From 1e3727ba8790d509214ff0e715a317b879d0d78e Mon Sep 17 00:00:00 2001 
From: adfoster-r7 Date: Wed, 22 Apr 2026 11:58:09 +0100 Subject: [PATCH] Add human-readable descriptions to CheckCode returns in remaining multi exploit modules --- .../multi/elasticsearch/script_mvel_rce.rb | 4 +- .../elasticsearch/search_groovy_script.rb | 4 +- .../multi/ftp/pureftpd_bash_env_exec.rb | 6 +-- .../multi/ftp/wuftpd_site_exec_format.rb | 10 ++-- .../multi/local/xorg_x11_suid_server.rb | 14 +++-- .../local/xorg_x11_suid_server_modulepath.rb | 10 ++-- .../apache_activemq_rce_cve_2023_46604.rb | 12 ++--- .../exploits/multi/misc/arkeia_agent_exec.rb | 54 +++++++++---------- .../bmc_server_automation_rscd_nsh_rce.rb | 6 +-- modules/exploits/multi/misc/calibre_exec.rb | 21 ++++---- .../claymore_dual_miner_remote_manager_rce.rb | 8 +-- .../exploits/multi/misc/consul_rexec_exec.rb | 8 +-- .../multi/misc/consul_service_exec.rb | 10 ++-- .../misc/freeswitch_event_socket_cmd_exec.rb | 6 +-- .../misc/hp_data_protector_exec_integutil.rb | 10 ++-- .../multi/misc/indesign_server_soap.rb | 4 +- .../exploits/multi/misc/java_jdwp_debugger.rb | 6 +-- .../exploits/multi/misc/java_jmx_server.rb | 11 ++-- .../jboss_remoting_unified_invoker_rce.rb | 6 +-- .../exploits/multi/misc/legend_bot_exec.rb | 12 ++--- .../exploits/multi/misc/msfd_rce_remote.rb | 8 ++- .../exploits/multi/misc/nodejs_v8_debugger.rb | 6 ++- modules/exploits/multi/misc/nomad_exec.rb | 16 +++--- .../multi/misc/openview_omniback_exec.rb | 12 ++--- .../exploits/multi/misc/osgi_console_exec.rb | 4 +- modules/exploits/multi/misc/pbot_exec.rb | 8 +-- .../misc/persistent_hpca_radexec_exec.rb | 4 +- .../exploits/multi/misc/ra1nx_pubcall_exec.rb | 6 +-- .../multi/misc/teamcity_agent_xmlrpc_exec.rb | 4 +- .../multi/misc/veritas_netbackup_cmdexec.rb | 4 +- modules/exploits/multi/misc/w3tw0rk_exec.rb | 12 ++--- .../multi/misc/weblogic_deserialize.rb | 12 ++--- ...blogic_deserialize_asyncresponseservice.rb | 8 +-- .../weblogic_deserialize_badattr_extcomp.rb | 4 +- .../misc/weblogic_deserialize_badattrval.rb | 4 +- 
.../weblogic_deserialize_marshalledobject.rb | 14 ++--- .../misc/weblogic_deserialize_rawobject.rb | 16 +++--- .../misc/weblogic_deserialize_unicastref.rb | 14 ++--- modules/exploits/multi/misc/xdh_x_exec.rb | 12 ++--- .../multi/persistence/periodic_script.rb | 4 +- .../multi/php/ignition_laravel_debug_rce.rb | 4 +- .../exploits/multi/php/jorani_path_trav.rb | 8 +-- .../multi/php/php_unserialize_zval_cookie.rb | 8 +-- .../multi/php/wp_duplicator_code_inject.rb | 15 ++++-- .../postgres_copy_from_program_cmd_exec.rb | 2 +- .../multi/postgres/postgres_createlang.rb | 2 +- modules/exploits/multi/realserver/describe.rb | 4 +- .../multi/sap/cve_2020_6207_solman_rs.rb | 4 +- .../multi/sap/sap_mgmt_con_osexec_payload.rb | 10 ++-- .../sap/sap_soap_rfc_sxpg_call_system_exec.rb | 4 +- .../sap/sap_soap_rfc_sxpg_command_exec.rb | 4 +- .../multi/scada/inductive_ignition_rce.rb | 4 +- 52 files changed, 237 insertions(+), 226 deletions(-) diff --git a/modules/exploits/multi/elasticsearch/script_mvel_rce.rb b/modules/exploits/multi/elasticsearch/script_mvel_rce.rb index aa6be08d2b01f..768c417f0af0e 100644 --- a/modules/exploits/multi/elasticsearch/script_mvel_rce.rb +++ b/modules/exploits/multi/elasticsearch/script_mvel_rce.rb @@ -60,10 +60,10 @@ def initialize(info = {}) end def check - result = Exploit::CheckCode::Safe + result = Exploit::CheckCode::Safe('Elasticsearch does not appear to be vulnerable') if vulnerable? - result = Exploit::CheckCode::Vulnerable + result = Exploit::CheckCode::Vulnerable('Arbitrary Java execution confirmed via MVEL scripting') end result diff --git a/modules/exploits/multi/elasticsearch/search_groovy_script.rb b/modules/exploits/multi/elasticsearch/search_groovy_script.rb index cc4636161b2f0..4cd97f54491e4 100644 --- a/modules/exploits/multi/elasticsearch/search_groovy_script.rb +++ b/modules/exploits/multi/elasticsearch/search_groovy_script.rb 
@@ -58,10 +58,10 @@ module has been tested successfully on ElasticSearch 1.4.2 on Ubuntu Server 12.0 end def check - result = Exploit::CheckCode::Safe + result = Exploit::CheckCode::Safe('Elasticsearch does not appear to be vulnerable') if vulnerable? - result = Exploit::CheckCode::Vulnerable + result = Exploit::CheckCode::Vulnerable('Arbitrary Java execution confirmed via Groovy scripting') end result diff --git a/modules/exploits/multi/ftp/pureftpd_bash_env_exec.rb b/modules/exploits/multi/ftp/pureftpd_bash_env_exec.rb index 317cde521f1fb..a1d1f0b22916b 100644 --- a/modules/exploits/multi/ftp/pureftpd_bash_env_exec.rb +++ b/modules/exploits/multi/ftp/pureftpd_bash_env_exec.rb @@ -85,17 +85,17 @@ def check command = "echo auth_ok:1; echo uid:#{random_id}; echo gid:#{random_id}; echo dir:/tmp; echo end" if send_command(username, command) =~ /^2\d\d ok./i disconnect - return CheckCode::Safe if banner !~ /pure-ftpd/i + return CheckCode::Safe('Target does not appear to be running Pure-FTPd') if banner !~ /pure-ftpd/i command = "echo auth_ok:0; echo end" if send_command(username, command) =~ /^5\d\d login authentication failed/i disconnect - return CheckCode::Vulnerable + return CheckCode::Vulnerable('Pure-FTPd bash environment variable injection confirmed') end end disconnect - CheckCode::Safe + CheckCode::Safe('Pure-FTPd not vulnerable to bash environment variable injection') end def execute_command(cmd, _opts) diff --git a/modules/exploits/multi/ftp/wuftpd_site_exec_format.rb b/modules/exploits/multi/ftp/wuftpd_site_exec_format.rb index 00eff973d5875..8933b5bc561e6 100644 --- a/modules/exploits/multi/ftp/wuftpd_site_exec_format.rb +++ b/modules/exploits/multi/ftp/wuftpd_site_exec_format.rb 
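Review bot: The closing `CheckCode::Safe('Pure-FTPd not vulnerable to bash environment variable injection')` in pureftpd_bash_env_exec.rb is also reached when the first `send_command` probe never matched `/^2\d\d ok./i`, so on that path the message reports a conclusion the code did not test. A wording that covers both paths, such as `CheckCode::Safe('Target did not respond to the probe as a vulnerable Pure-FTPd would')`, avoids telling a defender that the host was tested and cleared. The start of `check` is outside the hunk, so how `banner` and `username` are obtained is not visible here.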
@@ -120,21 +120,21 @@ def check # We just want the banner to check against our targets.. vprint_status("FTP Banner: #{banner.strip}") - status = Exploit::CheckCode::Safe + status = Exploit::CheckCode::Safe('WU-FTPD not detected or version is not vulnerable') if banner =~ /Version wu-2\.(4|5)/ - status = Exploit::CheckCode::Appears + status = Exploit::CheckCode::Appears('WU-FTPD 2.x version detected') elsif banner =~ /Version wu-2\.6\.0/ - status = Exploit::CheckCode::Appears + status = Exploit::CheckCode::Appears('WU-FTPD 2.6.0 detected') end # If we've made it this far, we care if login succeeded. if (ret) # NOTE: vulnerable and exploitable might not mean the same thing here :) if not fmtstr_detect_vulnerable - status = Exploit::CheckCode::Safe + status = Exploit::CheckCode::Safe('Format string vulnerability not detected') end if not fmtstr_detect_exploitable - status = Exploit::CheckCode::Safe + status = Exploit::CheckCode::Safe('Format string vulnerability not exploitable') end end diff --git a/modules/exploits/multi/local/xorg_x11_suid_server.rb b/modules/exploits/multi/local/xorg_x11_suid_server.rb index b8e6812142329..f66a50d9a05c8 100644 --- a/modules/exploits/multi/local/xorg_x11_suid_server.rb +++ b/modules/exploits/multi/local/xorg_x11_suid_server.rb @@ -118,14 +118,12 @@ def check user = cmd_exec('id -un') unless exist?("/var/run/console/#{user}") vprint_error("No console lock for #{user}") - return CheckCode::Safe + return CheckCode::Safe("No console lock for #{user}") end vprint_good("Console lock for #{user}") end return CheckCode::Safe('SELinux is enforcing') if selinux_installed? && selinux_enforcing? - - vprint_good('SELinux is not an issue') end # suid program check 
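Review bot: In wuftpd_site_exec_format.rb both `if not` branches assign `CheckCode::Safe`, so a target where `fmtstr_detect_vulnerable` succeeded but `fmtstr_detect_exploitable` did not is reported as Safe with 'Format string vulnerability not exploitable'. That host still has the bug, which is the distinction the existing NOTE comment draws; `status = Exploit::CheckCode::Appears('Format string vulnerability detected but not exploitable')` would preserve it. When both probes pass but the banner matched neither regex, `status` keeps the initial 'WU-FTPD not detected or version is not vulnerable', which contradicts the probe results. The end of `check` is outside the hunk, so how `status` is returned is assumed.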
@@ -148,16 +146,16 @@ def check v = Rex::Version.new(x_version.scan(/\d\.\d+\.\d+/).first) unless v.between?(Rex::Version.new('1.19.0'), Rex::Version.new('1.20.2')) vprint_error "Xorg version #{v} not supported" - return CheckCode::Safe + return CheckCode::Safe("Xorg version #{v} is not in the vulnerable range") end elsif x_version.include?('Fatal server error') vprint_error 'User probably does not have console auth' vprint_error 'Below is Xorg -version output' vprint_error x_version - return CheckCode::Safe + return CheckCode::Safe('User does not have console auth') else vprint_warning('Could not parse Xorg -version output') - return CheckCode::Appears + return CheckCode::Appears('Could not parse Xorg version, but Xorg is SUID') end vprint_good("Xorg version #{v} is vulnerable") @@ -165,10 +163,10 @@ def check proc_list = cmd_exec 'ps ax' if proc_list.include?('/X ') vprint_warning('Xorg in process list') - return CheckCode::Appears + return CheckCode::Appears("Xorg version #{v} is vulnerable but Xorg is already running") end vprint_good('Xorg does not appear running') - return CheckCode::Vulnerable + return CheckCode::Vulnerable("Xorg version #{v} is vulnerable and not currently running") end def on_new_session(session) diff --git a/modules/exploits/multi/local/xorg_x11_suid_server_modulepath.rb b/modules/exploits/multi/local/xorg_x11_suid_server_modulepath.rb index 1bc4a2bba728a..82decb1ae664e 100644 --- a/modules/exploits/multi/local/xorg_x11_suid_server_modulepath.rb +++ b/modules/exploits/multi/local/xorg_x11_suid_server_modulepath.rb @@ -102,7 +102,7 @@ def check user = cmd_exec('id -un') unless exist?("/var/run/console/#{user}") vprint_error("No console lock for #{user}") - return CheckCode::Safe + return CheckCode::Safe("No console lock for #{user}") end vprint_good("Console lock for #{user}") end 
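Review bot: `CheckCode::Safe('User does not have console auth')` in the 'Fatal server error' branch states as fact what the `vprint_error` just above it calls probable ('User probably does not have console auth'). Keeping the hedge in the returned message, e.g. `CheckCode::Safe('Xorg reported a fatal server error; user probably does not have console auth')`, stops the check output from overstating what was verified. The same wording is added in xorg_x11_suid_server_modulepath.rb. In the following branch, 'but Xorg is SUID' depends on the suid check that sits above this hunk and is not visible here.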
@@ -132,10 +132,10 @@ def check vprint_error 'User probably does not have console auth' vprint_error 'Below is Xorg -version output' vprint_error x_version - return CheckCode::Safe + return CheckCode::Safe('User does not have console auth') else vprint_warning('Could not parse Xorg -version output') - return CheckCode::Appears + return CheckCode::Appears('Could not parse Xorg version, but Xorg is SUID') end vprint_good("Xorg version #{v} is vulnerable") @@ -143,10 +143,10 @@ def check proc_list = cmd_exec 'ps ax' if proc_list.include?('/X ') vprint_warning('Xorg in process list') - return CheckCode::Appears + return CheckCode::Appears("Xorg version #{v} is vulnerable but Xorg is already running") end vprint_good('Xorg does not appear to be running') - return CheckCode::Vulnerable + return CheckCode::Vulnerable("Xorg version #{v} is vulnerable and not currently running") end def check_arch_and_compile(path, data) diff --git a/modules/exploits/multi/misc/apache_activemq_rce_cve_2023_46604.rb b/modules/exploits/multi/misc/apache_activemq_rce_cve_2023_46604.rb index 3c09e9885f5a2..cb37b0ba5b154 100644 --- a/modules/exploits/multi/misc/apache_activemq_rce_cve_2023_46604.rb +++ b/modules/exploits/multi/misc/apache_activemq_rce_cve_2023_46604.rb 
@@ -81,21 +81,21 @@ def check len = sock.timed_read(4)&.unpack1('N') - return CheckCode::Unknown if len.nil? || len > 0x2000 # upper limit in case the service isn't ActiveMQ + return CheckCode::Unknown('Invalid or unexpected response length') if len.nil? || len > 0x2000 # upper limit in case the service isn't ActiveMQ res = sock.timed_read(len) disconnect - return CheckCode::Unknown unless res + return CheckCode::Unknown('No response received from target') unless res _, magic = res.unpack('CZ*') - return CheckCode::Unknown unless res.length == len + return CheckCode::Unknown('Response length mismatch') unless res.length == len - return CheckCode::Unknown unless magic == 'ActiveMQ' + return CheckCode::Unknown('Target is not an ActiveMQ service') unless magic == 'ActiveMQ' - return CheckCode::Detected unless res =~ /ProviderVersion...(\d+\.\d+\.\d+)/ + return CheckCode::Detected('ActiveMQ detected but version could not be determined') unless res =~ /ProviderVersion...(\d+\.\d+\.\d+)/ version = Rex::Version.new(::Regexp.last_match(1)) @@ -114,7 +114,7 @@ def check Exploit::CheckCode::Safe("Apache ActiveMQ #{version}") rescue ::Timeout::Error - CheckCode::Unknown + CheckCode::Unknown('Could not determine vulnerability status') end def exploit diff --git a/modules/exploits/multi/misc/arkeia_agent_exec.rb b/modules/exploits/multi/misc/arkeia_agent_exec.rb index 2afaddbaaf078..5b54ce2c6d4aa 100644 --- a/modules/exploits/multi/misc/arkeia_agent_exec.rb +++ b/modules/exploits/multi/misc/arkeia_agent_exec.rb 
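Review bot: The first early return, `return CheckCode::Unknown('Invalid or unexpected response length') if len.nil? || len > 0x2000`, runs before `disconnect`, so that path leaves the socket open until whatever cleanup happens later. It also folds two different findings into one message: `len.nil?` means nothing was read, while `len > 0x2000` means the service sent a length prefix that does not look like ActiveMQ. Splitting them, starting with `return CheckCode::Unknown('No response received from target') if len.nil?`, would match the more specific messages used a few lines below. The opening of `check` is outside the hunk.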
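Review bot: The message on the `rescue ::Timeout::Error` path, 'Could not determine vulnerability status', hides the one thing this branch knows, which is that a read timed out. `CheckCode::Unknown('Timed out waiting for a response from the target')` gives the reader of the check output something to act on. The version comparison between the two hunks of this file is not visible here.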
@@ -106,14 +106,14 @@ def check header = sock.get_once(6) unless header && header.length == 6 && header[0, 4] == "\x00\x60\x00\x04" disconnect - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Unexpected response from Arkeia agent') end data_length = sock.get_once(2) unless data_length && data_length.length == 2 disconnect - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') end data_length = data_length.unpack('n')[0] @@ -121,7 +121,7 @@ def check data = sock.get_once(data_length) unless data && data.length == data_length disconnect - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') end req = "\x00\x73" @@ -133,14 +133,14 @@ def check header = sock.get_once(6) unless header && header.length == 6 && header[0, 4] == "\x00\x60\x00\x04" disconnect - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') end data_length = sock.get_once(2) unless data_length && data_length.length == 2 disconnect - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') end data_length = data_length.unpack('n')[0] @@ -148,7 +148,7 @@ def check data = sock.get_once(data_length) unless data && data.length == data_length disconnect - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') end req = "\x00\x61\x00\x04\x00\x01\x00\x11\x00\x00\x31\x00" 
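Review bot: After the first branch, every failed header, length or payload comparison in arkeia_agent_exec.rb returns `Exploit::CheckCode::Unknown('Connection failed')`, although these branches fire when the agent answered with bytes the module did not expect, not when the connection failed. The first branch already uses the accurate 'Unexpected response from Arkeia agent'; the others, including `unless data_length == 0` and the `data.include?('You have successfully retrieved client information')` test in the later hunks of this file, should say the same or name the step, e.g. `Exploit::CheckCode::Unknown('Unexpected response to ARKADMIN_GET_CLIENT_INFO')`. Because the read-header, read-length, read-payload sequence is repeated for each packet, a small private helper that returns the payload or nil would let the message be written once.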
@@ -160,21 +160,21 @@ def check unless header && header.length == 6 && header[0, 4] == "\x00\x43\x00\x00" disconnect - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') end data_length = sock.get_once(2) unless data_length && data_length.length == 2 disconnect - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') end data_length = data_length.unpack('n')[0] unless data_length == 0 disconnect - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') end # ARKADMIN_GET_CLIENT_INFO @@ -190,20 +190,20 @@ def check header = sock.get_once(6) unless header && header.length == 6 && header[0, 4] == "\x00\x43\x00\x00" disconnect - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') end data_length = sock.get_once(2) unless data_length && data_length.length == 2 disconnect - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') end data_length = data_length.unpack('n')[0] unless data_length == 0 disconnect - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') end req = "\x00\x63\x00\x04\x00\x00\x00\x12\x30\x00\x31\x00\x32\x38" @@ -216,14 +216,14 @@ def check header = sock.get_once(6) unless header && header.length == 6 && header[0, 4] == "\x00\x63\x00\x04" disconnect - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') end data_length = sock.get_once(2) unless data_length && data_length.length == 2 disconnect - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') end data_length = data_length.unpack('n')[0] @@ -231,7 +231,7 @@ def check data = sock.get_once(data_length) unless data && data.length == data_length disconnect - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') end # 2nd packet 
@@ -239,14 +239,14 @@ def check header = sock.get_once(6) unless header && header.length == 6 && header[0, 4] == "\x00\x68\x00\x04" disconnect - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') end data_length = sock.get_once(2) unless data_length && data_length.length == 2 disconnect - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') end data_length = data_length.unpack('n')[0] @@ -254,7 +254,7 @@ def check data = sock.get_once(data_length) unless data && data.length == data_length disconnect - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') end # 3rd packet @@ -262,14 +262,14 @@ def check header = sock.get_once(6) unless header && header.length == 6 && header[0, 4] == "\x00\x65\x00\x04" disconnect - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') end data_length = sock.get_once(2) unless data_length && data_length.length == 2 disconnect - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') end data_length = data_length.unpack('n')[0] @@ -277,7 +277,7 @@ def check data = sock.get_once(data_length) unless data && data.length == data_length && data.include?('You have successfully retrieved client information') disconnect - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') end # 4th packet @@ -285,14 +285,14 @@ def check header = sock.get_once(6) unless header && header.length == 6 && header[0, 4] == "\x00\x69\x00\x04" disconnect - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') end data_length = sock.get_once(2) unless data_length && data_length.length == 2 disconnect - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') end data_length = data_length.unpack('n')[0] 
@@ -300,20 +300,20 @@ def check data = sock.get_once(data_length) unless data && data.length == data_length disconnect - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') end if data =~ /VERSION.*WD Arkeia ([0-9]+\.[0-9]+\.[0-9]+)/ version = $1 vprint_status("#{rhost}:#{rport} - Arkeia version detected: #{version}") if Rex::Version.new(version) <= Rex::Version.new('11.0.12') - return Exploit::CheckCode::Appears + return Exploit::CheckCode::Appears("Arkeia version #{version} is vulnerable") else - return Exploit::CheckCode::Safe + return Exploit::CheckCode::Safe("Arkeia version #{version} is not vulnerable") end else vprint_status("#{rhost}:#{rport} - Arkeia version not detected") - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Could not determine the version') end end diff --git a/modules/exploits/multi/misc/bmc_server_automation_rscd_nsh_rce.rb b/modules/exploits/multi/misc/bmc_server_automation_rscd_nsh_rce.rb index 1151710e4c2cf..ca51d1ec70bd3 100644 --- a/modules/exploits/multi/misc/bmc_server_automation_rscd_nsh_rce.rb +++ b/modules/exploits/multi/misc/bmc_server_automation_rscd_nsh_rce.rb @@ -88,7 +88,7 @@ def check # Check for successful platform detection if res[0] == 1 vprint_good('BMC RSCD agent detected, platform appears to be ' + res[1]) - return CheckCode::Detected + return CheckCode::Detected('BMC RSCD agent detected') end # Get first four bytes of the packet which should hold the content length 
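Review bot: `Exploit::CheckCode::Appears("Arkeia version #{version} is vulnerable")` asserts more than the code establishes, since the branch rests only on the banner version comparing `<= 11.0.12`. Stating the evidence instead, `"Arkeia version #{version} is in the affected range (<= 11.0.12)"`, keeps the text consistent with the `Appears` code. The same applies to the 'is vulnerable' messages returned with `Appears` in calibre_exec.rb and hp_data_protector_exec_integutil.rb. As a style point, `$1` here could become `Regexp.last_match(1)`, which apache_activemq_rce_cve_2023_46604.rb in this commit already uses.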
@@ -99,13 +99,13 @@ def check vprint_warning('Target appears to be BMC, however an unexpected ' \ 'agentinfo response was returned.') vprint_warning('Response: ' + res[1]) - return CheckCode::Unknown + return CheckCode::Unknown('Could not determine the target state') end # Invalid response, probably not a BMC RSCD target vprint_error('The target does not appear to be a BMC RSCD agent.') vprint_error('Response: ' + res[1]) if res[1] - CheckCode::Safe + CheckCode::Safe('The target is not vulnerable') end def exploit diff --git a/modules/exploits/multi/misc/calibre_exec.rb b/modules/exploits/multi/misc/calibre_exec.rb index a2ff37ab472ae..1836eecd59efe 100644 --- a/modules/exploits/multi/misc/calibre_exec.rb +++ b/modules/exploits/multi/misc/calibre_exec.rb 
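Review bot: `CheckCode::Safe('The target is not vulnerable')` at the end of `check` says less than the `vprint_error` two lines above it, which reports that the target does not appear to be a BMC RSCD agent. Returning `CheckCode::Safe('The target does not appear to be a BMC RSCD agent')` tells the reader why the host was cleared. The same placeholder text is used where a more specific reason is visible in consul_rexec_exec.rb, consul_service_exec.rb, freeswitch_event_socket_cmd_exec.rb, java_jdwp_debugger.rb, java_jmx_server.rb, legend_bot_exec.rb and nomad_exec.rb. Likewise `CheckCode::Unknown('Could not determine the target state')` could carry the 'unexpected agentinfo response' reason printed just before it.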
@@ -76,28 +76,29 @@ def check 'uri' => normalize_uri(target_uri.path) }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError - return CheckCode::Unknown + return CheckCode::Unknown('Connection failed') end if res && res.code == 200 data = res.body.to_s pattern = /CALIBRE_VERSION\s*=\s*"([^"]+)"/ - version = data.match(pattern) + match = data.match(pattern) - if version[1].nil? - return CheckCode::Unknown - else - vprint_status('Version retrieved: ' + version[1].to_s) + unless match + return CheckCode::Unknown('Could not determine the Calibre version') end - if Rex::Version.new(version[1]).between?(Rex::Version.new('6.9.0'), Rex::Version.new('7.15.0')) - return CheckCode::Appears + version = match[1] + vprint_status("Version retrieved: #{version}") + + if Rex::Version.new(version).between?(Rex::Version.new('6.9.0'), Rex::Version.new('7.15.0')) + return CheckCode::Appears("Calibre version #{version} is vulnerable") else - return CheckCode::Safe + return CheckCode::Safe("Calibre version #{version} is not vulnerable") end else - return CheckCode::Unknown + return CheckCode::Unknown(res ? "Unexpected HTTP status code: #{res.code}" : 'No response received from target') end end diff --git a/modules/exploits/multi/misc/claymore_dual_miner_remote_manager_rce.rb b/modules/exploits/multi/misc/claymore_dual_miner_remote_manager_rce.rb index d2f4eafb8ea17..5bbfa4a770a5a 100644 --- a/modules/exploits/multi/misc/claymore_dual_miner_remote_manager_rce.rb +++ b/modules/exploits/multi/misc/claymore_dual_miner_remote_manager_rce.rb @@ -93,7 +93,7 @@ def select_target def check target = select_target if target.nil? - return Exploit::CheckCode::Safe + return Exploit::CheckCode::Safe('Unable to detect Claymore Dual Miner') end data = { 
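Review bot: In claymore_dual_miner_remote_manager_rce.rb, `Exploit::CheckCode::Safe('Unable to detect Claymore Dual Miner')` pairs a message about a failed detection with the Safe code. If `select_target` returns nil when fingerprinting is inconclusive (its body is outside the hunk), `Exploit::CheckCode::Unknown('Unable to detect Claymore Dual Miner')` would be the accurate result. That would also be in line with the Safe-to-Unknown change this commit makes for unexpected replies in consul_service_exec.rb and nomad_exec.rb.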
@@ -117,13 +117,13 @@ def check end str = Rex::Text.hex_to_raw(hex) if str.include?('WARNING') - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Vulnerable('Response contains WARNING marker indicating command execution') else - return Exploit::CheckCode::Detected + return Exploit::CheckCode::Detected('The target service was detected') end rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e vprint_error(e.message) - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') ensure disconnect end diff --git a/modules/exploits/multi/misc/consul_rexec_exec.rb b/modules/exploits/multi/misc/consul_rexec_exec.rb index c77d5c300af11..a2369935e91f3 100644 --- a/modules/exploits/multi/misc/consul_rexec_exec.rb +++ b/modules/exploits/multi/misc/consul_rexec_exec.rb @@ -64,18 +64,18 @@ def check }) unless res vprint_error 'Connection failed' - return CheckCode::Unknown + return CheckCode::Unknown('Connection failed') end begin agent_info = JSON.parse(res.body) if agent_info["Config"]["DisableRemoteExec"] == false || agent_info["DebugConfig"]["DisableRemoteExec"] == false - return CheckCode::Vulnerable + return CheckCode::Vulnerable('DisableRemoteExec is false') else - return CheckCode::Safe + return CheckCode::Safe('The target is not vulnerable') end rescue JSON::ParserError vprint_error 'Failed to parse JSON output.' - return CheckCode::Unknown + return CheckCode::Unknown('Failed to parse response') end end diff --git a/modules/exploits/multi/misc/consul_service_exec.rb b/modules/exploits/multi/misc/consul_service_exec.rb index 8d253f1301fed..78a5862aa0d84 100644 --- a/modules/exploits/multi/misc/consul_service_exec.rb +++ b/modules/exploits/multi/misc/consul_service_exec.rb 
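Review bot: In consul_rexec_exec.rb the lookups `agent_info["Config"]["DisableRemoteExec"]` and `agent_info["DebugConfig"]["DisableRemoteExec"]` raise NoMethodError when either top-level key is absent, and only `JSON::ParserError` is rescued, so a well-formed JSON body of another shape aborts `check` instead of returning a CheckCode. Writing the condition as `agent_info.dig('Config', 'DisableRemoteExec') == false || agent_info.dig('DebugConfig', 'DisableRemoteExec') == false` keeps the result defined. This hunk also never tests `res.code`, unlike the consul_service_exec.rb hunk. The chained lookups in consul_service_exec.rb and nomad_exec.rb have the same weakness.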
@@ -79,24 +79,24 @@ def check unless res vprint_error 'Connection failed' - return CheckCode::Unknown + return CheckCode::Unknown('Connection failed') end unless res.code == 200 vprint_error 'Unexpected reply' - return CheckCode::Safe + return CheckCode::Unknown('Unexpected HTTP reply') end agent_info = JSON.parse(res.body) if agent_info['Config']['EnableScriptChecks'] == true || agent_info['DebugConfig']['EnableScriptChecks'] == true || agent_info['DebugConfig']['EnableRemoteScriptChecks'] == true - return CheckCode::Vulnerable + return CheckCode::Vulnerable('EnableScriptChecks or EnableRemoteScriptChecks is true') end - CheckCode::Safe + CheckCode::Safe('The target is not vulnerable') rescue JSON::ParserError vprint_error 'Failed to parse JSON output.' - return CheckCode::Unknown + return CheckCode::Unknown('Failed to parse response') end def execute_command(cmd, _opts = {}) diff --git a/modules/exploits/multi/misc/freeswitch_event_socket_cmd_exec.rb b/modules/exploits/multi/misc/freeswitch_event_socket_cmd_exec.rb index 2b7728f07d5f8..6c6af089c6fb3 100644 --- a/modules/exploits/multi/misc/freeswitch_event_socket_cmd_exec.rb +++ b/modules/exploits/multi/misc/freeswitch_event_socket_cmd_exec.rb @@ -108,14 +108,14 @@ def check if banner.include?('Access Denied, go away.') || banner.include?('text/rude-rejection') vprint_error 'Access denied by network ACL' - return CheckCode::Safe + return CheckCode::Safe('Access denied by network ACL') end unless banner.include?('Content-Type: auth/request') - return CheckCode::Safe + return CheckCode::Safe('The target is not vulnerable') end - CheckCode::Appears + CheckCode::Appears('FreeSWITCH Event Socket responded to auth request') end def auth(password) diff --git a/modules/exploits/multi/misc/hp_data_protector_exec_integutil.rb b/modules/exploits/multi/misc/hp_data_protector_exec_integutil.rb index 079c23d57cdf0..0ca681b9964e6 100644 --- a/modules/exploits/multi/misc/hp_data_protector_exec_integutil.rb 
+++ b/modules/exploits/multi/misc/hp_data_protector_exec_integutil.rb @@ -88,7 +88,7 @@ def check fingerprint = get_fingerprint if fingerprint.nil? - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Unable to fingerprint target') end if fingerprint =~ /Data Protector A\.(\d+\.\d+)/ @@ -96,16 +96,16 @@ def check vprint_status("Windows / HP Data Protector version #{version} found") elsif fingerprint =~ / INET/ vprint_status("Linux / HP Data Protector found") - return Exploit::CheckCode::Detected + return Exploit::CheckCode::Detected('The target service was detected') else - return Exploit::CheckCode::Safe + return Exploit::CheckCode::Safe('The target does not appear to be HP Data Protector') end if Rex::Version.new(version) <= Rex::Version.new('9') - return Exploit::CheckCode::Appears + return Exploit::CheckCode::Appears("HP Data Protector version #{version} is vulnerable") end - Exploit::CheckCode::Detected # there is no patch at the time of module writing + Exploit::CheckCode::Detected('There is no patch at the time of module writing') end def exploit diff --git a/modules/exploits/multi/misc/indesign_server_soap.rb b/modules/exploits/multi/misc/indesign_server_soap.rb index 6fb247d3243a9..f9408c1c847a1 100644 --- a/modules/exploits/multi/misc/indesign_server_soap.rb +++ b/modules/exploits/multi/misc/indesign_server_soap.rb @@ -92,9 +92,9 @@ def check res = send_soap_request(checkscript, 'javascript') - return Exploit::CheckCode::Vulnerable if res.body.include?('' + check_var + '') + return Exploit::CheckCode::Vulnerable('InDesign Server executed the test script successfully') if res.body.include?('' + check_var + '') - return Exploit::CheckCode::Safe + return Exploit::CheckCode::Safe('InDesign Server SOAP endpoint did not return expected response') end def exploit diff --git a/modules/exploits/multi/misc/java_jdwp_debugger.rb b/modules/exploits/multi/misc/java_jdwp_debugger.rb index 78887a89da7a1..ef09f4fbe5921 100644 
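Review bot: The last line of `check` in hp_data_protector_exec_integutil.rb returns `Exploit::CheckCode::Detected('There is no patch at the time of module writing')`, which reads as a remark about the vendor and omits what was actually detected. The path is reached when the parsed version is above 9, so `Exploit::CheckCode::Detected("HP Data Protector version #{version} detected; no patch existed when this module was written")` would be clearer. In the Linux branch, 'The target service was detected' could likewise reuse the 'Linux / HP Data Protector found' text from the `vprint_status` beside it.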
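Review bot: In indesign_server_soap.rb, `res.body.include?(...)` is called without checking `res` first; if `send_soap_request` can return nil on a timeout (its body is not in the hunk), `check` raises instead of returning a CheckCode. A guard such as `return Exploit::CheckCode::Unknown('No response received from target') unless res` before the comparison would match the nil handling this commit adds in msfd_rce_remote.rb and nodejs_v8_debugger.rb.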
--- a/modules/exploits/multi/misc/java_jdwp_debugger.rb +++ b/modules/exploits/multi/misc/java_jdwp_debugger.rb @@ -127,12 +127,12 @@ def check disconnect if res.nil? - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('JDWP handshake returned nil') elsif res == HANDSHAKE - return Exploit::CheckCode::Appears + return Exploit::CheckCode::Appears('JDWP handshake successful') end - Exploit::CheckCode::Safe + Exploit::CheckCode::Safe('The target is not vulnerable') end def default_timeout diff --git a/modules/exploits/multi/misc/java_jmx_server.rb b/modules/exploits/multi/misc/java_jmx_server.rb index 69245a47972ae..4772820215a77 100644 --- a/modules/exploits/multi/misc/java_jmx_server.rb +++ b/modules/exploits/multi/misc/java_jmx_server.rb @@ -114,27 +114,28 @@ def check connect unless is_rmi? - return Exploit::CheckCode::Safe + return Exploit::CheckCode::Safe('Target is not an RMI endpoint') end mbean_server = discover_endpoint disconnect if mbean_server.nil? - return Exploit::CheckCode::Safe + return Exploit::CheckCode::Safe('The target is not vulnerable') end connect(true, { 'RHOST' => mbean_server[:address], 'RPORT' => mbean_server[:port] }) unless is_rmi? - return Exploit::CheckCode::Unknown + disconnect + return Exploit::CheckCode::Unknown('RMI endpoint not found on discovered MBean server') end jmx_endpoint = handshake(mbean_server) disconnect if jmx_endpoint.nil? - return Exploit::CheckCode::Detected + return Exploit::CheckCode::Detected('The target service was detected') end - Exploit::CheckCode::Appears + Exploit::CheckCode::Appears('JMX endpoint discovered on target') end def exploit diff --git a/modules/exploits/multi/misc/jboss_remoting_unified_invoker_rce.rb b/modules/exploits/multi/misc/jboss_remoting_unified_invoker_rce.rb index fa23421e8311d..d7c614515f9e3 100644 --- a/modules/exploits/multi/misc/jboss_remoting_unified_invoker_rce.rb +++ b/modules/exploits/multi/misc/jboss_remoting_unified_invoker_rce.rb 
@@ -82,12 +82,12 @@ def check sock.put(handshake_data) data = sock.get_once(16) disconnect - return Exploit::CheckCode::Appears if data == handshake_data + return Exploit::CheckCode::Appears('Target responded with Java serialization handshake') if data == handshake_data - return Exploit::CheckCode::Safe + return Exploit::CheckCode::Safe('Target did not respond with expected Java serialization handshake') rescue Rex::ConnectionError, Errno::ECONNRESET, ::EOFError => e print_error("Error to connect #{rhost}:#{rport} : '#{e.class}' '#{e}'") - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection error') end # def exploit diff --git a/modules/exploits/multi/misc/legend_bot_exec.rb b/modules/exploits/multi/misc/legend_bot_exec.rb index d693d6d57bc6a..df4bca9dd8661 100644 --- a/modules/exploits/multi/misc/legend_bot_exec.rb +++ b/modules/exploits/multi/misc/legend_bot_exec.rb @@ -78,22 +78,22 @@ def check res = register(sock) if res =~ /463/ || res =~ /464/ vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection to the IRC server not allowed') end res = join(sock) - if !res =~ /353/ && !res =~ /366/ + if res !~ /353/ && res !~ /366/ vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel") - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') end quit(sock) disconnect if res =~ /auth/ && res =~ /logged in/ - Exploit::CheckCode::Vulnerable + Exploit::CheckCode::Vulnerable('Bot responded with auth and logged in confirmation') else - Exploit::CheckCode::Safe + Exploit::CheckCode::Safe('The target is not vulnerable') end end 
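Review bot: In legend_bot_exec.rb the join-failure branch now fires as intended after `!res =~ /353/` became `res !~ /353/`, but it returns `Exploit::CheckCode::Unknown('Connection failed')` without the `quit(sock)` and `disconnect` that the success path runs a few lines later. The message is also off, since the `vprint_error` above it reports an error joining the channel; `Exploit::CheckCode::Unknown("Could not join the #{datastore['CHANNEL']} channel")` preceded by `disconnect` would fit. The 463/464 return earlier in the hunk skips `disconnect` in the same way. The same operator fix in `exploit` (next hunk of this file) makes its early `return` live as well.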
@@ -161,7 +161,7 @@ def exploit print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...") res = join(sock) - if !res =~ /353/ && !res =~ /366/ + if res !~ /353/ && res !~ /366/ print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel") return end diff --git a/modules/exploits/multi/misc/msfd_rce_remote.rb b/modules/exploits/multi/misc/msfd_rce_remote.rb index 0dfd596f6b3a1..6ad252a7edb75 100644 --- a/modules/exploits/multi/misc/msfd_rce_remote.rb +++ b/modules/exploits/multi/misc/msfd_rce_remote.rb @@ -57,12 +57,16 @@ def initialize(info = {}) def check connect data = sock.get_once + if data.nil? + disconnect + return Exploit::CheckCode::Unknown('No response received from target') + end if data.include?("msf") disconnect - return Exploit::CheckCode::Appears + return Exploit::CheckCode::Appears('Target appears to be running msfd') end disconnect - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('msfd service not detected') end def exploit diff --git a/modules/exploits/multi/misc/nodejs_v8_debugger.rb b/modules/exploits/multi/misc/nodejs_v8_debugger.rb index ebfa77db2818e..b878751c2c7f6 100644 --- a/modules/exploits/multi/misc/nodejs_v8_debugger.rb +++ b/modules/exploits/multi/misc/nodejs_v8_debugger.rb @@ -69,12 +69,14 @@ def check res = sock.get_once disconnect + return Exploit::CheckCode::Unknown('V8 debugger protocol not detected') unless res + if res.include? "V8-Version" and res.include? "Protocol-Version: 1" vprint_status("Got debugger handshake:\n#{res}") - return Exploit::CheckCode::Appears + return Exploit::CheckCode::Appears('Node.js V8 debugger protocol detected') end - Exploit::CheckCode::Unknown + Exploit::CheckCode::Unknown('V8 debugger protocol not detected') end def exploit diff --git a/modules/exploits/multi/misc/nomad_exec.rb b/modules/exploits/multi/misc/nomad_exec.rb index fb763ff1cbea3..6d4182e68cb8f 100644 --- a/modules/exploits/multi/misc/nomad_exec.rb 
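Review bot: In the msfd_rce_remote.rb hunk, `disconnect` is now written on three separate paths. Calling it once directly after `data = sock.get_once` lets every branch be a single return, for example `disconnect` followed by `return Exploit::CheckCode::Unknown('No response received from target') if data.nil?`. The `data.include?("msf")` test is a loose substring match, so a short comment stating which banner text it is meant to recognise would help the next reader judge the `Appears` result.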
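Review bot: In the nodejs_v8_debugger.rb hunk, a missing reply and a reply without the expected headers both return 'V8 debugger protocol not detected', so the message cannot tell an operator which case occurred. The new guard would be clearer as `return Exploit::CheckCode::Unknown('No response received from target') unless res`, matching the wording used for msfd_rce_remote.rb in this commit. The start of `check` is outside the hunk.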
+++ b/modules/exploits/multi/misc/nomad_exec.rb @@ -81,12 +81,12 @@ def check unless res vprint_error 'Connection failed' - return CheckCode::Unknown + return CheckCode::Unknown('Connection failed') end unless res.code == 200 vprint_error 'Unexpected reply' - return CheckCode::Safe + return CheckCode::Unknown('Unexpected HTTP reply') end agent_info = JSON.parse(res.body) @@ -94,26 +94,26 @@ def check if agent_info['config']['Plugins'] agent_info['config']['Plugins'].each do |plugin| if plugin['Name'] == 'raw_exec' && plugin['Config']['enabled'] == true - return CheckCode::Vulnerable + return CheckCode::Vulnerable('raw_exec plugin is enabled') end end end if agent_info['config']['Client']['Options']['driver.raw_exec.enable'] == 'true' || agent_info['config']['Client']['Options']['driver.raw_exec.enable'] == '1' - return CheckCode::Vulnerable + return CheckCode::Vulnerable('driver.raw_exec.enable is set to true') end if datastore['JOB_TYPE'] == 'raw_exec' && agent_info['config']['Client']['DisableRemoteExec'] == false print_status 'raw_exec doesn\'t appear to be supported. Try setting JOB_TYPE to exec instead.' - return CheckCode::Appears + return CheckCode::Appears('DisableRemoteExec is false but raw_exec may not be supported') elsif datastore['JOB_TYPE'] == 'exec' && agent_info['config']['Client']['DisableRemoteExec'] == false - return CheckCode::Vulnerable + return CheckCode::Vulnerable('DisableRemoteExec is false and exec driver is available') end - CheckCode::Safe + CheckCode::Safe('The target is not vulnerable') rescue JSON::ParserError vprint_error 'Failed to parse JSON output.' - return CheckCode::Unknown + return CheckCode::Unknown('Failed to parse response') end def execute_command(cmd, _opts = {}) diff --git a/modules/exploits/multi/misc/openview_omniback_exec.rb b/modules/exploits/multi/misc/openview_omniback_exec.rb index 6d42941eb758f..f8eb2604f6f1d 100644 --- a/modules/exploits/multi/misc/openview_omniback_exec.rb 
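Review bot: In the second nomad_exec.rb hunk, the chained lookups `agent_info['config']['Client']['Options']['driver.raw_exec.enable']` and `plugin['Config']['enabled']` raise NoMethodError when an intermediate key is absent, and the only rescue visible is for `JSON::ParserError`. A reply with a different shape would therefore abort `check` instead of producing a CheckCode. Reading the value once with `raw_exec = agent_info.dig('config', 'Client', 'Options', 'driver.raw_exec.enable')` and testing `%w[true 1].include?(raw_exec)` handles missing keys, and the `DisableRemoteExec` lookups can use `dig` the same way. The method begins in the previous hunk, so other guards may exist outside this view.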
+++ b/modules/exploits/multi/misc/openview_omniback_exec.rb @@ -88,15 +88,15 @@ def check if !(res and res.length > 0) vprint_status("The remote service did not reply to our request") - return Exploit::CheckCode::Safe + return Exploit::CheckCode::Unknown('Target did not reply to our request') end if (res =~ /passwd|group|resolv/) vprint_status("The remote service is exploitable") - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Vulnerable('Response contains Unix path markers (passwd, group, or resolv)') end - return Exploit::CheckCode::Safe + return Exploit::CheckCode::Safe('The target is not vulnerable') end if (target.name =~ /Windows/) @@ -123,15 +123,15 @@ def check if !(res and res.length > 0) print_status("The remote service did not reply to our request") - return Exploit::CheckCode::Safe + return Exploit::CheckCode::Unknown('No reply received from target') end if (res =~ /V.o.l.u.m.e/) # Unicode print_status("The remote service is exploitable") - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Vulnerable('Received expected V.o.l.u.m.e marker response') end - return Exploit::CheckCode::Safe + return Exploit::CheckCode::Safe('The target is not vulnerable') end end diff --git a/modules/exploits/multi/misc/osgi_console_exec.rb b/modules/exploits/multi/misc/osgi_console_exec.rb index 2a8f50094f61a..f74eb5665e92d 100644 --- a/modules/exploits/multi/misc/osgi_console_exec.rb +++ b/modules/exploits/multi/misc/osgi_console_exec.rb @@ -64,10 +64,10 @@ def check end disconnect if res && res == 'osgi> ' - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Vulnerable('OSGi console prompt detected') end - Exploit::CheckCode::Safe + Exploit::CheckCode::Safe('The target is not vulnerable') end def exploit diff --git a/modules/exploits/multi/misc/pbot_exec.rb b/modules/exploits/multi/misc/pbot_exec.rb index 7fc6f9eb0dc5e..f9ed242ba8fce 100644 --- a/modules/exploits/multi/misc/pbot_exec.rb 
+++ b/modules/exploits/multi/misc/pbot_exec.rb @@ -79,22 +79,22 @@ def check response = register(sock) if response =~ /463/ or response =~ /464/ vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection to the IRC server not allowed') end response = join(sock) if not response =~ /353/ and not response =~ /366/ vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel") - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') end response = pbot_login(sock) quit(sock) disconnect if response =~ /auth/ and response =~ /logged in/ - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Vulnerable('Bot responded with auth and logged in confirmation') else - return Exploit::CheckCode::Safe + return Exploit::CheckCode::Safe('The target is not vulnerable') end end diff --git a/modules/exploits/multi/misc/persistent_hpca_radexec_exec.rb b/modules/exploits/multi/misc/persistent_hpca_radexec_exec.rb index c1ba2f340c89e..4693102115c07 100644 --- a/modules/exploits/multi/misc/persistent_hpca_radexec_exec.rb +++ b/modules/exploits/multi/misc/persistent_hpca_radexec_exec.rb @@ -93,10 +93,10 @@ def check disconnect if res && res.unpack('C')[0] == 0 - return Exploit::CheckCode::Detected + return Exploit::CheckCode::Detected('HPCA Radexec service detected') end - Exploit::CheckCode::Safe + Exploit::CheckCode::Safe('The target is not vulnerable') end def exploit diff --git a/modules/exploits/multi/misc/ra1nx_pubcall_exec.rb b/modules/exploits/multi/misc/ra1nx_pubcall_exec.rb index 969644a36ee7d..c5b8eaf219102 100644 --- a/modules/exploits/multi/misc/ra1nx_pubcall_exec.rb +++ b/modules/exploits/multi/misc/ra1nx_pubcall_exec.rb 
@@ -94,7 +94,7 @@ def check response = register(sock) if response =~ /463/ or response =~ /464/ vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection to the IRC server not allowed') end confirm_string = rand_text_alpha(8) @@ -104,9 +104,9 @@ def check disconnect if response =~ /#{confirm_string}/ - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Vulnerable('Bot echoed back confirmation string via PRIVMSG') else - return Exploit::CheckCode::Safe + return Exploit::CheckCode::Safe('The target is not vulnerable') end end diff --git a/modules/exploits/multi/misc/teamcity_agent_xmlrpc_exec.rb b/modules/exploits/multi/misc/teamcity_agent_xmlrpc_exec.rb index ce97c1118c066..e0c9dc9dec969 100644 --- a/modules/exploits/multi/misc/teamcity_agent_xmlrpc_exec.rb +++ b/modules/exploits/multi/misc/teamcity_agent_xmlrpc_exec.rb @@ -56,9 +56,9 @@ def initialize(info = {}) def check version = determine_version if !version.nil? && version >= 15772 - Exploit::CheckCode::Appears + Exploit::CheckCode::Appears("TeamCity agent version #{version} appears vulnerable") else - Exploit::CheckCode::Safe + Exploit::CheckCode::Safe("TeamCity agent does not appear vulnerable") end end diff --git a/modules/exploits/multi/misc/veritas_netbackup_cmdexec.rb b/modules/exploits/multi/misc/veritas_netbackup_cmdexec.rb index 41ce1c5a01460..87488fcf8c71d 100644 --- a/modules/exploits/multi/misc/veritas_netbackup_cmdexec.rb +++ b/modules/exploits/multi/misc/veritas_netbackup_cmdexec.rb @@ -66,10 +66,10 @@ def check disconnect if banner.to_s.index(sploit) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Vulnerable('Target executed the echo command successfully') end - return Exploit::CheckCode::Safe + return Exploit::CheckCode::Safe('The target is not vulnerable') end def exploit 
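Review bot: In the teamcity_agent_xmlrpc_exec.rb hunk, a nil `version` falls into the `else` branch and is reported as `Safe("TeamCity agent does not appear vulnerable")`, although nothing was learned about the agent. A guard ahead of the comparison separates the cases: `return Exploit::CheckCode::Unknown('Could not determine TeamCity agent version') if version.nil?`. How `determine_version` fails is outside the hunk, so this assumes nil means the version could not be read. The Safe message could then include the build number, as the Appears message already does.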
diff --git a/modules/exploits/multi/misc/w3tw0rk_exec.rb b/modules/exploits/multi/misc/w3tw0rk_exec.rb index f375fbcd97648..6615a1b109c40 100644 --- a/modules/exploits/multi/misc/w3tw0rk_exec.rb +++ b/modules/exploits/multi/misc/w3tw0rk_exec.rb @@ -68,22 +68,22 @@ def check res = register(sock) if res =~ /463/ || res =~ /464/ vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection to the IRC server not allowed') end res = join(sock) - if !res =~ /353/ && !res =~ /366/ + if res !~ /353/ && res !~ /366/ vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel") - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') end quit(sock) disconnect if res =~ /auth/ && res =~ /logged in/ - Exploit::CheckCode::Vulnerable + Exploit::CheckCode::Vulnerable('Bot responded with auth and logged in confirmation') else - Exploit::CheckCode::Safe + Exploit::CheckCode::Safe('The target is not vulnerable') end end @@ -151,7 +151,7 @@ def exploit print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...") res = join(sock) - if !res =~ /353/ && !res =~ /366/ + if res !~ /353/ && res !~ /366/ print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel") return end diff --git a/modules/exploits/multi/misc/weblogic_deserialize.rb b/modules/exploits/multi/misc/weblogic_deserialize.rb index 0a5409b789d87..606ecb53200e2 100644 --- a/modules/exploits/multi/misc/weblogic_deserialize.rb +++ b/modules/exploits/multi/misc/weblogic_deserialize.rb @@ -71,7 +71,7 @@ def check res = sock.get_once disconnect - return CheckCode::Unknown unless res + return CheckCode::Unknown('No response received from target') unless res /WebLogic Server Version: (?\d+\.\d+\.\d+\.*\d*)/ =~ res if version 
@@ -80,19 +80,19 @@ def check case when version.to_s.start_with?('10.3') - return CheckCode::Appears unless version > Rex::Version.new('10.3.6.0') + return CheckCode::Appears("WebLogic version #{version} appears vulnerable") unless version > Rex::Version.new('10.3.6.0') when version.to_s.start_with?('12.1') - return CheckCode::Appears unless version > Rex::Version.new('12.1.3.0') + return CheckCode::Appears("WebLogic version #{version} appears vulnerable") unless version > Rex::Version.new('12.1.3.0') when version.to_s.start_with?('12.2') - return CheckCode::Appears unless version > Rex::Version.new('12.2.1.3') + return CheckCode::Appears("WebLogic version #{version} appears vulnerable") unless version > Rex::Version.new('12.2.1.3') end end if res.include?('Oracle WebLogic Server Administration Console') - return CheckCode::Detected + return CheckCode::Detected('Oracle WebLogic Server Administration Console detected') end - CheckCode::Unknown + CheckCode::Unknown('Target does not appear to be Oracle WebLogic Server') end def gen_resp diff --git a/modules/exploits/multi/misc/weblogic_deserialize_asyncresponseservice.rb b/modules/exploits/multi/misc/weblogic_deserialize_asyncresponseservice.rb index 7690719e27062..dbdb112bab8ca 100644 --- a/modules/exploits/multi/misc/weblogic_deserialize_asyncresponseservice.rb +++ b/modules/exploits/multi/misc/weblogic_deserialize_asyncresponseservice.rb 
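Review bot: In the second weblogic_deserialize.rb hunk, a parsed version above the listed thresholds falls through the `case` and can end at `Unknown('Target does not appear to be Oracle WebLogic Server')`, which contradicts the version banner having just matched. Rewording the final return to something like `CheckCode::Unknown('Unable to determine whether the target is vulnerable')` avoids the contradiction. Alternatively, the `if version` block could end with `return CheckCode::Safe("WebLogic version #{version} is not vulnerable")`, as the sibling modules in this patch phrase it. The `if version` line opens in the previous hunk, so the fall-through is inferred from the visible `end end`.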
@@ -97,17 +97,17 @@ def check if res && res.code == 500 && res.body.include?('env:Client') vprint_status("The target returned a vulnerable HTTP code: /#{res.code}") vprint_status("The target returned a vulnerable HTTP error: /#{res.body.split("\n")[0]}") - Exploit::CheckCode::Vulnerable + Exploit::CheckCode::Vulnerable('Target returned a vulnerable SOAP fault response') elsif res && res.code != 202 vprint_status('The target returned a non-vulnerable HTTP code') - Exploit::CheckCode::Safe + Exploit::CheckCode::Safe('Target returned a non-vulnerable HTTP response') elsif res.nil? vprint_status('The target did not respond in an expected way') - Exploit::CheckCode::Unknown + Exploit::CheckCode::Unknown('Target did not respond in an expected way') else vprint_status("The target returned HTTP code: #{res.code}") vprint_status("The target returned HTTP body: #{res.body.split("\n")[0]} [...]") - Exploit::CheckCode::Unknown + Exploit::CheckCode::Unknown('Unable to determine vulnerability status') end end diff --git a/modules/exploits/multi/misc/weblogic_deserialize_badattr_extcomp.rb b/modules/exploits/multi/misc/weblogic_deserialize_badattr_extcomp.rb index e0c77b80e7853..774309f2b2ee5 100644 --- a/modules/exploits/multi/misc/weblogic_deserialize_badattr_extcomp.rb +++ b/modules/exploits/multi/misc/weblogic_deserialize_badattr_extcomp.rb @@ -99,9 +99,9 @@ def check @version_no = Rex::Version.new(version) print_status("WebLogic version detected: #{@version_no}") - return CheckCode::Appears if versions.include?(@version_no) + return CheckCode::Appears("WebLogic version #{@version_no} appears vulnerable") if versions.include?(@version_no) - CheckCode::Detected('Version of WebLogic is not vulnerable') + CheckCode::Safe('Version of WebLogic is not vulnerable') ensure disconnect end diff --git a/modules/exploits/multi/misc/weblogic_deserialize_badattrval.rb b/modules/exploits/multi/misc/weblogic_deserialize_badattrval.rb index dcd8d78165f71..6ab0f45b84e9c 100644 
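Review bot: The last changed line of the weblogic_deserialize_badattr_extcomp.rb hunk replaces `CheckCode::Detected` with `CheckCode::Safe`, which changes the check result and not only its description, and the commit title does not mention it. `versions.include?(@version_no)` is an exact-membership test, so any version missing from that list is now reported Safe; the list is defined outside the hunk, so whether it is exhaustive cannot be confirmed here. If the change is intended, a comment such as `# versions is the complete list of affected releases; anything else is treated as not vulnerable` above the return would record that. The same edit is made in weblogic_deserialize_badattrval.rb.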
--- a/modules/exploits/multi/misc/weblogic_deserialize_badattrval.rb +++ b/modules/exploits/multi/misc/weblogic_deserialize_badattrval.rb @@ -93,9 +93,9 @@ def check @version_no = Rex::Version.new(version) print_status("WebLogic version detected: #{@version_no}") - return CheckCode::Appears if versions.include?(@version_no) + return CheckCode::Appears("WebLogic version #{@version_no} appears vulnerable") if versions.include?(@version_no) - CheckCode::Detected('Version of WebLogic is not vulnerable') + CheckCode::Safe('Version of WebLogic is not vulnerable') ensure disconnect end diff --git a/modules/exploits/multi/misc/weblogic_deserialize_marshalledobject.rb b/modules/exploits/multi/misc/weblogic_deserialize_marshalledobject.rb index 97dc76cc7de9e..0debe312da0ee 100644 --- a/modules/exploits/multi/misc/weblogic_deserialize_marshalledobject.rb +++ b/modules/exploits/multi/misc/weblogic_deserialize_marshalledobject.rb 
@@ -95,31 +95,31 @@ def check 'uri' => '/console/login/LoginForm.jsp' ) - return CheckCode::Unknown unless resp && resp.code == 200 + return CheckCode::Unknown('No valid response from target') unless resp && resp.code == 200 unless resp.body.include?('Oracle WebLogic Server Administration Console') vprint_warning("Oracle WebLogic Server banner cannot be found") - return CheckCode::Unknown + return CheckCode::Unknown('Oracle WebLogic Server banner not found') end /WebLogic Server Version: (?\d+\.\d+\.\d+\.\d*)/ =~ resp.body unless version vprint_warning("Oracle WebLogic Server version cannot be found") - return CheckCode::Unknown + return CheckCode::Unknown('Could not determine WebLogic version from response') end version = Rex::Version.new(version) vprint_good("Detected Oracle WebLogic Server Version: #{version}") case when version.to_s.start_with?('10.3') - return CheckCode::Appears unless version > Rex::Version.new('10.3.6.0') + return CheckCode::Appears("WebLogic version #{version} appears vulnerable") unless version > Rex::Version.new('10.3.6.0') when version.to_s.start_with?('12.1.3') - return CheckCode::Appears unless version > Rex::Version.new('12.1.3.0') + return CheckCode::Appears("WebLogic version #{version} appears vulnerable") unless version > Rex::Version.new('12.1.3.0') when version.to_s.start_with?('12.2') - return CheckCode::Appears unless version > Rex::Version.new('12.2.1.0') + return CheckCode::Appears("WebLogic version #{version} appears vulnerable") unless version > Rex::Version.new('12.2.1.0') end - return CheckCode::Safe + return CheckCode::Safe("WebLogic version #{version} is not vulnerable") end =end diff --git a/modules/exploits/multi/misc/weblogic_deserialize_rawobject.rb b/modules/exploits/multi/misc/weblogic_deserialize_rawobject.rb index a72404bad1561..91429141c7664 100644 --- a/modules/exploits/multi/misc/weblogic_deserialize_rawobject.rb +++ b/modules/exploits/multi/misc/weblogic_deserialize_rawobject.rb 
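Review bot: The `check` edited in weblogic_deserialize_marshalledobject.rb is followed by `=end` in the trailing context, so it appears to sit inside a `=begin`/`=end` comment block and the new messages would never run. The opening `=begin` is outside the hunk, so this is inferred. The same trailing `=end` appears in the weblogic_deserialize_rawobject.rb and weblogic_deserialize_unicastref.rb hunks. If the block is disabled on purpose, a line such as `# check is disabled; kept for reference only` before it would explain why, and any active check in these files is the one that needs descriptions.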
@@ -94,33 +94,33 @@ def check 'uri' => '/console/login/LoginForm.jsp' ) - return CheckCode::Unknown unless resp && resp.code == 200 + return CheckCode::Unknown('No valid response from target') unless resp && resp.code == 200 unless resp.body.include?('Oracle WebLogic Server Administration Console') vprint_warning("Oracle WebLogic Server banner cannot be found") - return CheckCode::Unknown + return CheckCode::Unknown('Oracle WebLogic Server banner not found') end /WebLogic Server Version: (?\d+\.\d+\.\d+\.\d*)/ =~ resp.body unless version vprint_warning("Oracle WebLogic Server version cannot be found") - return CheckCode::Unknown + return CheckCode::Unknown('Could not determine WebLogic version from response') end version = Rex::Version.new(version) vprint_good("Detected Oracle WebLogic Server Version: #{version}") case when version.to_s.start_with?('10.3') - return CheckCode::Appears unless version > Rex::Version.new('10.3.6.0') + return CheckCode::Appears("WebLogic version #{version} appears vulnerable") unless version > Rex::Version.new('10.3.6.0') when version.to_s.start_with?('12.1.2') - return CheckCode::Appears unless version > Rex::Version.new('12.1.2.0') + return CheckCode::Appears("WebLogic version #{version} appears vulnerable") unless version > Rex::Version.new('12.1.2.0') when version.to_s.start_with?('12.1.3') - return CheckCode::Appears unless version > Rex::Version.new('12.1.3.0') + return CheckCode::Appears("WebLogic version #{version} appears vulnerable") unless version > Rex::Version.new('12.1.3.0') when version.to_s.start_with?('12.2') - return CheckCode::Appears unless version > Rex::Version.new('12.2.1.0') + return CheckCode::Appears("WebLogic version #{version} appears vulnerable") unless version > Rex::Version.new('12.2.1.0') end - return CheckCode::Safe + return CheckCode::Safe("WebLogic version #{version} is not vulnerable") end =end 
diff --git a/modules/exploits/multi/misc/weblogic_deserialize_unicastref.rb b/modules/exploits/multi/misc/weblogic_deserialize_unicastref.rb index 07cccae413422..01b59fd551a5f 100644 --- a/modules/exploits/multi/misc/weblogic_deserialize_unicastref.rb +++ b/modules/exploits/multi/misc/weblogic_deserialize_unicastref.rb @@ -94,31 +94,31 @@ def check 'uri' => '/console/login/LoginForm.jsp' ) - return CheckCode::Unknown unless resp && resp.code == 200 + return CheckCode::Unknown('No valid response from target') unless resp && resp.code == 200 unless resp.body.include?('Oracle WebLogic Server Administration Console') vprint_warning("Oracle WebLogic Server banner cannot be found") - return CheckCode::Unknown + return CheckCode::Unknown('Oracle WebLogic Server banner not found') end /WebLogic Server Version: (?\d+\.\d+\.\d+\.\d*)/ =~ resp.body unless version vprint_warning("Oracle WebLogic Server version cannot be found") - return CheckCode::Unknown + return CheckCode::Unknown('Could not determine WebLogic version from response') end version = Rex::Version.new(version) vprint_good("Detected Oracle WebLogic Server Version: #{version}") case when version.to_s.start_with?('10.3') - return CheckCode::Appears unless version > Rex::Version.new('10.3.6.0') + return CheckCode::Appears("WebLogic version #{version} appears vulnerable") unless version > Rex::Version.new('10.3.6.0') when version.to_s.start_with?('12.1.3') - return CheckCode::Appears unless version > Rex::Version.new('12.1.3.0') + return CheckCode::Appears("WebLogic version #{version} appears vulnerable") unless version > Rex::Version.new('12.1.3.0') when version.to_s.start_with?('12.2') - return CheckCode::Appears unless version > Rex::Version.new('12.2.1.1') + return CheckCode::Appears("WebLogic version #{version} appears vulnerable") unless version > Rex::Version.new('12.2.1.1') end - return CheckCode::Safe + return CheckCode::Safe("WebLogic version #{version} is not vulnerable") end =end 
diff --git a/modules/exploits/multi/misc/xdh_x_exec.rb b/modules/exploits/multi/misc/xdh_x_exec.rb index bc86e277e2a55..a831ba5c1d8a8 100644 --- a/modules/exploits/multi/misc/xdh_x_exec.rb +++ b/modules/exploits/multi/misc/xdh_x_exec.rb @@ -80,22 +80,22 @@ def check res = register(sock) if res =~ /463/ || res =~ /464/ vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection to the IRC server not allowed') end res = join(sock) - if !res =~ /353/ && !res =~ /366/ + if res !~ /353/ && res !~ /366/ vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel") - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Unknown('Connection failed') end quit(sock) disconnect if res =~ /auth/ && res =~ /logged in/ - Exploit::CheckCode::Vulnerable + Exploit::CheckCode::Vulnerable('Bot responded with auth and logged in confirmation') else - Exploit::CheckCode::Safe + Exploit::CheckCode::Safe('The target is not vulnerable') end end @@ -163,7 +163,7 @@ def exploit print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...") res = join(sock) - if !res =~ /353/ && !res =~ /366/ + if res !~ /353/ && res !~ /366/ print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel") return end diff --git a/modules/exploits/multi/persistence/periodic_script.rb b/modules/exploits/multi/persistence/periodic_script.rb index c0b6e472adc75..8dfcefe59716c 100644 --- a/modules/exploits/multi/persistence/periodic_script.rb +++ b/modules/exploits/multi/persistence/periodic_script.rb 
@@ -63,9 +63,9 @@ def initialize(info = {}) def check periodic = "/etc/periodic/#{datastore['PERIODIC_DIR']}/" - return CheckCode::Vulnerable "#{periodic} is writable" if writable? periodic + return CheckCode::Vulnerable("#{periodic} is writable") if writable? periodic - CheckCode::Safe "Unable to write to #{periodic}" + CheckCode::Safe("Unable to write to #{periodic}") end def write_periodic_script(payload_content) diff --git a/modules/exploits/multi/php/ignition_laravel_debug_rce.rb b/modules/exploits/multi/php/ignition_laravel_debug_rce.rb index 77a51e75aca68..cbf4f95e6dd80 100644 --- a/modules/exploits/multi/php/ignition_laravel_debug_rce.rb +++ b/modules/exploits/multi/php/ignition_laravel_debug_rce.rb @@ -85,9 +85,9 @@ def check # to be sure that it is vulnerable we could try to cleanup the log files (invalid and valid) # but it is way more intrusive than just checking the version moreover we would need to call # the find_log_file method before, meaning four requests more. - return Exploit::CheckCode::Appears if version <= Rex::Version.new('8.26.1') + return Exploit::CheckCode::Appears("Laravel #{version} with Ignition appears vulnerable") if version <= Rex::Version.new('8.26.1') end - return Exploit::CheckCode::Safe + return Exploit::CheckCode::Safe('Target does not appear to be running Laravel with Ignition') end def exploit diff --git a/modules/exploits/multi/php/jorani_path_trav.rb b/modules/exploits/multi/php/jorani_path_trav.rb index cc68d1d6dd3d9..3d55f03e56d4d 100644 --- a/modules/exploits/multi/php/jorani_path_trav.rb +++ b/modules/exploits/multi/php/jorani_path_trav.rb 
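Review bot: The final `Safe('Target does not appear to be running Laravel with Ignition')` in the ignition_laravel_debug_rce.rb hunk also appears to be reached when a version was parsed and is newer than 8.26.1, where the message says the opposite of what was found. Returning inside the block after the Appears line, for example `return Exploit::CheckCode::Safe("Detected version #{version} is not vulnerable")`, would keep the last message for the case where nothing was detected. The enclosing `if` opens outside the hunk, so the fall-through is inferred from the visible `end`.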
@@ -95,19 +95,19 @@ def check return Exploit::CheckCode::Safe('There was a problem accessing the login page') end - return Exploit::CheckCode::Safe unless service_running(res) + return Exploit::CheckCode::Safe('Target service is not running') unless service_running(res) print_good('Jorani seems to be running on the target!') current_version = get_version(res) - return Exploit::CheckCode::Detected if current_version.nil? + return Exploit::CheckCode::Detected('Jorani detected but could not determine version') if current_version.nil? print_good("Found version: #{current_version}") current_version = Rex::Version.new(current_version) - return Exploit::CheckCode::Appears if current_version < Rex::Version.new('1.0.2') + return Exploit::CheckCode::Appears("Jorani version #{current_version} is vulnerable") if current_version < Rex::Version.new('1.0.2') - Exploit::CheckCode::Safe + Exploit::CheckCode::Safe("Jorani version #{current_version} is not vulnerable") end def exploit diff --git a/modules/exploits/multi/php/php_unserialize_zval_cookie.rb b/modules/exploits/multi/php/php_unserialize_zval_cookie.rb index 2207722ff265f..a1bf479fe8623 100644 --- a/modules/exploits/multi/php/php_unserialize_zval_cookie.rb +++ b/modules/exploits/multi/php/php_unserialize_zval_cookie.rb @@ -238,14 +238,14 @@ def check if (!res) vprint_status('No response from the server') - return Exploit::CheckCode::Unknown # User should try again + return Exploit::CheckCode::Unknown('No response from target, user should try again') end http_fingerprint({ response: res }) # check method if (res.code != 200) vprint_status("The server returned #{res.code} #{res.message}") - return Exploit::CheckCode::Safe + return Exploit::CheckCode::Safe('Server returned non-200 response') end if ( 
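Review bot: `Appears("Jorani version #{current_version} is vulnerable")` in the jorani_path_trav.rb hunk states more than the code establishes, because the result rests on a version comparison only. The wording used elsewhere in this patch fits better: `Exploit::CheckCode::Appears("Jorani version #{current_version} appears vulnerable")`. `Safe('Target service is not running')` reads as a liveness statement, while the condition is `service_running(res)` returning false for the login page; 'Jorani was not detected on the target' would describe it more closely, assuming that helper fingerprints the application.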
@@ -261,7 +261,7 @@ def check php_bug = true else vprint_status("The server runs a non-vulnerable version of PHP (#{php_raw})") - return Exploit::CheckCode::Safe + return Exploit::CheckCode::Safe("Non-vulnerable PHP version #{php_raw} detected") end end @@ -279,7 +279,7 @@ def check end - return php_bug ? Exploit::CheckCode::Appears : Exploit::CheckCode::Detected + return php_bug ? Exploit::CheckCode::Appears('Vulnerable PHP version detected') : Exploit::CheckCode::Detected('PHP detected but version may not be vulnerable') end def brute_exploit(target_addrs) diff --git a/modules/exploits/multi/php/wp_duplicator_code_inject.rb b/modules/exploits/multi/php/wp_duplicator_code_inject.rb index 5009a2358705c..86ba0af389711 100644 --- a/modules/exploits/multi/php/wp_duplicator_code_inject.rb +++ b/modules/exploits/multi/php/wp_duplicator_code_inject.rb @@ -74,20 +74,25 @@ def check unless response vprint_error 'Connection failed' - return CheckCode::Unknown + return CheckCode::Unknown('Connection failed') end unless response.code == 200 vprint_error("Server responded with #{response.code}") - return CheckCode::Safe + return CheckCode::Safe("Server responded with #{response.code}") end # check_plugin_version_from_readme('duplicator', '1.2.42') - version = response.body.to_s.scan(/version: ([^<]*)= Rex::Version.new('8.0.0') && version <= Rex::Version.new('8.0.7') - return Exploit::CheckCode::Appears + return Exploit::CheckCode::Appears("Inductive Automation Ignition version #{version} appears vulnerable") else - return Exploit::CheckCode::Safe + return Exploit::CheckCode::Safe("Inductive Automation Ignition version #{version} is not vulnerable") end end