From d7712d8d5aaa72a59929e67ea44f7efe84db962b Mon Sep 17 00:00:00 2001 
From: Valentin Lobstein Date: Fri, 28 Nov 2025 23:57:33 +0100 Subject: [PATCH 1/2] Separate SSL and SRVSSL options for client and server connections --- .../modules/auxiliary/server/capture/ftp.md | 11 +++++----- .../auxiliary/server/capture/http_basic.md | 11 +++++----- .../modules/auxiliary/server/capture/imap.md | 11 +++++----- .../modules/auxiliary/server/capture/mysql.md | 4 ++-- .../auxiliary/server/capture/postgresql.md | 4 ++-- .../auxiliary/server/capture/telnet.md | 4 ++-- .../modules/auxiliary/server/capture/vnc.md | 4 ++-- lib/msf/core/exploit/remote/http_server.rb | 20 ++++++++++--------- lib/msf/core/exploit/remote/socket_server.rb | 1 + lib/msf/core/exploit/remote/tcp_server.rb | 6 +++--- .../google_play_store_uxss_xframe_rce.rb | 2 +- .../apple_safari_ftp_url_cookie_theft.rb | 4 ++-- .../gather/firefox_pdfjs_file_theft.rb | 2 +- .../gather/magento_xxe_cve_2024_34102.rb | 2 +- .../gather/safari_file_url_navigation.rb | 2 +- .../server/android_mercury_parseuri.rb | 2 +- .../capture/http_javascript_keylogger.rb | 2 +- .../linux/http/chaos_rat_xss_to_rce.rb | 4 ++-- .../linux/http/craftcms_ftp_template.rb | 7 ------- .../http/dlink_diagnostic_exec_noauth.rb | 2 +- .../linux/http/dlink_dir615_up_exec.rb | 2 +- .../linux/http/dlink_hnap_login_bof.rb | 2 +- .../linux/http/ibm_qradar_unauth_rce.rb | 2 +- .../linux/http/linksys_e1500_apply_exec.rb | 2 +- .../linux/http/linksys_wrt54gl_apply_exec.rb | 2 +- .../http/magento_xxe_to_glibc_buf_overflow.rb | 2 +- .../linux/http/netgear_dgn1000b_setup_exec.rb | 2 +- .../linux/http/netgear_dgn2200b_pppoe_exec.rb | 2 +- .../exploits/linux/http/spark_unauth_rce.rb | 2 +- modules/exploits/linux/http/vestacp_exec.rb | 8 ++++---- .../exploits/linux/smtp/exim4_dovecot_exec.rb | 2 +- .../multi/http/bassmaster_js_injection.rb | 2 +- .../multi/http/jenkins_metaprogramming.rb | 7 ++----- .../multi/http/log4shell_header_injection.rb | 6 +++--- .../multi/http/monsta_ftp_downloadfile_rce.rb | 2 +- 
.../multi/http/mutiny_subnetmask_exec.rb | 2 +- .../http/rails_dynamic_render_code_exec.rb | 2 +- .../http/struts_default_action_mapper.rb | 2 +- ...ro_threat_discovery_admin_sys_time_cmdi.rb | 2 +- .../exploits/multi/misc/ibm_tm1_unauth_rce.rb | 2 +- .../multi/sap/sap_mgmt_con_osexec_payload.rb | 2 +- .../osx/browser/safari_file_policy.rb | 4 ++-- .../adobe_flashplayer_arrayindexing.rb | 2 +- .../browser/apple_quicktime_mime_type.rb | 2 +- .../windows/browser/apple_quicktime_rtsp.rb | 2 +- .../browser/apple_quicktime_smil_debug.rb | 2 +- .../apple_quicktime_texml_font_table.rb | 2 +- .../browser/foxit_reader_plugin_url_bof.rb | 2 +- .../browser/honeywell_hscremotedeploy_exec.rb | 2 +- .../windows/browser/msvidctl_mpeg2.rb | 2 +- .../browser/notes_handler_cmdinject.rb | 2 +- .../windows/fileformat/office_word_hta.rb | 2 +- .../windows/fileformat/word_msdtjs_rce.rb | 2 +- ...anageengine_adaudit_plus_cve_2022_28219.rb | 2 +- .../exploits/windows/misc/webdav_delivery.rb | 2 +- .../exploits/windows/novell/netiq_pum_eval.rb | 5 ++--- .../exploits/windows/nuuo/nuuo_cms_sqli.rb | 6 +++--- tools/dev/msftidy_docs.rb | 4 ++-- 58 files changed, 101 insertions(+), 106 deletions(-) diff --git a/documentation/modules/auxiliary/server/capture/ftp.md b/documentation/modules/auxiliary/server/capture/ftp.md index 3ae7c1208c669..164a2976a0af6 100644 --- a/documentation/modules/auxiliary/server/capture/ftp.md +++ b/documentation/modules/auxiliary/server/capture/ftp.md 
@@ -19,10 +19,11 @@ This module creates a mock FTP server which accepts credentials before throwing * `Serv-U FTP Server v15.0 ready...` * `ProFTPD 1.3.4a Server (FTP-Server)` -### SSL +### SRVSSL - Boolean if SSL should be used, making this FTPS. FTPS is typically run on port 990. If `SSLCert` is not set, a certificate - will be automatically generated. Default is `False`. + Boolean if SSL/TLS should be used for the server, making this FTPS. FTPS is typically run on port 990. If `SSLCert` is not set, + a certificate will be automatically generated. Default is `False`. Note: This option is separate from the `SSL` option which + controls client connections. ### SSLCert @@ -147,8 +148,8 @@ mVuIIRbrDW/sOgu2Viis msf > use auxiliary/server/capture/ftp msf auxiliary(server/capture/ftp) > set srvport 990 srvport => 990 -msf auxiliary(server/capture/ftp) > set ssl true -ssl => true +msf auxiliary(server/capture/ftp) > set srvssl true +srvssl => true msf auxiliary(server/capture/ftp) > set sslcert /root/metasploit-framework/selfsigned.pem sslcert => /root/metasploit-framework/selfsigned.pem msf auxiliary(server/capture/ftp) > run diff --git a/documentation/modules/auxiliary/server/capture/http_basic.md b/documentation/modules/auxiliary/server/capture/http_basic.md index 68ba87ec52822..4a7dc9da69f18 100644 --- a/documentation/modules/auxiliary/server/capture/http_basic.md +++ b/documentation/modules/auxiliary/server/capture/http_basic.md 
@@ -23,10 +23,11 @@ This module creates a mock web server which, utilizing a HTTP 401 response, prom After the user enters a set of credentials, their browser will be redirected to this address. Default is ``. -### SSL +### SRVSSL - Boolean if SSL should be used, making this HTTPS. HTTPS is typically run on port 443. If `SSLCert` is not set, a certificate - will be automatically generated. Default is `False`. + Boolean if SSL/TLS should be used for the server, making this HTTPS. HTTPS is typically run on port 443. If `SSLCert` is not set, + a certificate will be automatically generated. Default is `False`. Note: This option is separate from the `SSL` option which + controls client connections. ### SSLCert @@ -156,8 +157,8 @@ Oj6N43ld9EONST6BhP3v1buoWHi1FMouocrUkUDuahiHoLlK4ERSUrb4uNnwko24 WdNCCmA8APA1qf2BYVqs -----END CERTIFICATE----- msf > use auxiliary/server/capture/http_basic -msf auxiliary(server/capture/http_basic) > set ssl true -ssl => true +msf auxiliary(server/capture/http_basic) > set srvssl true +srvssl => true msf auxiliary(server/capture/http_basic) > set srvport 443 srvport => 443 msf auxiliary(server/capture/http_basic) > set sslcert /root/metasploit-framework/selfsigned.pem diff --git a/documentation/modules/auxiliary/server/capture/imap.md b/documentation/modules/auxiliary/server/capture/imap.md index 4f2840e9d5675..7bd7bd6074ce6 100644 --- a/documentation/modules/auxiliary/server/capture/imap.md +++ b/documentation/modules/auxiliary/server/capture/imap.md 
@@ -20,10 +20,11 @@ This module creates a mock IMAP server which accepts credentials. * `The Microsoft Exchange IMAP4 service is ready.` * `Microsoft Exchange Server 2003 IMAP4rev1 server versino 6.5.7638.1 (domain.local) ready.` -### SSL +### SRVSSL - Boolean if SSL should be used, making this Secure IMAP. Secure IMAP is typically run on port 993. If `SSLCert` is not set, a certificate - will be automatically generated. Default is `False`. + Boolean if SSL/TLS should be used for the server, making this Secure IMAP. Secure IMAP is typically run on port 993. + If `SSLCert` is not set, a certificate will be automatically generated. Default is `False`. Note: This option is separate + from the `SSL` option which controls client connections. ### SSLCert @@ -144,8 +145,8 @@ l/m7Kka0n7lXnKo+IFSJ0dTooBvwaV7+4tEGuHxWJsNO+2aex9qFCuDUdBFxyWyK uBVlsY6F7EjTfWpxwyVP -----END CERTIFICATE----- msf > use auxiliary/server/capture/imap -msf auxiliary(server/capture/imap) > set ssl true -ssl => true +msf auxiliary(server/capture/imap) > set srvssl true +srvssl => true msf auxiliary(server/capture/imap) > set sslcert /root/metasploit-framework/selfsigned.pem sslcert => /root/metasploit-framework/selfsigned.pem msf auxiliary(server/capture/imap) > set srvport 993 diff --git a/documentation/modules/auxiliary/server/capture/mysql.md b/documentation/modules/auxiliary/server/capture/mysql.md index 38ceaa345d482..a10351942df1e 100644 --- a/documentation/modules/auxiliary/server/capture/mysql.md +++ b/documentation/modules/auxiliary/server/capture/mysql.md @@ -24,9 +24,9 @@ This module creates a mock MySQL server which accepts credentials. Upon receivi The MySQL version to print in the login banner. Default is `5.5.16`. -### SSL +### SRVSSL - Boolean if SSL should be used. Default is `False`. + Boolean if SSL/TLS should be used for the server. Default is `False`. Note: This option is separate from the `SSL` option which controls client connections. ### SSLCert 
diff --git a/documentation/modules/auxiliary/server/capture/postgresql.md b/documentation/modules/auxiliary/server/capture/postgresql.md index 01b3e640409b4..d77edd3307177 100644 --- a/documentation/modules/auxiliary/server/capture/postgresql.md +++ b/documentation/modules/auxiliary/server/capture/postgresql.md @@ -9,9 +9,9 @@ This module creates a mock PostgreSQL server which accepts credentials. Upon re ## Options -### SSL +### SRVSSL - Boolean if SSL should be used. Default is `False`. + Boolean if SSL/TLS should be used for the server. Default is `False`. Note: This option is separate from the `SSL` option which controls client connections. ### SSLCert diff --git a/documentation/modules/auxiliary/server/capture/telnet.md b/documentation/modules/auxiliary/server/capture/telnet.md index dc59cb07b5274..23900e817f078 100644 --- a/documentation/modules/auxiliary/server/capture/telnet.md +++ b/documentation/modules/auxiliary/server/capture/telnet.md @@ -12,9 +12,9 @@ This module creates a mock telnet server which accepts credentials. Upon receiv The Banner which should be displayed. Default is empty, which will display `Welcome`. -### SSL +### SRVSSL - Boolean if SSL should be used. Default is `False`. + Boolean if SSL/TLS should be used for the server. Default is `False`. Note: This option is separate from the `SSL` option which controls client connections. ### SSLCert diff --git a/documentation/modules/auxiliary/server/capture/vnc.md b/documentation/modules/auxiliary/server/capture/vnc.md index 3a5ec468b217e..7f3872f393d4a 100644 --- a/documentation/modules/auxiliary/server/capture/vnc.md +++ b/documentation/modules/auxiliary/server/capture/vnc.md 
@@ -16,9 +16,9 @@ This module creates a mock VNC server which accepts credentials. Upon receiving Write a file containing a John the Ripper format for cracking the credentials. Default is ``. -### SSL +### SRVSSL - Boolean if SSL should be used. Default is `False`. + Boolean if SSL/TLS should be used for the server. Default is `False`. Note: This option is separate from the `SSL` option which controls client connections. ### SSLCert diff --git a/lib/msf/core/exploit/remote/http_server.rb b/lib/msf/core/exploit/remote/http_server.rb index 4886640693d5a..d96ccb562f7ba 100644 --- a/lib/msf/core/exploit/remote/http_server.rb +++ b/lib/msf/core/exploit/remote/http_server.rb @@ -111,22 +111,23 @@ def check_dependencies # ServerPort => Override the server port to listen on (default to SRVPORT). # Uri => The URI to handle and the associated procedure to call. # - # - # TODO: This must be able to take an SSL parameter and not rely - # completely on the datastore. (See dlink_upnp_exec_noauth) + # SSL configuration for the server is controlled by the SRVSSL datastore option + # (separate from SSL which is used for client connections). The ssl() method + # returns the SRVSSL value, ensuring server and client SSL are independent. + # If opts['Ssl'] is provided, it will override the SRVSSL datastore option. def start_service(opts = {}) - # Keep compatibility with modules that don't pass the ssl option to the start server but rely on the datastore instead. - opts['ssl'] = opts['ssl'].nil? ? datastore['SSL'] : opts['ssl'] - check_dependencies + # Use opts['Ssl'] if provided, otherwise use the SRVSSL datastore option + server_ssl = opts.has_key?('Ssl') ? opts['Ssl'] : ssl + # Start a new HTTP server service. self.service = Rex::ServiceManager.start( Rex::Proto::Http::Server, (opts['ServerPort'] || bindport).to_i, opts['ServerHost'] || bindhost, - opts['ssl'], + server_ssl, { 'Msf' => framework, 'MsfExploit' => self, 
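Review bot: The per-call override key changes from `'ssl'` to `'Ssl'` and is looked up with `opts.has_key?('Ssl')`, so any caller still passing `'ssl' => false` (an out-of-tree module, or an in-tree one this sweep missed) now falls back to SRVSSL with no error, and an explicit `'Ssl' => nil` is taken as "disable" where the removed `.nil?` check treated it as "unset". Accepting both spellings and keeping nil as unset costs two lines, `explicit = opts.key?('Ssl') ? opts['Ssl'] : opts['ssl']` followed by `server_ssl = explicit.nil? ? ssl : explicit`. The new header comment could also say that `'Ssl'` is the only override spelling if dropping `'ssl'` is intentional. start_service's body continues past the hunk.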
@@ -152,7 +153,7 @@ def start_service(opts = {}) 'Path' => opts['Path'] || resource_uri }.update(opts['Uri'] || {}) - proto = (opts['ssl'] ? "https" : "http") + proto = (server_ssl ? "https" : "http") # SSLCompression may or may not actually be available. For example, on # Ubuntu, it's disabled by default, unless the correct environment @@ -437,7 +438,8 @@ def get_uri(cli=self.cli) # The resource won't exist until the server is started return unless resource - ssl = !!(datastore["SSL"]) + # Use ssl() method which returns SRVSSL (separate from SSL for client connections) + ssl = !!ssl() proto = (ssl ? "https://" : "http://") if datastore['URIHOST'] host = datastore['URIHOST'] diff --git a/lib/msf/core/exploit/remote/socket_server.rb b/lib/msf/core/exploit/remote/socket_server.rb index f034b95027993..69433ea7f9ebd 100644 --- a/lib/msf/core/exploit/remote/socket_server.rb +++ b/lib/msf/core/exploit/remote/socket_server.rb @@ -20,6 +20,7 @@ def initialize(info = {}) [ OptAddressLocal.new('SRVHOST', [ true, 'The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.', '0.0.0.0' ]), OptPort.new('SRVPORT', [ true, "The local port to listen on.", 8080 ]), + OptBool.new('SRVSSL', [ false, 'Negotiate SSL/TLS for the server (overrides SSL option for server-side connections)', false]) ], Msf::Exploit::Remote::SocketServer ) diff --git a/lib/msf/core/exploit/remote/tcp_server.rb b/lib/msf/core/exploit/remote/tcp_server.rb index 53ba06875e259..00e1e69f1ae58 100644 --- a/lib/msf/core/exploit/remote/tcp_server.rb +++ b/lib/msf/core/exploit/remote/tcp_server.rb 
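Review bot: `ssl = !!ssl()` in get_uri reports the SRVSSL datastore value rather than what the listener was actually started with, so a module that passes `'Ssl' => false` to start_service (jenkins_metaprogramming and the many `'Ssl' => false` callers in this patch) while the user has SRVSSL set to true will print an `https://` URL for a plaintext listener — the case the removed TODO in start_service described, and the new comment there now claims it is handled. Recording the effective value in start_service with `@server_ssl = server_ssl` and reading it here, `use_ssl = @server_ssl.nil? ? !!ssl : @server_ssl`, makes the URL agree with the socket; the rename also removes the local-variable shadowing that forces the `ssl()` call syntax. get_uri's body continues past the hunk.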
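Review bot: The SRVSSL description says it "overrides SSL option for server-side connections", but after this patch the SSL option has no server-side effect at all (TcpServer#ssl reads only SRVSSL), so "overrides" suggests a fallback that does not exist. Wording such as `'Negotiate SSL/TLS for incoming connections (the SSL option now applies only to client connections)'` states the split directly, and matches the phrasing used in the documentation hunks. SRVSSL is registered here in SocketServer while SSLCert remains in TcpServer; if TcpServer does not include SocketServer, a TcpServer-only module would read an unregistered option from `ssl`, which is worth confirming or noting in a comment next to the new line.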
@@ -18,7 +18,6 @@ def initialize(info = {}) register_options( [ - OptBool.new('SSL', [ false, 'Negotiate SSL for incoming connections', false]), # SSLVersion is currently unsupported for TCP servers (only supported by clients at the moment) OptPath.new('SSLCert', [ false, 'Path to a custom SSL certificate (default is randomly generated)']) ], Msf::Exploit::Remote::TcpServer @@ -111,10 +110,11 @@ def start_service(opts = {}) end # - # Returns the SSL option + # Returns the SSL option for the server + # Uses SRVSSL which is separate from the SSL option (for client connections) # def ssl - datastore['SSL'] + datastore['SRVSSL'] end # diff --git a/modules/auxiliary/admin/android/google_play_store_uxss_xframe_rce.rb b/modules/auxiliary/admin/android/google_play_store_uxss_xframe_rce.rb index 72919757cb8ca..5f23fc06e4410 100644 --- a/modules/auxiliary/admin/android/google_play_store_uxss_xframe_rce.rb +++ b/modules/auxiliary/admin/android/google_play_store_uxss_xframe_rce.rb @@ -176,7 +176,7 @@ def hidden_css end def backend_url - proto = (datastore['SSL'] ? 'https' : 'http') + proto = (datastore['SRVSSL'] ? 'https' : 'http') myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST'] port_str = (datastore['SRVPORT'].to_i == 80) ? '' : ":#{datastore['SRVPORT']}" "#{proto}://#{myhost}#{port_str}/#{datastore['URIPATH']}/catch" diff --git a/modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb b/modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb index 2e35b3c9ffd3e..c934d9fef66ce 100644 --- a/modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb +++ b/modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb @@ -87,7 +87,7 @@ def start_http(opts = {}) Rex::Proto::Http::Server, opts['ServerPort'].to_i, opts['ServerHost'], - datastore['SSL'], + datastore['SRVSSL'], { 'Msf' => framework, 'MsfExploit' => self, 
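Review bot: Making `ssl` return `datastore['SRVSSL']` while the `SSL` option is removed from TcpServer means an existing workflow that ran `set SSL true` on a server-only module (the usage the documentation hunks in this patch replace) now gets a plaintext listener with no error, because SRVSSL defaults to false. Where the module has no client mixin, a one-time `print_warning('SSL no longer enables TLS on the listener; set SRVSSL instead') if datastore['SSL'] && !datastore['SRVSSL']` would surface the change; if that cannot be scoped reliably, the option removal should at least be called out in the commit description or release notes. The new two-line comment on `ssl` would read better as a single YARD line, `# @return [Boolean] whether the listener negotiates TLS (SRVSSL; SSL only affects client connections)`.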
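Review bot: `backend_url` reads `datastore['SRVSSL']` directly where http_server.rb's own start_service goes through the `ssl` accessor; the same direct read is introduced in apple_safari_ftp_url_cookie_theft, firefox_pdfjs_file_theft, safari_file_url_navigation, android_mercury_parseuri, http_javascript_keylogger, chaos_rat_xss_to_rce, ibm_qradar_unauth_rce, spark_unauth_rce, log4shell_header_injection, safari_file_policy, adobe_flashplayer_arrayindexing and the apple_quicktime_* modules. Routing them through the accessor, `proto = ssl ? 'https' : 'http'`, keeps a single point of truth so any later fallback or override logic in TcpServer#ssl reaches every URL builder and listener start, not only the core start_service. This assumes `ssl` is in scope in each module, which should hold for those mixing in HttpServer or TcpServer but is worth checking for the hand-rolled start_http_service variants.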
@@ -107,7 +107,7 @@ def start_http(opts = {}) 'Path' => resource_uri }.update(opts['Uri'] || {}) - proto = (datastore['SSL'] ? 'https' : 'http') + proto = (datastore['SRVSSL'] ? 'https' : 'http') print_status("Using URL: #{proto}://#{opts['ServerHost']}:#{opts['ServerPort']}#{uopts['Path']}") if opts['ServerHost'] == '0.0.0.0' diff --git a/modules/auxiliary/gather/firefox_pdfjs_file_theft.rb b/modules/auxiliary/gather/firefox_pdfjs_file_theft.rb index 3cfad645eee85..4645a8c451348 100644 --- a/modules/auxiliary/gather/firefox_pdfjs_file_theft.rb +++ b/modules/auxiliary/gather/firefox_pdfjs_file_theft.rb @@ -92,7 +92,7 @@ def html end def backend_url - proto = (datastore['SSL'] ? 'https' : 'http') + proto = (datastore['SRVSSL'] ? 'https' : 'http') my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST'] port_str = (datastore['SRVPORT'].to_i == 80) ? '' : ":#{datastore['SRVPORT']}" resource = ('/' == get_resource[-1, 1]) ? get_resource[0, get_resource.length - 1] : get_resource diff --git a/modules/auxiliary/gather/magento_xxe_cve_2024_34102.rb b/modules/auxiliary/gather/magento_xxe_cve_2024_34102.rb index f30a057404c4b..cd028742abed8 100644 --- a/modules/auxiliary/gather/magento_xxe_cve_2024_34102.rb +++ b/modules/auxiliary/gather/magento_xxe_cve_2024_34102.rb @@ -161,7 +161,7 @@ def run end, 'Path' => '/' }, - 'ssl' => false + 'Ssl' => false }) xxe_request diff --git a/modules/auxiliary/gather/safari_file_url_navigation.rb b/modules/auxiliary/gather/safari_file_url_navigation.rb index 225b1cff03c24..f226aa705008e 100644 --- a/modules/auxiliary/gather/safari_file_url_navigation.rb +++ b/modules/auxiliary/gather/safari_file_url_navigation.rb @@ -241,7 +241,7 @@ def start_http(opts = {}) Rex::Proto::Http::Server, opts['ServerPort'].to_i, opts['ServerHost'], - datastore['SSL'], + datastore['SRVSSL'], { 'Msf' => framework, 'MsfExploit' => self, 
diff --git a/modules/auxiliary/server/android_mercury_parseuri.rb b/modules/auxiliary/server/android_mercury_parseuri.rb index db58870d5ba78..4ed7314554db0 100644 --- a/modules/auxiliary/server/android_mercury_parseuri.rb +++ b/modules/auxiliary/server/android_mercury_parseuri.rb @@ -71,7 +71,7 @@ def get_html end def backend_url - proto = (datastore['SSL'] ? 'https' : 'http') + proto = (datastore['SRVSSL'] ? 'https' : 'http') my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST'] port_str = (datastore['SRVPORT'].to_i == 80) ? '' : ":#{datastore['SRVPORT']}" resource = ('/' == get_resource[-1, 1]) ? get_resource[0, get_resource.length - 1] : get_resource diff --git a/modules/auxiliary/server/capture/http_javascript_keylogger.rb b/modules/auxiliary/server/capture/http_javascript_keylogger.rb index 5067e3acfb274..d968f0f77e9cd 100644 --- a/modules/auxiliary/server/capture/http_javascript_keylogger.rb +++ b/modules/auxiliary/server/capture/http_javascript_keylogger.rb @@ -123,7 +123,7 @@ def generate_base_url(cli, req) port = datastore['SRVPORT'].to_i end - prot = !datastore['SSL'].nil? ? 'https://' : 'http://' + prot = datastore['SRVSSL'] ? 'https://' : 'http://' if Rex::Socket.is_ipv6?(host) host = "[#{host}]" end diff --git a/modules/exploits/linux/http/chaos_rat_xss_to_rce.rb b/modules/exploits/linux/http/chaos_rat_xss_to_rce.rb index bc696c880e64a..9771a7da64b89 100644 --- a/modules/exploits/linux/http/chaos_rat_xss_to_rce.rb +++ b/modules/exploits/linux/http/chaos_rat_xss_to_rce.rb @@ -282,7 +282,7 @@ def start_http_service(opts = {}) Rex::Proto::Http::Server, (opts['ServerPort'] || bindport).to_i, opts['ServerHost'] || bindhost, - datastore['SSL'], + datastore['SRVSSL'], { 'Msf' => framework, 'MsfExploit' => self 
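Review bot: The replaced expression `!datastore['SSL'].nil? ? 'https://' : 'http://'` in generate_base_url was true for any registered value, including the `false` default shown in the tcp_server.rb hunk, so this hunk is a behaviour fix (the generated URL was always `https://`) rather than a rename, and the commit message does not mention it. A short comment, `# SRVSSL is a real boolean; the old nil? check made every URL https`, or a sentence in the commit description would keep the next reader from treating it as a mechanical substitution. generate_base_url's body starts before the hunk.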
@@ -300,7 +300,7 @@ def start_http_service(opts = {}) 'Proc' => method(:on_request_uri), 'Path' => resource_uri }.update(opts['Uri'] || {}) - proto = (datastore['SSL'] ? 'https' : 'http') + proto = (datastore['SRVSSL'] ? 'https' : 'http') netloc = opts['ServerHost'] || bindhost http_srvport = (opts['ServerPort'] || bindport).to_i diff --git a/modules/exploits/linux/http/craftcms_ftp_template.rb b/modules/exploits/linux/http/craftcms_ftp_template.rb index e52d9ab1225d9..e41565fd963fa 100644 --- a/modules/exploits/linux/http/craftcms_ftp_template.rb +++ b/modules/exploits/linux/http/craftcms_ftp_template.rb @@ -201,14 +201,7 @@ def trigger_http_request end def start_ftp_service - if datastore['SSL'] == true - reset_ssl = true - datastore['SSL'] = false - end start_service - if reset_ssl - datastore['SSL'] = true - end end def exploit diff --git a/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb b/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb index 2bc7d7d1e35dc..ea52c918ae779 100644 --- a/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb +++ b/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb @@ -147,7 +147,7 @@ def exploit }, 'Path' => resource_uri }, - 'ssl' => false # do not use SSL + 'Ssl' => false }) end diff --git a/modules/exploits/linux/http/dlink_dir615_up_exec.rb b/modules/exploits/linux/http/dlink_dir615_up_exec.rb index 63919d006fcdb..a1229e4fd31e1 100644 --- a/modules/exploits/linux/http/dlink_dir615_up_exec.rb +++ b/modules/exploits/linux/http/dlink_dir615_up_exec.rb @@ -178,7 +178,7 @@ def exploit }, 'Path' => resource_uri }, - 'ssl' => false # do not use SSL + 'Ssl' => false }) end diff --git a/modules/exploits/linux/http/dlink_hnap_login_bof.rb b/modules/exploits/linux/http/dlink_hnap_login_bof.rb index 7674f164a0fe7..e88973b8cd037 100644 --- a/modules/exploits/linux/http/dlink_hnap_login_bof.rb +++ b/modules/exploits/linux/http/dlink_hnap_login_bof.rb 
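Review bot: `start_ftp_service` in craftcms_ftp_template is now a bare pass-through to `start_service`, so either inline the call at its caller or leave a line explaining why the toggle went away, e.g. `# Listener TLS follows SRVSSL; the client-side SSL option no longer needs to be forced off here`. The removed code also guaranteed a plaintext FTP listener regardless of datastore, whereas the new code gives a TLS listener when SRVSSL is true; if the target is expected to fetch over plain FTP, confirm that is acceptable or document that SRVSSL must stay false for this module. The caller of start_ftp_service lies outside the hunk.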
@@ -277,7 +277,7 @@ def exploit }, 'Path' => resource_uri }, - 'ssl' => false # do not use SSL + 'Ssl' => false }) print_status("#{peer} - Asking the device to download and execute #{service_url}") diff --git a/modules/exploits/linux/http/ibm_qradar_unauth_rce.rb b/modules/exploits/linux/http/ibm_qradar_unauth_rce.rb index d492583774726..065f7a97afce9 100644 --- a/modules/exploits/linux/http/ibm_qradar_unauth_rce.rb +++ b/modules/exploits/linux/http/ibm_qradar_unauth_rce.rb @@ -152,7 +152,7 @@ def exploit srv_host = datastore['SRVHOST'] end - http_service = (datastore['SSL'] ? 'https://' : 'http://') + srv_host + ':' + datastore['SRVPORT'].to_s + http_service = (datastore['SRVSSL'] ? 'https://' : 'http://') + srv_host + ':' + datastore['SRVPORT'].to_s service_uri = http_service + '/' + @payload_name print_status("#{peer} - Starting up our web service on #{http_service} ...") diff --git a/modules/exploits/linux/http/linksys_e1500_apply_exec.rb b/modules/exploits/linux/http/linksys_e1500_apply_exec.rb index 9b1b327b8e147..e8d05d97548e1 100644 --- a/modules/exploits/linux/http/linksys_e1500_apply_exec.rb +++ b/modules/exploits/linux/http/linksys_e1500_apply_exec.rb @@ -176,7 +176,7 @@ def exploit }, 'Path' => resource_uri }, - 'ssl' => false # do not use SSL + 'Ssl' => false }) end diff --git a/modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb b/modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb index e36fe532d2823..fc25dbf7b06c9 100644 --- a/modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb +++ b/modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb @@ -327,7 +327,7 @@ def exploit }, 'Path' => resource_uri }, - 'ssl' => false # do not use SSL + 'Ssl' => false }) end diff --git a/modules/exploits/linux/http/magento_xxe_to_glibc_buf_overflow.rb b/modules/exploits/linux/http/magento_xxe_to_glibc_buf_overflow.rb index 04a589ed635aa..ac4846515f527 100644 --- a/modules/exploits/linux/http/magento_xxe_to_glibc_buf_overflow.rb 
+++ b/modules/exploits/linux/http/magento_xxe_to_glibc_buf_overflow.rb @@ -571,7 +571,7 @@ def setup_module end, 'Path' => '/' }, - 'ssl' => false + 'Ssl' => false }) print_status('Server started') end diff --git a/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb b/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb index 0257ca3dd1fe8..f158526157bcb 100644 --- a/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb +++ b/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb @@ -181,7 +181,7 @@ def exploit }, 'Path' => resource_uri }, - 'ssl' => false # do not use SSL + 'Ssl' => false }) end diff --git a/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb b/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb index 15e44d14d1917..01a5bda676570 100644 --- a/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb +++ b/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb @@ -296,7 +296,7 @@ def exploit }, 'Path' => resource_uri }, - 'ssl' => false # do not use SSL + 'Ssl' => false }) end diff --git a/modules/exploits/linux/http/spark_unauth_rce.rb b/modules/exploits/linux/http/spark_unauth_rce.rb index 3506491a485df..c4e623777c8d2 100644 --- a/modules/exploits/linux/http/spark_unauth_rce.rb +++ b/modules/exploits/linux/http/spark_unauth_rce.rb @@ -62,7 +62,7 @@ def primer path = service.resources.keys[0] binding_ip = srvhost_addr - proto = datastore['SSL'] ? 'https' : 'http' + proto = datastore['SRVSSL'] ? 'https' : 'http' payload_uri = "#{proto}://#{binding_ip}:#{datastore['SRVPORT']}/#{path}" send_payload(payload_uri) diff --git a/modules/exploits/linux/http/vestacp_exec.rb b/modules/exploits/linux/http/vestacp_exec.rb index b65e2bbd73ffe..251362b00c405 100644 --- a/modules/exploits/linux/http/vestacp_exec.rb +++ b/modules/exploits/linux/http/vestacp_exec.rb 
@@ -205,9 +205,9 @@ def payload_implant p = "perl${IFS}-e${IFS}'system(pack(qq,H#{final_payload.length},,qq,#{final_payload},))'" # Yet another datastore variable overriding. - if datastore['SSL'] + if datastore['SRVSSL'] ssl_restore = true - datastore['SSL'] = false + datastore['SRVSSL'] = false end port_restore = datastore['RPORT'] datastore['RPORT'] = 21 @@ -234,7 +234,7 @@ def payload_implant # Revert datastore variables. datastore['RPORT'] = port_restore - datastore['SSL'] = true if ssl_restore + datastore['SRVSSL'] = true if ssl_restore end def exploit @@ -259,7 +259,7 @@ def start_http_server end, 'Path' => resource_uri }, - 'ssl' => false # do not use SSL + 'Ssl' => false }) print_status("Second payload download URI is #{get_uri}") # We need to use instance variables since get_uri keeps using diff --git a/modules/exploits/linux/smtp/exim4_dovecot_exec.rb b/modules/exploits/linux/smtp/exim4_dovecot_exec.rb index 46d2f7d037d19..9d44de3f102c1 100644 --- a/modules/exploits/linux/smtp/exim4_dovecot_exec.rb +++ b/modules/exploits/linux/smtp/exim4_dovecot_exec.rb @@ -135,7 +135,7 @@ def exploit }, 'Path' => resource_uri }, - 'ssl' => false # do not use SSL + 'Ssl' => false }) end diff --git a/modules/exploits/multi/http/bassmaster_js_injection.rb b/modules/exploits/multi/http/bassmaster_js_injection.rb index 47828f6b42960..ac883fd12ff0c 100644 --- a/modules/exploits/multi/http/bassmaster_js_injection.rb +++ b/modules/exploits/multi/http/bassmaster_js_injection.rb @@ -158,7 +158,7 @@ def start_http_server }, 'Path' => resource_uri }, - 'ssl' => false # do not use SSL + 'Ssl' => false }) connect diff --git a/modules/exploits/multi/http/jenkins_metaprogramming.rb b/modules/exploits/multi/http/jenkins_metaprogramming.rb index d5c74b3a66aa0..a9fe493b0bbcf 100644 --- a/modules/exploits/multi/http/jenkins_metaprogramming.rb +++ b/modules/exploits/multi/http/jenkins_metaprogramming.rb 
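Review bot: The toggle in payload_implant now switches `datastore['SRVSSL']` off around a connection that sets `datastore['RPORT'] = 21`, which reads as an outbound client connection to the target's FTP port; the client mixin honours the `SSL` option, not SRVSSL, so this hunk appears to disable TLS on the wrong side and the FTP connect will follow whatever `SSL` is set to for the VestaCP panel. Keep the client option in these two hunks: `if datastore['SSL']`, `datastore['SSL'] = false` and `datastore['SSL'] = true if ssl_restore`; the listener side is already covered by the `'Ssl' => false` passed in start_http_server in the third hunk. payload_implant's body continues outside the hunks, so the connect call itself is not visible here.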
@@ -145,11 +145,8 @@ def exploit vars_get = { 'sandbox' => true }.merge(vars_get) when :java_dropper # NOTE: Ivy is using HTTP unconditionally, so we can't use HTTPS - # HACK: Both HttpClient and HttpServer use datastore['SSL'] - ssl = datastore['SSL'] - datastore['SSL'] = false - start_service('Path' => '/') - datastore['SSL'] = ssl + # HttpClient uses SSL, HttpServer uses SRVSSL + start_service('Path' => '/', 'Ssl' => false) end print_status('Sending Jenkins and Groovy go-go-gadgets') diff --git a/modules/exploits/multi/http/log4shell_header_injection.rb b/modules/exploits/multi/http/log4shell_header_injection.rb index d372bde1ba9f4..87fcc459c2806 100644 --- a/modules/exploits/multi/http/log4shell_header_injection.rb +++ b/modules/exploits/multi/http/log4shell_header_injection.rb @@ -112,7 +112,7 @@ def check_options end def resource_url_string - "http#{datastore['SSL'] ? 's' : ''}://#{datastore['SRVHOST']}:#{datastore['HTTP_SRVPORT']}#{resource_uri}" + "http#{datastore['SRVSSL'] ? 's' : ''}://#{datastore['SRVHOST']}:#{datastore['HTTP_SRVPORT']}#{resource_uri}" end # @@ -261,7 +261,7 @@ def start_http_service(opts = {}) Rex::Proto::Http::Server, (opts['ServerPort'] || bindport).to_i, opts['ServerHost'] || bindhost, - datastore['SSL'], + datastore['SRVSSL'], { 'Msf' => framework, 'MsfExploit' => self @@ -279,7 +279,7 @@ def start_http_service(opts = {}) 'Proc' => method(:on_request_uri), 'Path' => resource_uri }.update(opts['Uri'] || {}) - proto = (datastore['SSL'] ? 'https' : 'http') + proto = (datastore['SRVSSL'] ? 'https' : 'http') netloc = opts['ServerHost'] || bindhost http_srvport = (opts['ServerPort'] || bindport).to_i diff --git a/modules/exploits/multi/http/monsta_ftp_downloadfile_rce.rb b/modules/exploits/multi/http/monsta_ftp_downloadfile_rce.rb index 63c6c7aeff135..8e8230610843b 100644 --- a/modules/exploits/multi/http/monsta_ftp_downloadfile_rce.rb +++ b/modules/exploits/multi/http/monsta_ftp_downloadfile_rce.rb 
@@ -141,7 +141,7 @@ def start_ftp_service(credentials) } send_ftp_response(cli, 220, 'FTP Server Ready') end - start_service({ SSL: false }) + start_service end def handle_ftp_command(_cli, cmd, arg = nil) diff --git a/modules/exploits/multi/http/mutiny_subnetmask_exec.rb b/modules/exploits/multi/http/mutiny_subnetmask_exec.rb index e2b40d381d05b..4456e9f540a33 100644 --- a/modules/exploits/multi/http/mutiny_subnetmask_exec.rb +++ b/modules/exploits/multi/http/mutiny_subnetmask_exec.rb @@ -132,7 +132,7 @@ def start_web_service }, 'Path' => resource_uri }, - 'ssl' => false # do not use SSL + 'Ssl' => false }) return service_url diff --git a/modules/exploits/multi/http/rails_dynamic_render_code_exec.rb b/modules/exploits/multi/http/rails_dynamic_render_code_exec.rb index 61d402700cb8d..d89a23ae063b9 100644 --- a/modules/exploits/multi/http/rails_dynamic_render_code_exec.rb +++ b/modules/exploits/multi/http/rails_dynamic_render_code_exec.rb @@ -177,7 +177,7 @@ def start_http_server }, 'Path' => resource_uri }, - 'ssl' => false # do not use SSL + 'Ssl' => false }) connect diff --git a/modules/exploits/multi/http/struts_default_action_mapper.rb b/modules/exploits/multi/http/struts_default_action_mapper.rb index b205b91c0209e..b15831b62e875 100644 --- a/modules/exploits/multi/http/struts_default_action_mapper.rb +++ b/modules/exploits/multi/http/struts_default_action_mapper.rb @@ -135,7 +135,7 @@ def start_http_service }, 'Path' => '/' }, - 'ssl' => false # do not use SSL + 'Ssl' => false }) return service_url diff --git a/modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb b/modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb index e63a90660deb4..be1d5605da967 100644 --- a/modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb +++ b/modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb 
@@ -174,7 +174,7 @@ def start_http_server }, 'Path' => resource_uri }, - 'ssl' => false # do not use SSL + 'Ssl' => false }) connect diff --git a/modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb b/modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb index bb200c4d4448d..66090efb19af6 100644 --- a/modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb +++ b/modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb @@ -537,7 +537,7 @@ def exploit end, 'Path' => '/' }, - 'ssl' => false # do not use SSL + 'Ssl' => false } ) diff --git a/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb b/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb index 8da9c890b669d..eec949cabc8f7 100644 --- a/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb +++ b/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb @@ -237,7 +237,7 @@ def exploit_linux }, 'Path' => resource_uri }, - 'ssl' => false # do not use SSL + 'Ssl' => false }) end diff --git a/modules/exploits/osx/browser/safari_file_policy.rb b/modules/exploits/osx/browser/safari_file_policy.rb index a17faebb2631c..1519692049b96 100644 --- a/modules/exploits/osx/browser/safari_file_policy.rb +++ b/modules/exploits/osx/browser/safari_file_policy.rb @@ -186,7 +186,7 @@ def start_http(opts = {}) Rex::Proto::Http::Server, opts['ServerPort'].to_i, opts['ServerHost'], - datastore['SSL'], + datastore['SRVSSL'], { 'Msf' => framework, 'MsfExploit' => self, @@ -206,7 +206,7 @@ def start_http(opts = {}) 'Path' => resource_uri }.update(opts['Uri'] || {}) - proto = (datastore["SSL"] ? "https" : "http") + proto = (datastore["SRVSSL"] ? "https" : "http") print_status("Using URL: #{proto}://#{opts['ServerHost']}:#{opts['ServerPort']}#{uopts['Path']}") if (opts['ServerHost'] == '0.0.0.0') diff --git a/modules/exploits/windows/browser/adobe_flashplayer_arrayindexing.rb b/modules/exploits/windows/browser/adobe_flashplayer_arrayindexing.rb index 1c54b0a604d2d..10b05898d5c50 100644 
--- a/modules/exploits/windows/browser/adobe_flashplayer_arrayindexing.rb +++ b/modules/exploits/windows/browser/adobe_flashplayer_arrayindexing.rb @@ -117,7 +117,7 @@ def on_request_uri(cli, request) shellcode << (xor_byte ^ c) end - uri = ((datastore['SSL']) ? "https://" : "http://") + uri = ((datastore['SRVSSL']) ? "https://" : "http://") uri << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST']) uri << ":#{datastore['SRVPORT']}#{get_resource()}/#{code}" diff --git a/modules/exploits/windows/browser/apple_quicktime_mime_type.rb b/modules/exploits/windows/browser/apple_quicktime_mime_type.rb index 2357cd46ea0b7..673b42a8f7799 100644 --- a/modules/exploits/windows/browser/apple_quicktime_mime_type.rb +++ b/modules/exploits/windows/browser/apple_quicktime_mime_type.rb @@ -147,7 +147,7 @@ def on_request_uri(client, request) send_response(client, smil, { 'Content-Type' => "#{type}/#{subtype}" }) else print_status("Sending initial HTML") - url = ((datastore['SSL']) ? "https://" : "http://") + url = ((datastore['SRVSSL']) ? "https://" : "http://") url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST']) url << ":" + datastore['SRVPORT'].to_s url << get_resource diff --git a/modules/exploits/windows/browser/apple_quicktime_rtsp.rb b/modules/exploits/windows/browser/apple_quicktime_rtsp.rb index 8f92f6902f9dd..7ee02d45ff09a 100644 --- a/modules/exploits/windows/browser/apple_quicktime_rtsp.rb +++ b/modules/exploits/windows/browser/apple_quicktime_rtsp.rb @@ -97,7 +97,7 @@ def on_request_uri(client, request) print_status("Sending init HTML") shellcode = Rex::Text.to_unescape(p.encoded) - url = ((datastore['SSL']) ? "https://" : "http://") + url = ((datastore['SRVSSL']) ? "https://" : "http://") url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST']) url << ":" + datastore['SRVPORT'].to_s url << get_resource 
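Review bot: With SRVHOST left at 0.0.0.0 the URL embedded in the served page is derived from the interface that routes to `50.50.50.50`, which need not be the interface the victim actually reached; the QuickTime modules in this same patch use the requesting client instead. Suggest `uri << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'])` — `cli` is the request's client per the hunk header. The enclosing `on_request_uri` method starts outside the hunk.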
diff --git a/modules/exploits/windows/browser/apple_quicktime_smil_debug.rb b/modules/exploits/windows/browser/apple_quicktime_smil_debug.rb index 373a6f64aeefd..028104dd1488f 100644 --- a/modules/exploits/windows/browser/apple_quicktime_smil_debug.rb +++ b/modules/exploits/windows/browser/apple_quicktime_smil_debug.rb @@ -116,7 +116,7 @@ def on_request_uri(client, request) print_status("Sending initial HTML") shellcode = Rex::Text.to_unescape(p.encoded) - url = ((datastore['SSL']) ? "https://" : "http://") + url = ((datastore['SRVSSL']) ? "https://" : "http://") url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST']) url << ":" + datastore['SRVPORT'].to_s url << get_resource diff --git a/modules/exploits/windows/browser/apple_quicktime_texml_font_table.rb b/modules/exploits/windows/browser/apple_quicktime_texml_font_table.rb index e9d585cc5937a..6825c1b428e0b 100644 --- a/modules/exploits/windows/browser/apple_quicktime_texml_font_table.rb +++ b/modules/exploits/windows/browser/apple_quicktime_texml_font_table.rb @@ -181,7 +181,7 @@ def on_request_uri(client, request) else print_status("Sending initial HTML") - url = ((datastore['SSL']) ? "https://" : "http://") + url = ((datastore['SRVSSL']) ? "https://" : "http://") url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST']) url << ":" + datastore['SRVPORT'].to_s url << get_resource diff --git a/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb b/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb index 174a4b812e6e7..b8ed8902ed0b5 100644 --- a/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb +++ b/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb 
@@ -171,7 +171,7 @@ def on_request_uri(cli, request) resp.body = "" my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] - if datastore['SSL'] + if datastore['SRVSSL'] schema = "https" else schema = "http" diff --git a/modules/exploits/windows/browser/honeywell_hscremotedeploy_exec.rb b/modules/exploits/windows/browser/honeywell_hscremotedeploy_exec.rb index 13330879daada..35cfc042a10ef 100644 --- a/modules/exploits/windows/browser/honeywell_hscremotedeploy_exec.rb +++ b/modules/exploits/windows/browser/honeywell_hscremotedeploy_exec.rb @@ -184,7 +184,7 @@ def on_request_uri(cli, request) return end - uri = ((datastore['SSL']) ? "https://" : "http://") + uri = ((datastore['SRVSSL']) ? "https://" : "http://") uri << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']) uri << ":#{datastore['SRVPORT']}" diff --git a/modules/exploits/windows/browser/msvidctl_mpeg2.rb b/modules/exploits/windows/browser/msvidctl_mpeg2.rb index 41400a5fcf24d..8e5308d922c5f 100644 --- a/modules/exploits/windows/browser/msvidctl_mpeg2.rb +++ b/modules/exploits/windows/browser/msvidctl_mpeg2.rb @@ -198,7 +198,7 @@ def on_request_uri(cli, request) j_counter = rand_text_alpha(rand(30) + 2) host = get_srvhost + ":" + (datastore["SRVPORT"].to_s) - gif_uri = "http#{(datastore['SSL'] ? 's' : '')}://#{host}" + gif_uri = "http#{(datastore['SRVSSL'] ? 's' : '')}://#{host}" if ("/" == get_resource[-1, 1]) gif_uri << get_resource[0, get_resource.length - 1] else diff --git a/modules/exploits/windows/browser/notes_handler_cmdinject.rb b/modules/exploits/windows/browser/notes_handler_cmdinject.rb index 217e4e95fb06b..ee45332207211 100644 --- a/modules/exploits/windows/browser/notes_handler_cmdinject.rb +++ b/modules/exploits/windows/browser/notes_handler_cmdinject.rb 
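Review bot: In the honeywell hunk, `Rex::Socket.source_address` with no argument picks the default-route interface when SRVHOST is 0.0.0.0, which may not be the address the victim connected to; the sibling browser modules in this patch pass the peer, so `Rex::Socket.source_address(cli.peerhost)` would be consistent and more likely to produce a reachable URL. `cli` is in scope per the hunk header. The enclosing `on_request_uri` method starts outside the hunk.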
@@ -117,7 +117,7 @@ def on_request_uri(cli, request) end my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] - if datastore['SSL'] + if datastore['SRVSSL'] schema = "https" else schema = "http" diff --git a/modules/exploits/windows/fileformat/office_word_hta.rb b/modules/exploits/windows/fileformat/office_word_hta.rb index 9f4e288935de2..eaa227c368c62 100644 --- a/modules/exploits/windows/fileformat/office_word_hta.rb +++ b/modules/exploits/windows/fileformat/office_word_hta.rb @@ -78,7 +78,7 @@ def generate_uri uri_maxlength = 112 host = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST'] - scheme = datastore['SSL'] ? 'https' : 'http' + scheme = datastore['SRVSSL'] ? 'https' : 'http' uri = "#{scheme}://#{host}:#{datastore['SRVPORT']}#{'/' + Rex::FileUtils.normalize_unix_path(datastore['URIPATH'])}" uri = Rex::Text.hexify(Rex::Text.to_unicode(uri)) diff --git a/modules/exploits/windows/fileformat/word_msdtjs_rce.rb b/modules/exploits/windows/fileformat/word_msdtjs_rce.rb index a212f5e3341df..f9c2886760bab 100644 --- a/modules/exploits/windows/fileformat/word_msdtjs_rce.rb +++ b/modules/exploits/windows/fileformat/word_msdtjs_rce.rb @@ -218,7 +218,7 @@ def build_docx end def primer - @proto = (datastore['SSL'] ? 'https' : 'http') + @proto = (datastore['SRVSSL'] ? 'https' : 'http') if datastore['OUTPUT_FORMAT'] == 'rtf' build_rtf diff --git a/modules/exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219.rb b/modules/exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219.rb index f36da810c0584..dd55f25a4d899 100644 --- a/modules/exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219.rb +++ b/modules/exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219.rb @@ -424,7 +424,7 @@ def serve_http_file(path, respond_with = '') end, 'Path' => path }, - 'ssl' => false # do not use SSL + 'Ssl' => false }) end 
diff --git a/modules/exploits/windows/misc/webdav_delivery.rb b/modules/exploits/windows/misc/webdav_delivery.rb index 73686aab7677d..d2421dcede87b 100644 --- a/modules/exploits/windows/misc/webdav_delivery.rb +++ b/modules/exploits/windows/misc/webdav_delivery.rb @@ -54,7 +54,7 @@ def primer end print_status('Run the following command on the target machine:') webdav = '' - if datastore['SSL'] + if datastore['SRVSSL'] if datastore['SRVPORT'] != 443 fail_with(Failure::BadConfig, 'SRVPORT must be 443') end diff --git a/modules/exploits/windows/novell/netiq_pum_eval.rb b/modules/exploits/windows/novell/netiq_pum_eval.rb index 9880aa9c3fdca..f6b6c3537cbbd 100644 --- a/modules/exploits/windows/novell/netiq_pum_eval.rb +++ b/modules/exploits/windows/novell/netiq_pum_eval.rb @@ -191,7 +191,6 @@ def exploit exename = Rex::Text.rand_text_alpha(1 + rand(2)) print_status("Setting up the Web Service...") - datastore['SSL'] = false resource_uri = '/' + exename + '.exe' service_url = "http://#{lookup_lhost}:#{datastore['SRVPORT']}#{resource_uri}" print_status("Starting up our web service on #{service_url} ...") @@ -201,9 +200,9 @@ def exploit on_request_uri(cli, req) }, 'Path' => resource_uri - } + }, + 'Ssl' => false }) - datastore['SSL'] = true # http://scriptjunkie1.wordpress.com/2010/09/27/command-stagers-in-windows/ vbs_stage = Rex::Text.rand_text_alpha(3 + rand(5)) diff --git a/modules/exploits/windows/nuuo/nuuo_cms_sqli.rb b/modules/exploits/windows/nuuo/nuuo_cms_sqli.rb index 1abef1cf4e83e..0127b6b4ca29d 100644 --- a/modules/exploits/windows/nuuo/nuuo_cms_sqli.rb +++ b/modules/exploits/windows/nuuo/nuuo_cms_sqli.rb @@ -121,13 +121,13 @@ def exploit @pl = generate_payload_exe # do not use SSL - ssl = datastore['SSL'] - datastore['SSL'] = false + ssl = datastore['SRVSSL'] + datastore['SRVSSL'] = false begin Timeout.timeout(datastore['HTTPDELAY']) { super } rescue Timeout::Error - datastore['SSL'] = ssl + datastore['SRVSSL'] = ssl end end end 
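Review bot: Removing `datastore['SSL'] = true` after the web service changes behaviour for a user who set `SSL` false: the old code forced every later client request in this method to HTTPS regardless of that setting, while the new code honours it, so such a user now reaches the PUM endpoint in plaintext. The separation is the right direction, but confirm the `SSL` option registered in `initialize` (outside the hunk) defaults to true for this target, or add a config check so the change is not silently weaker. The hard-coded `service_url = "http://…"` remains consistent with `'Ssl' => false`. The enclosing `exploit` method starts and ends outside the hunk.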
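Review bot: In the nuuo hunk, `datastore['SRVSSL']` is restored only inside `rescue Timeout::Error`, so if `super` returns normally or raises anything else the module leaves SRVSSL forced to false for the rest of the session; the rename to SRVSSL carries that bug forward. Move the restore into an `ensure`: keep `rescue Timeout::Error` (HTTPDELAY expiry is the expected exit and should stay swallowed) and add `ensure` / `datastore['SRVSSL'] = ssl` / `end` in its place. The enclosing `exploit` method starts outside the hunk.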
diff --git a/tools/dev/msftidy_docs.rb b/tools/dev/msftidy_docs.rb index e27e51d1b67c2..10ec23af9518a 100755 --- a/tools/dev/msftidy_docs.rb +++ b/tools/dev/msftidy_docs.rb @@ -245,8 +245,8 @@ def line_checks end # this will catch either bold or h2/3 universal options. Defaults aren't needed since they're not unique to this exploit - if in_options && ln =~ /^\s*[\*#]{2,3}\s*(rhost|rhosts|rport|lport|lhost|srvhost|srvport|ssl|uripath|session|proxies|payload|targeturi)\*{0,2}$/i - warn('Universal options such as rhost(s), rport, lport, lhost, srvhost, srvport, ssl, uripath, session, proxies, payload, targeturi can be removed.', idx) + if in_options && ln =~ /^\s*[\*#]{2,3}\s*(rhost|rhosts|rport|lport|lhost|srvhost|srvport|srvssl|ssl|uripath|session|proxies|payload|targeturi)\*{0,2}$/i + warn('Universal options such as rhost(s), rport, lport, lhost, srvhost, srvport, srvssl, ssl, uripath, session, proxies, payload, targeturi can be removed.', idx) end # find spaces at EOL not in a code block which is ``` or starts with four spaces if !in_codeblock && ln =~ /[ \t]$/ && !(ln =~ /^ /) From 40991ae6fd57a49538826957ef5c438ee32b967c Mon Sep 17 00:00:00 2001 From: Valentin Lobstein Date: Fri, 28 Nov 2025 23:57:34 +0100 Subject: [PATCH 2/2] Fix Rubocop offenses in word_mshtml_rce.rb --- modules/exploits/windows/fileformat/word_mshtml_rce.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/exploits/windows/fileformat/word_mshtml_rce.rb b/modules/exploits/windows/fileformat/word_mshtml_rce.rb index 15663fd7e1abc..6578f43405b65 100644 --- a/modules/exploits/windows/fileformat/word_mshtml_rce.rb +++ b/modules/exploits/windows/fileformat/word_mshtml_rce.rb 
@@ -29,8 +29,8 @@ def initialize(info = {}) ['URL', 'https://github.com/klezVirus/CVE-2021-40444'] ], 'Author' => [ - 'lockedbyte ', # Vulnerability discovery. - 'klezVirus ', # References and PoC. + 'lockedbyte', # Vulnerability discovery. + 'klezVirus', # References and PoC. 'thesunRider', # Official Metasploit module. 'mekhalleh (RAMELLA Sébastien)' # Zeop-CyberSecurity - code base contribution and refactoring. ], @@ -68,7 +68,7 @@ def initialize(info = {}) end def bin_to_hex(bstr) - return(bstr.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join) + return (bstr.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join) end def cab_checksum(data, seed = "\x00\x00\x00\x00") @@ -321,7 +321,7 @@ def unpack_docx(template_path) def primer print_status('CVE-2021-40444: Generate a malicious docx file') - @proto = (datastore['SSL'] ? 'https' : 'http') + @proto = (datastore['SRVSSL'] ? 'https' : 'http') if datastore['SRVHOST'] == '0.0.0.0' datastore['SRVHOST'] = Rex::Socket.source_address end
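Review bot: The RuboCop fix in `bin_to_hex` keeps an explicit `return` around a parenthesised expression, which is not idiomatic Ruby; the whole body can be `bstr.unpack1('H*')`, which yields the same lowercase, zero-padded hex string as the per-byte `to_s(16).rjust(2, '0')` join. Proposed: `def bin_to_hex(bstr)` / `  bstr.unpack1('H*')` / `end`. The `cab_checksum` definition that follows starts outside the hunk.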