Land #11769, make sure Notes fields show up in `info`

2019-04-24 13:01:07 -05:00 · 2019-04-24 13:01:07 -05:00 · 470255cb2b
parent e7f82610d3 ce39b929b2
commit 470255cb2b
6 changed files with 109 additions and 79 deletions
--- a/lib/msf/base/serializer/readable_text.rb
+++ b/lib/msf/base/serializer/readable_text.rb
@ -286,8 +286,8 @@ class ReadableText
    # References
    output << dump_references(mod, indent)

-    # AKA
-    output << dump_aka(mod, indent)
+    # Notes
+    output << dump_notes(mod, indent)

    return output

@ -341,8 +341,8 @@ class ReadableText
    # References
    output << dump_references(mod, indent)

-    # AKA
-    output << dump_aka(mod, indent)
+    # Notes
+    output << dump_notes(mod, indent)

    return output
  end
@ -401,8 +401,8 @@ class ReadableText
    # References
    output << dump_references(mod, indent)

-    # AKA
-    output << dump_aka(mod, indent)
+    # Notes
+    output << dump_notes(mod, indent)

    return output
  end
@ -668,19 +668,42 @@ class ReadableText
    output
  end

-  # Dumps the aka names associated with the supplied module.
+  # Dumps the notes associated with the supplied module.
  #
  # @param mod [Msf::Module] the module.
  # @param indent [String] the indentation to use.
  # @return [String] the string form of the information.
-  def self.dump_aka(mod, indent = '')
+  def self.dump_notes(mod, indent = '')
    output = ''

-    if mod.notes['AKA'].present?
-      output << "AKA:\n"
+    mod.notes.each do |name, val|
+      next unless val.present?

-      mod.notes['AKA'].each do |aka_name|
-        output << indent + aka_name + "\n"
+      case name
+      when 'AKA'
+        output << "Also known as:\n"
+        val.each { |aka| output << "#{indent}#{aka}\n" }
+      when 'NOCVE'
+        output << "CVE not available:\n" \
+                  "#{indent}#{val}\n"
+      when 'RelatedModules'
+        output << "Related modules:\n"
+        val.each { |related| output << "#{indent}#{related}\n" }
+      when 'Stability', 'SideEffects', 'Reliability'
+        # Handled by dump_traits
+        next
+      else
+        output << "#{name}:\n"
+
+        case val
+        when Array
+          val.each { |v| output << "#{indent}#{v}\n" }
+        when Hash
+          val.each { |k, v| output << "#{indent}#{k}: #{v}\n" }
+        else
+          # Display the raw note
+          output << "#{indent}#{val}\n"
+        end
      end

      output << "\n"
--- a/modules/exploits/linux/upnp/belkin_wemo_upnp_exec.rb
+++ b/modules/exploits/linux/upnp/belkin_wemo_upnp_exec.rb
@ -59,10 +59,10 @@ class MetasploitModule < Msf::Exploit::Remote
      ],
      'DefaultTarget'      => 1,
      'Notes'              => {
+        'NOCVE'            => 'Patched in 2.00.8643 without vendor disclosure',
        'Stability'        => [CRASH_SAFE],
        'SideEffects'      => [ARTIFACTS_ON_DISK],
-        'Reliablity'       => [REPEATABLE_SESSION],
-        'NOCVE'            => 'Patched in 2.00.8643'
+        'Reliability'      => [REPEATABLE_SESSION]
      }
    ))

--- a/modules/exploits/multi/fileformat/ghostscript_failed_restore.rb
+++ b/modules/exploits/multi/fileformat/ghostscript_failed_restore.rb
@ -22,12 +22,7 @@ class MetasploitModule < Msf::Exploit
        arbitrary commands by handling a failed restore (grestore) in
        PostScript to disable LockSafetyParams and avoid invalidaccess.

