First little bit at Bug 8498

[FixRM rapid7#8489] rhost/rport modification

Author: wchen-r7

lib/msf/core/exploit/ftp.rb

@@ -43,7 +43,7 @@ def initialize(info = {})
 
   #
   # This method establishes an FTP connection to host and port specified by
-  # the RHOST and RPORT options, respectively.  After connecting, the banner
+  # the 'rhost' and 'rport' methods. After connecting, the banner
   # message is read in and stored in the 'banner' attribute.
   #
   def connect(global = true, verbose = nil)

lib/msf/core/exploit/http/client.rb

@@ -164,7 +164,7 @@ def connect(opts={})
 
     # Configure the HTTP client with the supplied parameter
     nclient.set_config(
-      'vhost' => opts['vhost'] || self.vhost(),
+      'vhost' => opts['vhost'] || opts['rhost'] || self.vhost(),
       'agent' => datastore['UserAgent'],
       'uri_encode_mode'        => datastore['HTTP::uri_encode_mode'],
       'uri_full_url'           => datastore['HTTP::uri_full_url'],

modules/auxiliary/admin/misc/wol.rb

@@ -36,14 +36,6 @@ def initialize(info = {})
     deregister_options('RHOST', 'RPORT')
   end
 
-  #
-  # Restore the original rhost:rport
-  #
-  def cleanup
-    datastore['RHOST'] = @last_rhost
-    datastore['RPORT'] = @last_rport
-  end
-
   #
   # Convert the MAC option to binary format
   #
@@ -85,6 +77,14 @@ def parse_password
     nil
   end
 
+  def wol_rhost
+    datastore['IPV6'] ? "ff:ff:ff:ff:ff:ff" : "255.255.255.255"
+  end
+
+  def wol_rport
+    9
+  end
+
   def run
     # If the MAC is bad, no point to continue
     mac = get_mac_addr
@@ -94,23 +94,17 @@ def run
     pass = parse_password
     return if pass.nil?
 
-    # Save the original rhost:rport settings so we can restore them
-    # later once the module is done running
-    @last_rhost = rhost
-    @last_rport = rport
-
-    # Config to broadcast
-    datastore['RHOST'] = datastore['IPV6'] ? "ff:ff:ff:ff:ff:ff" : "255.255.255.255"
-    datastore['RPORT'] = 9
-
     # Craft the WOL packet
     wol_pkt = "\xff" * 6  #Sync stream (magic packet)
     wol_pkt << mac  * 16  #Mac address
     wol_pkt << pass if not pass.empty?
 
     # Send out the packet
     print_status("Sending WOL packet...")
-    connect_udp
+    connect_udp( true, {
+      'RHOST' => wol_rhost,
+      'RPORT' => wol_rport
+    })
     udp_sock.put(wol_pkt)
     disconnect_udp
   end

modules/auxiliary/gather/corpwatch_lookup_id.rb

@@ -28,7 +28,7 @@ def initialize(info = {})
     register_options(
       [
         OptString.new('CW_ID', [ true, "The CorpWatch ID of the company", ""]),
-        OptInt.new('YEAR', [ false, "Year to look up"]),
+        OptInt.new('YEAR', [ false, "Year to look up", Time.now.year-1]),
         OptBool.new('GET_LOCATIONS', [ false, "Get locations for company", true]),
         OptBool.new('GET_NAMES', [ false, "Get all registered names ofr the company", true]),
         OptBool.new('GET_FILINGS', [ false, "Get all filings", false ]),
@@ -40,26 +40,24 @@ def initialize(info = {})
     deregister_options('RHOST', 'RPORT', 'VHOST', 'Proxies')
   end
 
-  def cleanup
-    datastore['RHOST'] = @old_rhost
-    datastore['RPORT'] = @old_rport
+  def rhost_corpwatch
+    'api.corpwatch.org'
   end
 
-  def run
-    # Save the original rhost/rport in case the user was exploiting something else
-    @old_rhost = datastore['RHOST']
-    @old_rport = datastore['RPORT']
+  def rport_corpwatch
+    80
+  end
 
