Use more correct check codes

jhart-r7 · jhart-r7 · commit 1f6defda7342 · 2015-01-14T13:10:35.000-08:00
diff --git a/modules/auxiliary/scanner/http/allegro_rompager_misfortune_cookie.rb b/modules/auxiliary/scanner/http/allegro_rompager_misfortune_cookie.rb
@@ -51,22 +51,26 @@ def check_host(_ip)
   end
 
   def run_host(ip)
-    case check_host(ip)
+    status = check_host(ip)
+    case status
     when Exploit::CheckCode::Appears
-      print_good("#{peer} is vulnerable")
     when Exploit::CheckCode::Detected
-      print_good("#{peer} uses a vulnerable version")
+    when Exploit::CheckCode::Vulnerable
+      print_good("#{peer} #{status.last}")
     else
       vprint_status("#{peer} is not vulnerable")
     end
   end
 
+  # Fingerprints the provided HTTP response and returns
+  # Exploit::CheckCode::Appears if it is a vulnerable version of RomPager,
+  # otherwise returns the provided fall-back status.
   def check_response_fingerprint(res, fallback_status)
     fp = http_fingerprint(response: res)
     if /RomPager\/(?<version>[\d\.]+)/ =~ fp
       vprint_status("#{peer} is RomPager #{version}")
       if Gem::Version.new(version) < Gem::Version.new('4.34')
-        return Exploit::CheckCode::Detected
+        return Exploit::CheckCode::Appears
       end
     end
     fallback_status
@@ -84,7 +88,7 @@ def find_canary
       # in most cases, the canary URI will not exist and will return a 404, but
       # if everything under TARGETURI is protected by auth, that may be fine
       # too
-      return canary if res.code == 401 || res.code == 404
+      return canary if res && (res.code == 401 || res.code == 404)
     end
     nil
   end
@@ -127,27 +131,27 @@ def test_misfortune
 
     unless res.code == 404
       vprint_status("#{full_uri} unexpected HTTP code #{res.code} response")
-      return check_response_fingerprint(res, Exploit::CheckCode::Unknown)
+      return check_response_fingerprint(res, Exploit::CheckCode::Detected)
     end
 
     unless res.body
       vprint_status("#{full_uri} HTTP code #{res.code} had no body")
-      return check_response_fingerprint(res, Exploit::CheckCode::Unknown)
+      return check_response_fingerprint(res, Exploit::CheckCode::Detected)
     end
 
     # If that canary *value* shows up in the *body*, then there are two possibilities:
     #
     # 1) If the canary cookie *name* is also in the *body*, it is likely that
     # the endpoint is puppeting back our request to some extent and therefore
     # it is expected that the canary cookie *value* would also be there.
-    # return Exploit::CheckCode::Unknown
+    # return Exploit::CheckCode::Detected
     #
     # 2) If the canary cookie *name* is *not* in the *body*, return
-    # Exploit::CheckCode::Appears
+    # Exploit::CheckCode::Vulnerable
     if res.body.include?(canary_value)
       if res.body.include?(canary_cookie_name)
         vprint_status("#{full_uri} HTTP code #{res.code} response contained test cookie name #{canary_cookie_name}")
-        return check_response_fingerprint(res, Exploit::CheckCode::Unknown)
+        return check_response_fingerprint(res, Exploit::CheckCode::Detected)
       else
         vprint_good("#{full_uri} HTTP code #{res.code} response contained canary cookie value #{canary_value} as URI")
         report_vuln(
@@ -156,7 +160,7 @@ def test_misfortune
           name: name,
           refs: references
         )
-        return Exploit::CheckCode::Appears
+        return Exploit::CheckCode::Vulnerable
       end
     end
 
