additional code review improvements for xnode auxiliary modules/lib/docs

2024-07-18 18:31:41 +02:00 · 2022-07-28 15:12:00 +03:00 · 2022-07-28 15:12:00 +03:00 · d6dabd4bfb
commit d6dabd4bfb
parent c6c745c633
7 changed files with 34 additions and 46 deletions
--- a/data/exploits/manageengine_xnode/CVE-2020-11532/datasecurity_plus_xnode_conf.yaml
+++ b/data/exploits/manageengine_xnode/CVE-2020-11532/datasecurity_plus_xnode_conf.yaml
@ -1,13 +1,4 @@
 ---
-# DSPEmailAuditAttachments:
-# - UNIQUE_ID
-# - TIME_GENERATED
-# - ATTACHMENT_ID
-# - ATTACHMENT_FILE_NAME
-# - ATTACHMENT_FILE_TYPE
-# - ATTACHMENT_CLASSIFICATION_VALUE
-# - ATTACHMENT_CLASSIFICATION
-# - ATTACHMENT_FILE_SIZE
 DSPEmailAuditReport:
 - UNIQUE_ID
 - TIME_GENERATED
@ -266,10 +257,3 @@ RAIncidents:
 # - USER_SCORE
 # - SCORE_DESCRIPTION
 # - ENTITY_ID
-# RAViolationRecords:
-# - INCIDENT_ID
-# - TIME_GENERATED
-# - RULE_ID
-# - RULE_NAME
-# - VIOLATION_TEXT
-# - DISPLAY_TEXT
--- a/documentation/modules/auxiliary/gather/manageengine_adaudit_plus_xnode_enum.md
+++ b/documentation/modules/auxiliary/gather/manageengine_adaudit_plus_xnode_enum.md
@ -1,6 +1,6 @@
 ## Vulnerable Application
 The module exploits default admin credentials for the DataEngine Xnode server in ADAudit Plus versions prior to 6.0.3 (6032)
-in order to dump the contents of Xnode data repositories (tables), which may contain (a limited amount of) Active Directory information
+in order to dump the contents of Xnode data repositories (tables), which may contain varying amounts of Active Directory information
 including domain names, host names, usernames and SIDs.
 The module can also be used against patched ADAudit Plus versions if the correct credentials are provided.

--- a/documentation/modules/auxiliary/gather/manageengine_datasecurity_plus_xnode_enum.md
+++ b/documentation/modules/auxiliary/gather/manageengine_datasecurity_plus_xnode_enum.md
@ -1,6 +1,6 @@
 ## Vulnerable Application
 The module exploits default admin credentials for the DataEngine Xnode server in DataSecurity Plus versions prior to 6.0.1 (6011)
-in order to dump the contents of Xnode data repositories (tables), which may contain (a limited amount of) Active Directory information
+in order to dump the contents of Xnode data repositories (tables), which may contain varying amounts of Active Directory information
 including domain names, host names, usernames and SIDs.
 The module can also be used against patched DataSecurity Plus versions if the correct credentials are provided.

--- a/lib/msf/core/auxiliary/manage_engine_xnode/config.rb
+++ b/lib/msf/core/auxiliary/manage_engine_xnode/config.rb
@ -18,7 +18,8 @@ module Msf::Auxiliary::ManageEngineXnode::Config
      config_contents = File.read(config_file)
      data_to_dump = YAML.safe_load((config_contents))
    rescue StandardError => e
-      print_error("Encountered the following error while trying to load #{config_file}:\n#{e.to_s}")
+      print_error("Encountered the following error while trying to load #{config_file}:")
+      print_error(e.to_s)
      return 2      
    end

--- a/lib/msf/core/auxiliary/manage_engine_xnode/interact.rb
+++ b/lib/msf/core/auxiliary/manage_engine_xnode/interact.rb
@ -40,7 +40,8 @@ module Msf::Auxiliary::ManageEngineXnode::Interact
      # sock.recv won't work either since the message length can be (and often is) larger than the max of 65535
      r = sock.get
    rescue StandardError => e
-      print_error("Encountered the following error while trying to interact with the Xnode server:\n#{e.to_s}")
+      print_error("Encountered the following error while trying to interact with the Xnode server:")
+      print_error(e.to_s)
      return nil
    end

