From d6dabd4bfb9ea81aa08174077e4a63c312f072a0 Mon Sep 17 00:00:00 2001
From: ErikWynter
Date: Thu, 28 Jul 2022 15:12:00 +0300
Subject: [PATCH] additional code review improvements for xnode auxiliary modules/lib/docs
---
 .../datasecurity_plus_xnode_conf.yaml | 16 -----------
 .../manageengine_adaudit_plus_xnode_enum.md | 2 +-
 ...nageengine_datasecurity_plus_xnode_enum.md | 2 +-
 .../auxiliary/manage_engine_xnode/config.rb | 3 ++-
 .../auxiliary/manage_engine_xnode/interact.rb | 3 ++-
 .../manageengine_adaudit_plus_xnode_enum.rb | 27 ++++++++++---------
 ...nageengine_datasecurity_plus_xnode_enum.rb | 27 ++++++++++---------
 7 files changed, 34 insertions(+), 46 deletions(-)
diff --git a/data/exploits/manageengine_xnode/CVE-2020-11532/datasecurity_plus_xnode_conf.yaml b/data/exploits/manageengine_xnode/CVE-2020-11532/datasecurity_plus_xnode_conf.yaml
index c6688d38ca..d1e77ae813 100644
--- a/data/exploits/manageengine_xnode/CVE-2020-11532/datasecurity_plus_xnode_conf.yaml
+++ b/data/exploits/manageengine_xnode/CVE-2020-11532/datasecurity_plus_xnode_conf.yaml
@@ -1,13 +1,4 @@
 ---
-# DSPEmailAuditAttachments:
-# - UNIQUE_ID
-# - TIME_GENERATED
-# - ATTACHMENT_ID
-# - ATTACHMENT_FILE_NAME
-# - ATTACHMENT_FILE_TYPE
-# - ATTACHMENT_CLASSIFICATION_VALUE
-# - ATTACHMENT_CLASSIFICATION
-# - ATTACHMENT_FILE_SIZE
 DSPEmailAuditReport:
 - UNIQUE_ID
 - TIME_GENERATED
@@ -266,10 +257,3 @@ RAIncidents:
 # - USER_SCORE
 # - SCORE_DESCRIPTION
 # - ENTITY_ID
-# RAViolationRecords:
-# - INCIDENT_ID
-# - TIME_GENERATED
-# - RULE_ID
-# - RULE_NAME
-# - VIOLATION_TEXT
-# - DISPLAY_TEXT
diff --git a/documentation/modules/auxiliary/gather/manageengine_adaudit_plus_xnode_enum.md b/documentation/modules/auxiliary/gather/manageengine_adaudit_plus_xnode_enum.md
index 2dc3bea664..4f59589d63 100644
--- a/documentation/modules/auxiliary/gather/manageengine_adaudit_plus_xnode_enum.md
+++ b/documentation/modules/auxiliary/gather/manageengine_adaudit_plus_xnode_enum.md
@@ -1,6 +1,6 @@
 ## Vulnerable Application
 The module exploits default admin credentials for the DataEngine Xnode server in ADAudit Plus versions prior to 6.0.3 (6032)
-in order to dump the contents of Xnode data repositories (tables), which may contain (a limited amount of) Active Directory information
+in order to dump the contents of Xnode data repositories (tables), which may contain varying amounts of Active Directory information
 including domain names, host names, usernames and SIDs. The module can also be used against patched ADAudit Plus versions if the correct credentials are provided.
diff --git a/documentation/modules/auxiliary/gather/manageengine_datasecurity_plus_xnode_enum.md b/documentation/modules/auxiliary/gather/manageengine_datasecurity_plus_xnode_enum.md
index a7d94f0f2a..efa62dfc3c 100644
--- a/documentation/modules/auxiliary/gather/manageengine_datasecurity_plus_xnode_enum.md
+++ b/documentation/modules/auxiliary/gather/manageengine_datasecurity_plus_xnode_enum.md
@@ -1,6 +1,6 @@
 ## Vulnerable Application
 The module exploits default admin credentials for the DataEngine Xnode server in DataSecurity Plus versions prior to 6.0.1 (6011)
-in order to dump the contents of Xnode data repositories (tables), which may contain (a limited amount of) Active Directory information
+in order to dump the contents of Xnode data repositories (tables), which may contain varying amounts of Active Directory information
 including domain names, host names, usernames and SIDs. The module can also be used against patched DataSecurity Plus versions if the correct credentials are provided.
diff --git a/lib/msf/core/auxiliary/manage_engine_xnode/config.rb b/lib/msf/core/auxiliary/manage_engine_xnode/config.rb
index a7a14f80e0..5c2097b15b 100644
--- a/lib/msf/core/auxiliary/manage_engine_xnode/config.rb
+++ b/lib/msf/core/auxiliary/manage_engine_xnode/config.rb
@@ -18,7 +18,8 @@ module Msf::Auxiliary::ManageEngineXnode::Config
 config_contents = File.read(config_file)
 data_to_dump = YAML.safe_load((config_contents))
 rescue StandardError => e
- print_error("Encountered the following error while trying to load #{config_file}:\n#{e.to_s}")
+ print_error("Encountered the following error while trying to load #{config_file}:")
+ print_error(e.to_s)
 return 2
 end
diff --git a/lib/msf/core/auxiliary/manage_engine_xnode/interact.rb b/lib/msf/core/auxiliary/manage_engine_xnode/interact.rb
index 5458f29566..106ad822a5 100644
--- a/lib/msf/core/auxiliary/manage_engine_xnode/interact.rb
+++ b/lib/msf/core/auxiliary/manage_engine_xnode/interact.rb
@@ -40,7 +40,8 @@ module Msf::Auxiliary::ManageEngineXnode::Interact
 # sock.recv won't work either since the message length can be (and often is) larger than the max of 65535
 r = sock.get
 rescue StandardError => e
- print_error("Encountered the following error while trying to interact with the Xnode server:\n#{e.to_s}")
+ print_error("Encountered the following error while trying to interact with the Xnode server:")
+ print_error(e.to_s)
 return nil
 end
diff --git a/modules/auxiliary/gather/manageengine_adaudit_plus_xnode_enum.rb b/modules/auxiliary/gather/manageengine_adaudit_plus_xnode_enum.rb
index 1e7b06ef40..c671b2146c 100644
--- a/modules/auxiliary/gather/manageengine_adaudit_plus_xnode_enum.rb
+++ b/modules/auxiliary/gather/manageengine_adaudit_plus_xnode_enum.rb
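Review bot: The rescue in config.rb still prints only `e.to_s`, so a missing or unreadable file and a document rejected by `YAML.safe_load` cannot be told apart in the output without the exception class; `print_error("#{e.class}: #{e.message}")` as the second line would keep that. The same applies to the matching rescue in the interact.rb hunk of this commit. Both rescues catch all of `StandardError`, so an unrelated bug such as a `NoMethodError` would be reported with the same wording as an I/O or parse failure. The enclosing methods start and end outside these hunks, so the meaning of the bare `return 2` status is not visible here; it deserves a one-line comment such as `# 2: config file could not be read or parsed` if it has none.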
@@ -199,29 +199,30 @@ class MetasploitModule < Msf::Auxiliary
 results = []
 print_status("Attempting to request #{total_hits} records for data repository #{repo} between IDs #{id_range_lower} and #{max_id}. This could take a while...")
 hit_upper_limit = false
- loop do
+ until hit_upper_limit
 # build a custom query for the unique_id range
 custom_query = { 'query' => "UNIQUE_ID:[#{id_range_lower} TO #{id_range_upper}]" }
 query = action_dr_search(repo, fields, custom_query)
 res_code, res = get_response(@sock, query)
 partial_results = process_dr_search(res, res_code, repo, fields)
+ results += partial_results unless partial_results.nil?
+ query_ct += 1
 if query_ct % 25 == 0
 print_status("Processed #{query_ct} queries (max 10 records per query) so far. The last queried record ID was #{id_range_upper}. The max ID is #{max_id}...")
 end
- id_range_lower += 10
- id_range_upper += 10
- if id_range_upper > max_id
- if hit_upper_limit
- results += partial_results unless partial_results.nil?
- break
- end
- hit_upper_limit = true
- id_range_upper = max_id
- end
- next if partial_results.nil?
- results += partial_results
+ # check if we have already queried the record with the maximum ID value, if so, we're done
+ if id_range_upper == max_id
+ hit_upper_limit = true
+ else
+ id_range_lower += 10
+ id_range_upper += 10
+ # make sure that id_range_upper never exceeds the maximum ID value
+ if id_range_upper > max_id
+ id_range_upper = max_id
+ end
+ end
 end
 if results.empty?
diff --git a/modules/auxiliary/gather/manageengine_datasecurity_plus_xnode_enum.rb b/modules/auxiliary/gather/manageengine_datasecurity_plus_xnode_enum.rb
index 31d1bbcace..55dc123213 100644
--- a/modules/auxiliary/gather/manageengine_datasecurity_plus_xnode_enum.rb
+++ b/modules/auxiliary/gather/manageengine_datasecurity_plus_xnode_enum.rb
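Review bot: The rewritten loop in manageengine_adaudit_plus_xnode_enum.rb stops only when `id_range_upper == max_id` holds exactly. The bounds are initialised outside this hunk, so this is an assumption to confirm: if the upper bound is already above `max_id` on entry, the first pass queries an unclamped range and the second pass can query a range whose lower bound exceeds its upper bound. Testing `if id_range_upper >= max_id` and advancing with `id_range_upper = [id_range_upper + 10, max_id].min` covers that case and removes the nested `if`. Separately, `results += partial_results` allocates a new array on every query, while `results.concat(partial_results)` appends in place. The hunk in manageengine_datasecurity_plus_xnode_enum.rb appears to be the same code and needs the same change.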
@@ -198,29 +198,30 @@ class MetasploitModule < Msf::Auxiliary
 results = []
 print_status("Attempting to request #{total_hits} records for data repository #{repo} between IDs #{id_range_lower} and #{max_id}. This could take a while...")
 hit_upper_limit = false
- loop do
+ until hit_upper_limit
 # build a custom query for the unique_id range
 custom_query = { 'query' => "UNIQUE_ID:[#{id_range_lower} TO #{id_range_upper}]" }
 query = action_dr_search(repo, fields, custom_query)
 res_code, res = get_response(@sock, query)
 partial_results = process_dr_search(res, res_code, repo, fields)
+ results += partial_results unless partial_results.nil?
+ query_ct += 1
 if query_ct % 25 == 0
 print_status("Processed #{query_ct} queries (max 10 records per query) so far. The last queried record ID was #{id_range_upper}. The max ID is #{max_id}...")
 end
- id_range_lower += 10
- id_range_upper += 10
- if id_range_upper > max_id
- if hit_upper_limit
- results += partial_results unless partial_results.nil?
- break
- end
- hit_upper_limit = true
- id_range_upper = max_id
- end
- next if partial_results.nil?
- results += partial_results
+ # check if we have already queried the record with the maximum ID value, if so, we're done
+ if id_range_upper == max_id
+ hit_upper_limit = true
+ else
+ id_range_lower += 10
+ id_range_upper += 10
+ # make sure that id_range_upper never exceeds the maximum ID value
+ if id_range_upper > max_id
+ id_range_upper = max_id
+ end
+ end
 end
 if results.empty?
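Review bot: This paging loop in manageengine_datasecurity_plus_xnode_enum.rb reads as a copy of the one changed in manageengine_adaudit_plus_xnode_enum.rb in the same commit, so every later fix has to be made twice and the two modules can drift apart. The commit already touches shared code under lib/msf/core/auxiliary/manage_engine_xnode/, so the loop could move into one method there that takes `repo`, `fields`, `id_range_lower`, `id_range_upper` and `max_id` and returns `results`, leaving each module with a single call. The enclosing method starts and ends outside the hunk, so whether `total_hits` and `query_ct` also need to be passed in should be confirmed against the full file.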