Land #17619, Run rubocop on exploit modules

.rubocop.yml

@@ -366,6 +366,191 @@ Naming/MethodParameterName:
   Description: 'Whoever made this requirement never looked at crypto methods, IV'
   MinNameLength: 2
 
+Naming/PredicateName:
+  Enabled: true
+  # Current methods that break the rule, so that we don't add additional methods that break the convention
+  AllowedMethods:
+    - has_additional_info?
+    - has_advanced_options?
+    - has_auth
+    - has_auto_target?
+    - has_bad_activex?
+    - has_badchars?
+    - has_chars?
+    - has_check?
+    - has_command?
+    - has_content_type_extension?
+    - has_datastore_cred?
+    - has_evasion_options?
+    - has_fatal_errors?
+    - has_fields
+    - has_files?
+    - has_flag?
+    - has_function_name?
+    - has_gcc?
+    - has_h2_headings
+    - has_input_name?
+    - has_j_security_check?
+    - has_key?
+    - has_match?
+    - has_module
+    - has_object_ref
+    - has_objects_list
+    - has_options?
+    - has_page?
+    - has_passphrase?
+    - has_pid?
+    - has_pkt_line_data?
+    - has_prereqs?
+    - has_privacy_waiver?
+    - has_privates?
+    - has_protected_mode_prompt?
+    - has_proxy?
+    - has_read_data?
+    - has_ref?
+    - has_required_args
+    - has_required_module_options?
+    - has_requirements
+    - has_rop?
+    - has_s_flag?
+    - has_service_cred?
+    - has_subscriber?
+    - has_subtree?
+    - has_text
+    - has_tlv?
+    - has_u_flag?
+    - has_users?
+    - has_vuln?
+    - has_waiver?
+    - have_auth_error?
+    - have_powershell?
+    - is_accessible?
+    - is_admin?
+    - is_alive?
+    - is_alpha_web_server?
+    - is_android?
+    - is_app_binom3?
+    - is_app_carlogavazzi?
+    - is_app_cnpilot?
+    - is_app_epaduo?
+    - is_app_epmp1000?
+    - is_app_infovista?
+    - is_app_ironport?
+    - is_app_metweblog?
+    - is_app_oilom?
+    - is_app_openmind?
+    - is_app_popad?
+    - is_app_radware?
+    - is_app_rfreader?
+    - is_app_sentry?
+    - is_app_sevone?
+    - is_app_splunk?
+    - is_app_ssl_vpn?
+    - is_array_type?
+    - is_auth_required?
+    - is_author_blacklisted?
+    - is_badchar
+    - is_base64?
+    - is_bind?
+    - is_cached_size_accurate?
+    - is_cgi_enabled?
+    - is_cgi_exploitable?
+    - is_check_interesting?
+    - is_child_of?
+    - is_clr_enabled
+    - is_connect?
+    - is_dlink?
+    - is_dn?
+    - is_dynamic?
+    - is_error_code
+    - is_exception?
+    - is_exploit_module?
+    - is_exploitable?
+    - is_fqdn?
+    - is_glob?
+    - is_groupwise?
+    - is_guest_mode_enabled?
+    - is_hash_from_empty_pwd?
+    - is_high_integrity?
+    - is_hostname?
+    - is_ie?
+    - is_imc?
+    - is_imc_som?
+    - is_in_admin_group?
+    - is_interface?
+    - is_ip_targeted?
+    - is_key_wanted?
+    - is_leaf?
+    - is_local?
+    - is_logged_in?
+    - is_loggedin
+    - is_loopback_address?
+    - is_mac?
+    - is_match
+    - is_md5_format?
+    - is_module_arch?
+    - is_module_platform?
+    - is_module_wanted?
+    - is_multi_platform_exploit?
+    - is_not_null?
+    - is_null_pointer
+    - is_null_pointer?
+    - is_num?
+    - is_num_type?
+    - is_numeric
+    - is_online?
+    - is_parseable
+    - is_pass_ntlm_hash?
+    - is_passwd_method?
+    - is_password_required?
+    - is_payload_compatible?
+    - is_payload_platform_compatible?
+    - is_pointer_type?
+    - is_pri_key?
+    - is_proficy?
+    - is_rdp_up
+    - is_remote_exploit?
+    - is_resource_taken?
+    - is_rf?
+    - is_rmi?
+    - is_root?
+    - is_routable?
+    - is_running?
+    - is_scan_complete
+    - is_secure_admin_disabled?
+    - is_session_type?
+    - is_signature_correct?
+    - is_single_object?
+    - is_struct_type?
+    - is_supermicro?
+    - is_superuser?
+    - is_sws?
+    - is_system?
+    - is_system_user?
+    - is_target?
+    - is_target_suitable?
+    - is_trial_enabled?
+    - is_trustworthy
+    - is_uac_enabled?
+    - is_url_alive
+    - is_usable?
+    - is_uuid?
+    - is_valid?
+    - is_valid_bus?
+    - is_valid_snmp_value
+    - is_value_wanted?
+    - is_version_compat?
+    - is_version_tested?
+    - is_vmware?
+    - is_vul
+    - is_vulnerable?
+    - is_warbird?
+    - is_windows?
+    - is_writable
+    - is_writable?
+    - is_x86?
+    - is_zigbee_hwbridge_session?
+
 # %q() is super useful for long strings split over multiple lines and
 # is very common in module constructors for things like descriptions
 Style/RedundantPercentQ:

