Implement suggested changes

zeroSteiner · Oct 31, 2024 · 5550e07 · 5550e07
1 parent 9f41937
commit 5550e07
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 6 deletions.
diff --git a/lib/rex/proto/ms_nrtp/client.rb b/lib/rex/proto/ms_nrtp/client.rb
@@ -12,6 +12,7 @@ class Rex::Proto::MsNrtp::Client
   attr_reader :port
 
   # @return [String] The server resource component of the URI string.
+  attr_reader :resource
 
   # @return [Boolean] Whether or not SSL is used for the connection.
   attr_reader :ssl
@@ -79,7 +80,7 @@ def recv
         MsNrtpMessage.read(@conn)
       end
     end
-    return nil unless message.operation_type == 2 && message.content_length?
+    return nil unless message.operation_type == Enums::OperationTypeEnum[:Reply] && message.content_length?
 
     remaining -= elapsed_time
     body = ''
@@ -99,8 +100,8 @@ def send(data, content_type)
       content_length: data.length,
       headers: [
         { token: MsNrtpHeader::MsNrtpHeaderUri::TOKEN, header: { uri_value: "tcp://#{Rex::Socket.to_authority(@host, @port)}/#{@resource}" } },
-        { token: 6, header: { content_type_value: content_type } },
-        { token: 0}
+        { token: MsNrtpHeader::MsNrtpHeaderContentType::TOKEN, header: { content_type_value: content_type } },
+        { token: MsNrtpHeader::MsNrtpHeaderEnd::TOKEN }
       ]
     )
     @conn.put(message.to_binary_s + data)

diff --git a/lib/rex/proto/ms_nrtp/enums.rb b/lib/rex/proto/ms_nrtp/enums.rb
@@ -0,0 +1,10 @@
+module Rex::Proto::MsNrtp
+  module Enums
+    OperationTypeEnum = {
+      # see: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrtp/e64b2561-defe-4fb5-865e-ea6706c1253d
+      Request: 0,
+      OneWayRequest: 1,
+      Reply: 2
+    }
+  end
+end
diff --git a/modules/exploits/windows/misc/ivanti_agent_portal_cmdexec.rb b/modules/exploits/windows/misc/ivanti_agent_portal_cmdexec.rb
@@ -51,10 +51,11 @@ def initialize(info = {})
 
   def check
     cwd = execute_command('echo %cd%', 0)
-    CheckCode::Safe unless cwd.to_s =~ /.:\\Windows\\System32/i
-    CheckCode::Vulnerable
+    return CheckCode::Safe('Command execution failed.') unless cwd.to_s =~ /.:\\Windows\\System32/i
+
+    CheckCode::Vulnerable("Command execution test succeeded. Current working directory: #{cwd}")
   rescue Rex::SocketError
-    CheckCode::Safe
+    CheckCode::Safe('MS-NRTP connection failed.')
   end
 
   def exploit