From cb74d3b05b045d48d901703e98690f4748a8cf8d Mon Sep 17 00:00:00 2001
From: Justin Steven
Date: Tue, 7 Feb 2017 23:41:59 +1000
Subject: [PATCH] Fix CVE-2017-5231 and respect user's dest
---
 .../post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb
index b76dda80cf..4fdd0e0a23 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb
@@ -442,7 +442,7 @@ class Console::CommandDispatcher::Stdapi::Fs
 files.each do |file|
 src_separator = client.fs.file.separator
 src_path = file['path'] + client.fs.file.separator + file['name']
- dest_path = src_path.tr(src_separator, ::File::SEPARATOR)
+ dest_path = ::File.join(dest, ::Rex::FileUtils::clean_path(file['path'].tr(src_separator, ::File::SEPARATOR)))
 client.fs.file.download(dest_path, src_path, opts) do |step, src, dst|
 print_status("#{step.ljust(11)}: #{src} -> #{dst}")