modules/exploits/linux/http/axis_app_install.rb

@@ -48,8 +48,7 @@ def initialize(info = {})
               'Platform' => 'linux',
               'Arch' => [ARCH_ARMLE],
               'Type' => :linux_dropper,
-              'Payload' => {
-              },
+              'Payload' => {},
               'DefaultOptions' => {
                 'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp' # Use stagless payloads until issue 16107 gets addressed to fix the ARMLE stager
               }

modules/exploits/linux/http/ibm_drm_rce.rb

@@ -55,6 +55,11 @@ def initialize(info = {})
               stdapi_fs_delete_file
             ]
           }
+        },
+        'Notes' => {
+          'Stability' => [ CRASH_SAFE ],
+          'Reliability' => [ REPEATABLE_SESSION ],
+          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]
         }
       )
     )
@@ -154,7 +159,7 @@ def free_the_admin(session_id)
       'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
     })
 
-    unless res && (res.code == 200) && res.body[/"data":"([0-9a-f\-]{36})/]
+    unless res && (res.code == 200) && res.body[/"data":"([0-9a-f-]{36})/]
       fail_with(Failure::Unknown, "#{peer} - Failed to obtain the admin password.")
     end
 
@@ -189,7 +194,7 @@ def login_and_csrf(password)
       'cookie' => cookie
     })
 
-    unless res && (res.code == 200) && res.body =~ /var csrfToken = "([0-9a-f\-]{36})";/
+    unless res && (res.code == 200) && res.body =~ /var csrfToken = "([0-9a-f-]{36})";/
       fail_with(Failure::Unknown, "#{peer} - Failed to authenticate obtain CSRF cookie.")
     end
     csrf = Regexp.last_match(1)
@@ -269,7 +274,7 @@ def obtain_bearer_token(password)
       'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
     })
 
-    unless res && (res.code == 200) && res.body =~ /"data":\{"access_token":"([0-9a-f\-]{36})","token_type":"bearer"/
+    unless res && (res.code == 200) && res.body =~ /"data":\{"access_token":"([0-9a-f-]{36})","token_type":"bearer"/
       fail_with(Failure::Unknown, "#{peer} - Failed to obtain Bearer token.")
     end
 