-    # Initial api.corpwatch.org's rhost and rport for HttpClient
-    datastore['RHOST'] = 'api.corpwatch.org'
-    datastore['RPORT'] = 80
+  def run
 
     loot = ""
     uri = "/"
     uri << (datastore['YEAR']).to_s if datastore['YEAR'].to_s != ""
     uri << ("/companies/" + datastore['CW_ID'])
 
     res = send_request_cgi({
+      'rhost'    => rhost_corpwatch,
+      'rport'    => rport_corpwatch,
       'uri'      => uri + ".xml",
       'method'   => 'GET'
     }, 25)
@@ -85,7 +83,7 @@ def run
 
     elements = root.get_elements("result")
 
-    if elements == nil || elements.length == 0
+    if elements.blank? || elements.length == 0
       print_error("No results returned")
       return
     end
@@ -157,6 +155,8 @@ def run
 
       res = send_request_cgi(
       {
+        'rhost'   => rhost_corpwatch,
+        'rport'   => rport_corpwatch,
         'uri'     => uri + "/locations.xml",
         'method'  => 'GET'
       }, 25)
@@ -227,6 +227,8 @@ def run
 
       res = send_request_cgi(
       {
+        'rhost'   => rhost_corpwatch,
+        'rport'   => rport_corpwatch,
         'uri'     => uri + "/names.xml",
         'method'  => 'GET'
       }, 25)
@@ -287,6 +289,8 @@ def run
 
       res = send_request_cgi(
       {
+        'rhost'   => rhost_corpwatch,
+        'rport'   => rport_corpwatch,
         'uri'     => uri + "/filings.xml",
         'method'  => 'GET'
       }, 25)
@@ -365,6 +369,8 @@ def run
 
       res = send_request_cgi(
       {
+        'rhost'   => rhost_corpwatch,
+        'rport'   => rport_corpwatch,
         'uri'      => child_uri,
         'method'   => 'GET'
       }, 25)
@@ -444,6 +450,8 @@ def run
     if datastore['GET_HISTORY']
 
       res = send_request_cgi({
+        'rhost'   => rhost_corpwatch,
+        'rport'   => rport_corpwatch,
         'uri'     => uri + "/history.xml",
         'method'  => 'GET'
       }, 25)

modules/auxiliary/gather/corpwatch_lookup_name.rb

@@ -31,34 +31,32 @@ def initialize(info = {})
     register_options(
       [
         OptString.new('COMPANY_NAME', [ true, "Search for companies with this name", ""]),
-        OptInt.new('YEAR', [ false, "Limit results to a specific year"]),
+        OptInt.new('YEAR', [ false, "Year to look up", Time.now.year-1]),
         OptString.new('LIMIT', [ true, "Limit the number of results returned", "5"]),
         OptString.new('CORPWATCH_APIKEY', [ false, "Use this API key when getting the data", ""]),
       ], self.class)
 
     deregister_options('RHOST', 'RPORT', 'Proxies', 'VHOST')
   end
 
-  def cleanup
-    datastore['RHOST'] = @old_rhost
-    datastore['RPORT'] = @old_rport
+  def rhost_corpwatch
+    'api.corpwatch.org'
   end
 
-  def run
-    # Save the original rhost/rport in case the user was exploiting something else
-    @old_rhost = datastore['RHOST']
-    @old_rport = datastore['RPORT']
+  def rport_corpwatch
+    80
+  end
 
-    # Initial api.corpwatch.org's rhost and rport for HttpClient
-    datastore['RHOST'] = 'api.corpwatch.org'
-    datastore['RPORT'] = 80
+  def run
 
     uri = "/"
     uri << (datastore['YEAR'].to_s + "/") if datastore['YEAR'].to_s != ""
     uri << "companies.xml"
 
     res = send_request_cgi(
     {
+      'rhost'    => rhost_corpwatch,
+      'rport'    => rport_corpwatch,
       'uri'      => uri,
       'method'   => 'GET',
       'vars_get' =>
@@ -104,7 +102,7 @@ def run
 
     elements = results.get_elements("companies")
 
