl' => false # do not use SSL
+ })
- datastore['SSL'] = true if ssl_restore
 end
 #
diff --git a/modules/exploits/linux/http/vestacp_exec.rb b/modules/exploits/linux/http/vestacp_exec.rb
index 64b89b65defc..b65e2bbd73ff 100644
--- a/modules/exploits/linux/http/vestacp_exec.rb
+++ b/modules/exploits/linux/http/vestacp_exec.rb
@@ -252,28 +252,19 @@ def on_request_uri(cli, _request)
 end
 def start_http_server
- #
- # HttpClient and HttpServer use same SSL variable :(
- # We don't need SSL for payload delivery so we
- # will disable it temporarily.
- #
- if datastore['SSL']
- ssl_restore = true
- datastore['SSL'] = false
- end
 start_service({
 'Uri' => {
 'Proc' => proc do |cli, req|
 on_request_uri(cli, req)
 end,
 'Path' => resource_uri
- }
+ },
+ 'ssl' => false # do not use SSL
 })
 print_status("Second payload download URI is #{get_uri}")
 # We need to use instance variables since get_uri keeps using
 # the SSL setting from the datastore.
 # Once the URI is retrieved, we will restore the SSL settings within the datastore.
 @second_stage_url = get_uri
- datastore['SSL'] = true if ssl_restore
 end
 end
diff --git a/modules/exploits/linux/smtp/exim4_dovecot_exec.rb b/modules/exploits/linux/smtp/exim4_dovecot_exec.rb
index caa972d00e0b..44481fc1baf9 100644
--- a/modules/exploits/linux/smtp/exim4_dovecot_exec.rb
+++ b/modules/exploits/linux/smtp/exim4_dovecot_exec.rb
@@ -112,12 +112,6 @@ def exploit
 fail_with(Failure::Unknown, 'The Web Server needs to live on SRVPORT=80')
 end
- #do not use SSL
- if datastore['SSL']
- ssl_restore = true
- datastore['SSL'] = false
- end
-
 #we use SRVHOST as download IP for the coming wget command.
 #SRVHOST needs a real IP address of our download host
 if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
@@ -134,9 +128,10 @@ def exploit
 on_request_uri(cli, req)
 },
 'Path' => resource_uri
- }})
+ },
+ 'ssl' => false # do not use SSL
+ })
- datastore['SSL'] = true if ssl_restore
 end
diff --git a/modules/exploits/multi/http/bassmaster_js_injection.rb b/modules/exploits/multi/http/bassmaster_js_injection.rb
index 2153fee64508..5deadf9eb630 100644
--- a/modules/exploits/multi/http/bassmaster_js_injection.rb
+++ b/modules/exploits/multi/http/bassmaster_js_injection.rb
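Review bot: The comment kept after `print_status` still says get_uri "keeps using the SSL setting from the datastore" and that the setting "will be restored", but the hunk no longer touches datastore['SSL'] at all. If get_uri really derives its scheme from the datastore (its body is not visible here), a run with SSL=true now prints and stores an https:// URL in @second_stage_url for a listener that was started with `'ssl' => false`, which the old temporary override prevented; either get_uri has to honour the option given to start_service, or @second_stage_url should be built with the plain scheme explicitly, as the D-Link and Linksys modules do with their 'http://' strings. In any case the three stale comment lines should shrink to one that states the current contract, e.g. `# The listener is plain HTTP; the HttpClient SSL option must not leak into this URL.` The same question applies to any other module in this commit whose callback URL comes from get_uri rather than a literal.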
@@ -141,12 +141,6 @@ def start_http_server
 srv_host = datastore['SRVHOST']
 end
- # do not use SSL for the attacking web server
- if datastore['SSL']
- ssl_restore = true
- datastore['SSL'] = false
- end
-
 @service_url = "http:\\x2f\\x2f#{srv_host}:#{datastore['SRVPORT']}#{resource_uri}"
 service_url_payload = srv_host + resource_uri
 print_status("#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...")
@@ -155,8 +149,10 @@ def start_http_server
 on_request_uri(cli, req)
 },
 'Path' => resource_uri
- }})
- datastore['SSL'] = true if ssl_restore
+ },
+ 'ssl' => false # do not use SSL
+ })
+
 connect
 end
diff --git a/modules/exploits/multi/http/mutiny_subnetmask_exec.rb b/modules/exploits/multi/http/mutiny_subnetmask_exec.rb
index 9b7d651cbed5..1d8af0537625 100644
--- a/modules/exploits/multi/http/mutiny_subnetmask_exec.rb
+++ b/modules/exploits/multi/http/mutiny_subnetmask_exec.rb
@@ -113,11 +113,6 @@ def on_new_session(session)
 def start_web_service
 print_status("Setting up the Web Service...")
- if datastore['SSL']
- ssl_restore = true
- datastore['SSL'] = false
- end
-
 resource_uri = '/' + @elfname + '.elf'
 service_url = "http://#{lookup_lhost}:#{datastore['SRVPORT']}#{resource_uri}"
@@ -127,8 +122,9 @@ def start_web_service
 on_request_uri(cli, req)
 },
 'Path' => resource_uri
- }})
- datastore['SSL'] = true if ssl_restore
+ },
+ 'ssl' => false # do not use SSL
+ })
 return service_url
 end
diff --git a/modules/exploits/multi/http/rails_dynamic_render_code_exec.rb b/modules/exploits/multi/http/rails_dynamic_render_code_exec.rb
index 18ab694ccfc6..7f17ccc32cb3 100644
--- a/modules/exploits/multi/http/rails_dynamic_render_code_exec.rb
+++ b/modules/exploits/multi/http/rails_dynamic_render_code_exec.rb
@@ -162,12 +162,6 @@ def start_http_server
 srv_host = datastore['SRVHOST']
 end
- # do not use SSL for the attacking web server
- if datastore['SSL']
- ssl_restore = true
- datastore['SSL'] = false
- end
-
 @service_url = "http://#{srv_host}:#{datastore['SRVPORT']}#{resource_uri}"
 service_url_payload = srv_host + resource_uri
 print_status("#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...")
@@ -176,8 +170,10 @@ def start_http_server
 on_request_uri(cli, req)
 },
 'Path' => resource_uri
- }})
- datastore['SSL'] = true if ssl_restore
+ },
+ 'ssl' => false # do not use SSL
+ })
+
 connect
 end
diff --git a/modules/exploits/multi/http/struts_default_action_mapper.rb b/modules/exploits/multi/http/struts_default_action_mapper.rb
index e799bd30b6c1..a7cb2ffd4a51 100644
--- a/modules/exploits/multi/http/struts_default_action_mapper.rb
+++ b/modules/exploits/multi/http/struts_default_action_mapper.rb
@@ -115,14 +115,6 @@ def on_new_session(session)
 end
 def start_http_service
- # do not use SSL for this part
- # XXX: See https://github.com/rapid7/metasploit-framework/issues/3853
- # It must be possible to do this without directly editing the
- # datastore.
- if datastore['SSL']
- ssl_restore = true
- datastore['SSL'] = false
- end
 if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
 srv_host = Rex::Socket.source_address(rhost)
@@ -138,15 +130,10 @@ def start_http_service
 on_request_uri(cli, req)
 },
 'Path' => '/'
- }
+ },
+ 'ssl' => false # do not use SSL
 })
- # Restore SSL preference
- # XXX: See https://github.com/rapid7/metasploit-framework/issues/3853
- # It must be possible to do this without directly editing the
- # datastore.
- datastore['SSL'] = true if ssl_restore
-
 return service_url
 end
diff --git a/modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb b/modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb
index f3c8f243871a..0f1d432da5f6 100644
--- a/modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb
+++ b/modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb
@@ -151,12 +151,6 @@ def start_http_server
 downfile = rand_text_alpha(8+rand(8))
 resource_uri = '/' + downfile
- # do not use SSL for the attacking web server
- if datastore['SSL']
- ssl_restore = true
- datastore['SSL'] = false
- end
-
 if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
 srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost)
 else
@@ -172,9 +166,10 @@ def start_http_server
 on_request_uri(cli, req)
 },
 'Path' => resource_uri
- }})
+ },
+ 'ssl' => false # do not use SSL
+ })
- datastore['SSL'] = true if ssl_restore
 connect
 end
diff --git a/modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb b/modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb
index efe0e11421d6..bb200c4d4448 100644
--- a/modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb
+++ b/modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb
@@ -528,12 +528,6 @@ def exploit
 @pl = generate_payload_exe
 end
- # do not use SSL for the CAM server!
- if datastore['SSL']
- ssl_restore = true
- datastore['SSL'] = false
- end
-
 print_status('Starting up the fake CAM server...')
 start_service(
 {
@@ -542,10 +536,10 @@ def exploit
 on_request_uri(cli, req)
 end,
 'Path' => '/'
- }
+ },
+ 'ssl' => false # do not use SSL
 }
 )
- datastore['SSL'] = true if ssl_restore
 # Step 4: send the server config update packet, and ignore what it sends back
 print_status('Changing authentication method to 4 (CAM auth)')
diff --git a/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb b/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb
index 77b9c4ec6bad..ea0634787de2 100644
--- a/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb
+++ b/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb
@@ -215,11 +215,6 @@ def exploit_linux
 if (datastore['DOWNHOST'])
 service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
 else
- #do not use SSL
- if datastore['SSL']
- ssl_restore = true
- datastore['SSL'] = false
- end
 #we use SRVHOST as download IP for the coming wget command.
 #SRVHOST needs a real IP address of our download host
@@ -236,9 +231,10 @@ def exploit_linux
 on_request_uri(cli, req)
 },
 'Path' => resource_uri
- }})
+ },
+ 'ssl' => false # do not use SSL
+ })
- datastore['SSL'] = true if ssl_restore
 end
 #
diff --git a/modules/exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219.rb b/modules/exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219.rb
index e008f834e6cb..f36da810c058 100644
--- a/modules/exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219.rb
+++ b/modules/exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219.rb
@@ -417,22 +417,15 @@ def upload_payload(payload, queue)
 end
 def serve_http_file(path, respond_with = '')
- # do not use SSL for the attacking web server
- if datastore['SSL']
- ssl_restore = true
- datastore['SSL'] = false
- end
-
 start_service({
 'Uri' => {
 'Proc' => proc do |cli, _req|
 send_response(cli, respond_with)
 end,
 'Path' => path
- }
+ },
+ 'ssl' => false # do not use SSL
 })
-
- datastore['SSL'] = true if ssl_restore
 end
 def create_json_request(xml_payload)
diff --git a/modules/exploits/windows/local/bypassuac_comhijack.rb b/modules/exploits/windows/local/bypassuac_comhijack.rb
index b0c1e26862cd..4ba360c7d572 100644
--- a/modules/exploits/windows/local/bypassuac_comhijack.rb
+++ b/modules/exploits/windows/local/bypassuac_comhijack.rb
@@ -43,6 +43,7 @@ def initialize(info = {})
 'OJ Reeves' # MSF module
 ],
 'Platform' => ['win'],
+ 'Arch' => [ ARCH_X86, ARCH_X64 ],
 'SessionTypes' => ['meterpreter'],
 'Targets' => [
 ['Automatic', {}]
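Review bot: `'Arch' => [ ARCH_X86, ARCH_X64 ],` pads the brackets with spaces while the neighbouring `['win']` and `['meterpreter']` entries in the same info hash do not; `'Arch' => [ARCH_X86, ARCH_X64],` keeps the hash consistent and is the form RuboCop's Layout/SpaceInsideArrayLiteralBrackets expects. The initialize method continues beyond the hunk.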