-        This vulnerability is reachable via libraries such as ImageMagick,
-        and this module provides the latest vector for Ghostscript.
-
-        For previous Ghostscript vectors, please see the following modules:
-          exploit/unix/fileformat/ghostscript_type_confusion
-          exploit/unix/fileformat/imagemagick_delegate
+        This vulnerability is reachable via libraries such as ImageMagick.
      },
      'Author'            => [
        'Tavis Ormandy', # Vuln discovery and exploit
@ -48,7 +43,10 @@ class MetasploitModule < Msf::Exploit
          'Platform'      => 'unix',
          'Arch'          => ARCH_CMD,
          'Type'          => :unix_memory,
-          'Payload'    => {'Space' => 4089, 'DisableNops' => true} # 4096 total
+          'Payload'       => {
+            'Space'       => 4089, # 4096 total
+            'DisableNops' => true
+          }
        ],
        ['PowerShell (In-Memory)',
          'Platform'      => 'win',
@ -61,7 +59,13 @@ class MetasploitModule < Msf::Exploit
          'Type'          => :linux_dropper
        ]
      ],
-      'DefaultTarget'  => 0
+      'DefaultTarget'     => 0,
+      'Notes'             => {
+        'RelatedModules'  => [
+          'exploit/unix/fileformat/ghostscript_type_confusion',
+          'exploit/unix/fileformat/imagemagick_delegate'
+        ]
+      }
    ))

    register_options([
--- a/modules/exploits/unix/fileformat/ghostscript_type_confusion.rb
+++ b/modules/exploits/unix/fileformat/ghostscript_type_confusion.rb
@ -16,9 +16,6 @@ class MetasploitModule < Msf::Exploit
        be exploited to obtain arbitrary command execution. This vulnerability affects
        Ghostscript versions 9.21 and earlier and can be exploited through libraries
        such as ImageMagick and Pillow.
-
-        For more recent Ghostscript vectors, please see the following modules:
-          exploit/multi/fileformat/ghostscript_failed_restore
      },
      'Author'           => [
        'Atlassian Security Team', # Vulnerability discovery
@ -44,7 +41,11 @@ class MetasploitModule < Msf::Exploit
      ],
      'DefaultTarget'    => 0,
      'Notes'            => {
-        'AKA'          => [ 'ghostbutt' ]
+        'AKA'            => ['ghostbutt'],
+        'RelatedModules' => [
+          'exploit/multi/fileformat/ghostscript_failed_restore',
+          'exploit/unix/fileformat/imagemagick_delegate'
+        ]
      }
    ))

--- a/modules/exploits/unix/fileformat/imagemagick_delegate.rb
+++ b/modules/exploits/unix/fileformat/imagemagick_delegate.rb
@ -25,10 +25,6 @@ class MetasploitModule < Msf::Exploit
        Ghostscript versions 9.18 and later are affected. This target is
        provided as is and will not be updated to track additional vulns.

-        For more recent Ghostscript vectors, please see the following modules:
-          exploit/multi/fileformat/ghostscript_failed_restore
-          exploit/unix/fileformat/ghostscript_type_confusion
-
        If USE_POPEN is set to true, a |-prefixed command will be used for the
        exploit. No delegates are involved in this exploitation.
      },
@ -63,7 +59,13 @@ class MetasploitModule < Msf::Exploit
        ['PS file',  template: 'msf.ps']   # PoC from taviso
      ],
      'DefaultTarget'    => 0,
-      'Notes'          => {'AKA' => ['ImageTragick']}
+      'Notes'            => {
+        'AKA'            => ['ImageTragick'],
+        'RelatedModules' => [
+          'exploit/unix/fileformat/ghostscript_type_confusion',
+          'exploit/multi/fileformat/ghostscript_failed_restore'
+        ]
+      }
    ))

    register_options([
--- a/modules/exploits/unix/webapp/drupal_restws_unserialize.rb
+++ b/modules/exploits/unix/webapp/drupal_restws_unserialize.rb
@ -67,10 +67,10 @@ class MetasploitModule < Msf::Exploit::Remote
      ],
      'DefaultTarget'      => 0,
      'Notes'              => {
+        'AKA'              => ['SA-CORE-2019-003'],
        'Stability'        => [CRASH_SAFE],
        'SideEffects'      => [IOC_IN_LOGS],
-        'Reliablity'       => [UNRELIABLE_SESSION], # When using the GET method
-        'AKA'              => ['SA-CORE-2019-003']
+        'Reliability'      => [UNRELIABLE_SESSION] # When using the GET method
      }
    ))