-    if not elements
+    if elements.blank?
       print_error("No companies returned")
       return
     end

modules/auxiliary/gather/shodan_search.rb

@@ -60,6 +60,9 @@ def shodan_query(query, apikey, page)
     uri = "/api/search?&q=" + Rex::Text.uri_encode(query) + "&key=" + apikey + "&page=" + page.to_s
     res = send_request_raw(
       {
+        'rhost'    => shodan_rhost,
+        'rport'    => shodan_rport,
+        'vhost'    => vhost,
         'method'   => 'GET',
         'uri'      => uri
     }, 25)
@@ -80,29 +83,26 @@ def save_output(data)
     print_status("Save results in #{datastore['OUTFILE']}")
   end
 
-  def cleanup
-    datastore['RHOST'] = @old_rhost
-    datastore['RPORT'] = @old_rport
+  def shodan_rhost
+    @res = Net::DNS::Resolver.new()
+    dns_query = @res.query("#{datastore['VHOST']}", "A")
+    if dns_query.answer.length == 0
+      print_error("Could not resolve #{datastore['VHOST']}")
+      raise ::Rex::ConnectError(vhost, shodan_port)
+    end
+    dns_query.answer[0].to_s.split(/[\s,]+/)[4]
+  end
+
+  def shodan_rport
+    80
   end
 
   def run
+
     # create our Shodan request parameters
     query = datastore['QUERY']
     apikey = datastore['SHODAN_APIKEY']
 
-    @res = Net::DNS::Resolver.new()
-    dns_query = @res.query("#{datastore['VHOST']}", "A")
-    if dns_query.answer.length == 0
-      print_error("Could not resolve #{datastore['VHOST']}")
-      return
-    else
-      # Make a copy of the original rhost
-      @old_rhost = datastore['RHOST']
-      @old_rport = datastore['RPORT']
-      datastore['RHOST'] = dns_query.answer[0].to_s.split(/[\s,]+/)[4]
-      datastore['RPORT'] = 80
-    end
-
     page = 1
 
     # results gets our results from shodan_query

modules/auxiliary/scanner/portscan/ftpbounce.rb

@@ -17,9 +17,7 @@ def initialize
       'Name'        => 'FTP Bounce Port Scanner',
       'Description' => %q{
         Enumerate TCP services via the FTP bounce PORT/LIST
-        method, which can still come in handy every once in
-        a while (I know of a server that still allows this
-        just fine...).
+        method.
       },
       'Author'      => 'kris katterjohn',
       'License'     => MSF_LICENSE
@@ -39,16 +37,21 @@ def support_ipv6?
     false
   end
 
+  def rhost
+    datastore['BOUNCEHOST']
+  end
+
+  def rport
+    datastore['BOUNCEPORT']
+  end
+
   def run_host(ip)
     ports = Rex::Socket.portspec_crack(datastore['PORTS'])
 
     if ports.empty?
       raise Msf::OptionValidateError.new(['PORTS'])
     end
 
-    datastore['RHOST'] = datastore['BOUNCEHOST']
-    datastore['RPORT'] = datastore['BOUNCEPORT']
-
     return if not connect_login
 
     ports.each do |port|

modules/exploits/multi/browser/java_atomicreferencearray.rb

@@ -123,7 +123,7 @@ def on_request_uri( cli, request )
           vprint_status("Sending java reverse shell")
         else
           port = datastore['LPORT']
-          datastore['RHOST'] = cli.peerhost
+          host = cli.peerhost
           vprint_status( "Java bind shell" )
         end
         if jar

modules/exploits/multi/browser/java_calendar_deserialize.rb

@@ -119,7 +119,7 @@ def on_request_uri( cli, request )
           print_status("Payload will be a Java reverse shell")
         else
           port = datastore['LPORT']
-          datastore['RHOST'] = cli.peerhost
+          host = cli.peerhost
           print_status("Payload will be a Java bind shell")
         end
         if jar

modules/exploits/multi/browser/java_verifier_field_access.rb

@@ -122,7 +122,7 @@ def on_request_uri( cli, request )
           vprint_status("Sending java reverse shell")
         else
           port = datastore['LPORT']
-          datastore['RHOST'] = cli.peerhost
+          host = cli.peerhost
           vprint_status( "Java bind shell" )
         end
         if jar