--- a/modules/auxiliary/gather/manageengine_adaudit_plus_xnode_enum.rb
+++ b/modules/auxiliary/gather/manageengine_adaudit_plus_xnode_enum.rb
@ -199,29 +199,30 @@ class MetasploitModule < Msf::Auxiliary
      results = []
      print_status("Attempting to request #{total_hits} records for data repository #{repo} between IDs #{id_range_lower} and #{max_id}. This could take a while...")
      hit_upper_limit = false
-      loop do
+      until hit_upper_limit
        # build a custom query for the unique_id range
        custom_query = { 'query' => "UNIQUE_ID:[#{id_range_lower} TO #{id_range_upper}]" }
        query = action_dr_search(repo, fields, custom_query)
        res_code, res = get_response(@sock, query)
        partial_results = process_dr_search(res, res_code, repo, fields)
+        results += partial_results unless partial_results.nil?
+
        query_ct += 1
        if query_ct % 25 == 0
          print_status("Processed #{query_ct} queries (max 10 records per query) so far. The last queried record ID was #{id_range_upper}. The max ID is #{max_id}...")
        end
-        id_range_lower += 10
-        id_range_upper += 10
-        if id_range_upper > max_id
-          if hit_upper_limit
-            results += partial_results unless partial_results.nil?
-            break
-          end
-          hit_upper_limit = true
-          id_range_upper = max_id
-        end
-        next if partial_results.nil?

-        results += partial_results
+        # check if we have already queried the record with the maximum ID value, if so, we're done
+        if id_range_upper == max_id
+          hit_upper_limit = true
+        else
+          id_range_lower += 10
+          id_range_upper += 10
+          # make sure that id_range_upper never exceeds the maximum ID value
+          if id_range_upper > max_id
+            id_range_upper = max_id
+          end
+        end
      end

      if results.empty?
--- a/modules/auxiliary/gather/manageengine_datasecurity_plus_xnode_enum.rb
+++ b/modules/auxiliary/gather/manageengine_datasecurity_plus_xnode_enum.rb
@ -198,29 +198,30 @@ class MetasploitModule < Msf::Auxiliary
      results = []
      print_status("Attempting to request #{total_hits} records for data repository #{repo} between IDs #{id_range_lower} and #{max_id}. This could take a while...")
      hit_upper_limit = false
-      loop do
+      until hit_upper_limit
        # build a custom query for the unique_id range
        custom_query = { 'query' => "UNIQUE_ID:[#{id_range_lower} TO #{id_range_upper}]" }
        query = action_dr_search(repo, fields, custom_query)
        res_code, res = get_response(@sock, query)
        partial_results = process_dr_search(res, res_code, repo, fields)
+        results += partial_results unless partial_results.nil?
+
        query_ct += 1
        if query_ct % 25 == 0
          print_status("Processed #{query_ct} queries (max 10 records per query) so far. The last queried record ID was #{id_range_upper}. The max ID is #{max_id}...")
        end
-        id_range_lower += 10
-        id_range_upper += 10
-        if id_range_upper > max_id
-          if hit_upper_limit
-            results += partial_results unless partial_results.nil?
-            break
-          end
-          hit_upper_limit = true
-          id_range_upper = max_id
-        end
-        next if partial_results.nil?

-        results += partial_results
+        # check if we have already queried the record with the maximum ID value, if so, we're done
+        if id_range_upper == max_id
+          hit_upper_limit = true
+        else
+          id_range_lower += 10
+          id_range_upper += 10
+          # make sure that id_range_upper never exceeds the maximum ID value
+          if id_range_upper > max_id
+            id_range_upper = max_id
+          end
+        end
      end

      if results.empty?