modules/exploits/linux/http/linuxki_rce.rb

@@ -14,69 +14,74 @@ class MetasploitModule < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(
-        update_info(
-          info,
-          'Name' => 'LinuxKI Toolset 6.01 Remote Command Execution',
-          'Description' => %q{
-            This module exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution.
-            The kivis.php pid parameter received from the user is sent to the shell_exec function, resulting in security vulnerability.
-          },
-          'License' => MSF_LICENSE,
-          'Author' => [
-            'Cody Winkler', # discovery and poc
-            'numan türle' # msf exploit
+      update_info(
+        info,
+        'Name' => 'LinuxKI Toolset 6.01 Remote Command Execution',
+        'Description' => %q{
+          This module exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution.
+          The kivis.php pid parameter received from the user is sent to the shell_exec function, resulting in security vulnerability.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Cody Winkler', # discovery and poc
+          'numan türle' # msf exploit
+        ],
+        'References' => [
+          ['EDB', '48483'],
+          ['CVE', '2020-7209'],
+          ['PACKETSTORM', '157739'],
+          ['URL', 'https://github.com/HewlettPackard/LinuxKI/commit/10bef483d92a85a13a59ca65a288818e92f80d78']
+        ],
+        'Privileged' => false,
+        'Platform' => ['php', 'unix', 'linux'],
+        'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X86, ARCH_X64],
+        'Targets' => [
+          [
+            'Automatic (PHP In-Memory)',
+            {
+              'Platform' => 'php',
+              'Arch' => ARCH_PHP,
+              'Type' => :php_memory,
+              'Payload' => { 'BadChars' => "'" },
+              'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }
+            }
           ],
-          'References' => [
-            ['EDB', '48483'],
-            ['CVE', '2020-7209'],
-            ['PACKETSTORM', '157739'],
-            ['URL', 'https://github.com/HewlettPackard/LinuxKI/commit/10bef483d92a85a13a59ca65a288818e92f80d78']
+          [
+            'Automatic (PHP Dropper)',
+            {
+              'Platform' => 'php',
+              'Arch' => ARCH_PHP,
+              'Type' => :php_dropper,
+              'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }
+            }
           ],
-          'Privileged' => false,
-          'Platform' => ['php', 'unix', 'linux'],
-          'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X86, ARCH_X64],
-          'Targets' => [
-            [
-              'Automatic (PHP In-Memory)',
-              {
-                'Platform' => 'php',
-                'Arch' => ARCH_PHP,
-                'Type' => :php_memory,
-                'Payload' => { 'BadChars' => "'" },
-                'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }
-              }
-            ],
-            [
-              'Automatic (PHP Dropper)',
-              {
-                'Platform' => 'php',
-                'Arch' => ARCH_PHP,
-                'Type' => :php_dropper,
-                'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }
-              }
-            ],
-            [
-              'Automatic (Unix In-Memory)',
-              {
-                'Platform' => 'unix',
-                'Arch' => ARCH_CMD,
-                'Type' => :unix_memory,
-                'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
-              }
-            ],
-            [
-              'Automatic (Linux Dropper)',
-              {
-                'Platform' => 'linux',
-                'Arch' => [ARCH_X86, ARCH_X64],
-                'Type' => :linux_dropper,
-                'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' }
-              }
-            ]
+          [
+            'Automatic (Unix In-Memory)',
+            {
+              'Platform' => 'unix',
+              'Arch' => ARCH_CMD,
+              'Type' => :unix_memory,
+              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
+            }
           ],
-          'DisclosureDate' => '2020-05-17',
-          'DefaultTarget' => 0
-        )
+          [
+            'Automatic (Linux Dropper)',
+            {
+              'Platform' => 'linux',
+              'Arch' => [ARCH_X86, ARCH_X64],
+              'Type' => :linux_dropper,
+              'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' }
+            }
+          ]
+        ],
+        'DisclosureDate' => '2020-05-17',
+        'DefaultTarget' => 0,
+        'Notes' => {
+          'Stability' => [ CRASH_SAFE ],
+          'Reliability' => [ REPEATABLE_SESSION ],
+          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]
+        }
+      )
     )
 
     register_options([

modules/exploits/linux/http/pandora_fms_events_exec.rb

@@ -77,7 +77,12 @@ def initialize(info = {})
         ],
         'Privileged' => false,
         'DisclosureDate' => '2020-06-04',
-        'DefaultTarget' => 1
+        'DefaultTarget' => 1,
+        'Notes' => {
+          'Stability' => [ CRASH_SAFE ],
+          'Reliability' => [ REPEATABLE_SESSION ],
+          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]
+        }
       )
     )
     register_options [
@@ -109,7 +114,7 @@ def check
 
     full_version = full_version.text
 
-    version = full_version[1..-1].sub('NG', '')
+    version = full_version[1..].sub('NG', '')
 
     if version.blank?
       return CheckCode::Detected('Could not determine the Pandora FMS version.')