From ccd8c71ec6ad19d5cb807f53ad5f83a118bb902f Mon Sep 17 00:00:00 2001
From: sfewer-r7
Date: Wed, 4 Oct 2023 09:38:42 +0100
Subject: [PATCH] change the payload space to 5000. This allows all the payloads I tested to work but also allows all the 3 gadget chains I tested to work. ClaimsPrincipal and TypeConfuseDelegate will fail if the space is too large.
---
 modules/exploits/windows/http/ws_ftp_rce_cve_2023_40044.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/modules/exploits/windows/http/ws_ftp_rce_cve_2023_40044.rb b/modules/exploits/windows/http/ws_ftp_rce_cve_2023_40044.rb
index 235c1eea49b3..d7b576af6785 100644
--- a/modules/exploits/windows/http/ws_ftp_rce_cve_2023_40044.rb
+++ b/modules/exploits/windows/http/ws_ftp_rce_cve_2023_40044.rb
@@ -33,7 +33,11 @@ def initialize(info = {})
 'DisclosureDate' => '2023-09-27',
 'Platform' => %w[win],
 'Arch' => [ARCH_CMD],
- 'Payload' => { 'Space' => 8192 },
+ # 5000 will allow the powershell payloads to work as they require ~4200 bytes. Notably, the ClaimsPrincipal and
+ # TypeConfuseDelegate (but not TextFormattingRunProperties) gadget chains will fail if Space is too large (e.g.
+ # 8192 bytes), as the encoded payload command is padded with leading whitespace characters (0x20) to consume
+ # all the available payload space via ./modules/nops/cmd/generic.rb).
+ 'Payload' => { 'Space' => 5000 },
 'Privileged' => false, # Code execution as `NT AUTHORITY\NETWORK SERVICE`.
 'Targets' => [
 [
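Review bot: The 5000-byte ceiling on the new `'Payload' => { 'Space' => 5000 },` line works around the nop padding rather than fixing it: by the new comment's own account the ClaimsPrincipal and TypeConfuseDelegate chains fail only because modules/nops/cmd/generic.rb pads the command with 0x20 up to Space, so any future command payload above 5000 bytes is silently excluded while the padding problem remains. Metasploit's Payload info hash also accepts `'DisableNops' => true`, which, if it applies to the ARCH_CMD path here (worth confirming against the generator), would stop the padding and let Space express the real limit imposed by the gadget chains, e.g. `'Payload' => { 'Space' => 5000, 'DisableNops' => true },`. The comment should then state which constraint each number reflects (the ~4200-byte PowerShell requirement versus the per-gadget-chain maximum) so the next maintainer does not re-tune it by trial. Separately, the fourth comment line ends with an unmatched closing parenthesis in `generic.rb).`. The enclosing `initialize(info = {})` begins and ends outside this hunk.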