File solarwinds_orion_dump.rb has 526 lines of code (exceeds 250 allowed). Consider refactoring. Open
require 'metasploit/framework/credential_collection'
class MetasploitModule < Msf::Post
include Msf::Post::Common
include Msf::Post::File
Method orion_secret_decrypt has a Cognitive Complexity of 25 (exceeds 5 allowed). Consider refactoring. Open
def orion_secret_decrypt(ciphertext)
if ciphertext.start_with?('<') # This is XMLSEC
unless @orion_rsa_key
print_warning('RSA key unavailable, cannot decrypt XMLSEC ciphertext')
vprint_warning("Ciphertext: #{ciphertext}")
Cognitive Complexity
Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.
A method's cognitive complexity is based on a few simple rules:
- Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
- Code is considered more complex for each "break in the linear flow of the code"
- Code is considered more complex when "flow breaking structures are nested"
Method decrypt_orion_db has a Cognitive Complexity of 23 (exceeds 5 allowed). Consider refactoring. Open
def decrypt_orion_db(csv_dataset)
fail_with(Msf::Exploit::Failure::Unknown, 'Dataset contains no column values') unless csv_dataset
current_row = 0
decrypted_rows = 0
Method decrypt_orion_db has 71 lines of code (exceeds 25 allowed). Consider refactoring. Open
def decrypt_orion_db(csv_dataset)
fail_with(Msf::Exploit::Failure::Unknown, 'Dataset contains no column values') unless csv_dataset
current_row = 0
decrypted_rows = 0
Method get_orion_certificate has a Cognitive Complexity of 19 (exceeds 5 allowed). Consider refactoring. Open
def get_orion_certificate
print_status('Extract SolarWinds Orion SSL Certificate Private Key ...')
if datastore['RSA_KEY_FILE']
return nil unless ::File.file?(datastore['RSA_KEY_FILE'])
Method initialize has 64 lines of code (exceeds 25 allowed). Consider refactoring. Open
def initialize(info = {})
super(
update_info(
info,
'Name' => 'SolarWinds Orion Secrets Dump',
Class MetasploitModule has 22 methods (exceeds 20 allowed). Consider refactoring. Open
class MetasploitModule < Msf::Post
include Msf::Post::Common
include Msf::Post::File
include Msf::Post::Windows::MSSQL
include Msf::Post::Windows::Powershell
Method init_orion_db has 58 lines of code (exceeds 25 allowed). Consider refactoring. Open
def init_orion_db(orion_path)
if datastore['MSSQL_INSTANCE'] && datastore['MSSQL_DB']
print_status('MSSQL_INSTANCE and MSSQL_DB advanced options set, connect to SQL using SSPI')
db_instance_path = datastore['MSSQL_INSTANCE']
db_name = datastore['MSSQL_DB']
Method init_orion_db has a Cognitive Complexity of 15 (exceeds 5 allowed). Consider refactoring. Open
def init_orion_db(orion_path)
if datastore['MSSQL_INSTANCE'] && datastore['MSSQL_DB']
print_status('MSSQL_INSTANCE and MSSQL_DB advanced options set, connect to SQL using SSPI')
db_instance_path = datastore['MSSQL_INSTANCE']
db_name = datastore['MSSQL_DB']
Method orion_secret_decrypt has 46 lines of code (exceeds 25 allowed). Consider refactoring. Open
def orion_secret_decrypt(ciphertext)
if ciphertext.start_with?('<') # This is XMLSEC
unless @orion_rsa_key
print_warning('RSA key unavailable, cannot decrypt XMLSEC ciphertext')
vprint_warning("Ciphertext: #{ciphertext}")
Method get_orion_certificate has 38 lines of code (exceeds 25 allowed). Consider refactoring. Open
def get_orion_certificate
print_status('Extract SolarWinds Orion SSL Certificate Private Key ...')
if datastore['RSA_KEY_FILE']
return nil unless ::File.file?(datastore['RSA_KEY_FILE'])
Method init_orion_encryption has a Cognitive Complexity of 11 (exceeds 5 allowed). Consider refactoring. Open
def init_orion_encryption
print_status('Init SolarWinds Crypto ...')
if datastore['AES_KEY']
unless datastore['AES_KEY'].match?(/^[0-9a-f]+$/i) && datastore['AES_KEY'].length == 64
fail_with(Msf::Exploit::Failure::BadConfig, 'Provided AES key is not valid 256-bit / 64-byte hexidecimal data')
Method read_csv_file has a Cognitive Complexity of 10 (exceeds 5 allowed). Consider refactoring. Open
def read_csv_file(file_name)
fail_with(Msf::Exploit::Failure::NoTarget, "CSV file #{file_name} not found") unless ::File.file?(file_name)
csv_rows = ::File.binread(file_name)
csv = ::CSV.parse(
Method run has a Cognitive Complexity of 10 (exceeds 5 allowed). Consider refactoring. Open
def run
init_module
current_action = action.name.downcase
if current_action == 'export' || current_action == 'dump'
print_status('Performing export of SolarWinds Orion SQL database to CSV file')
Method init_orion_encryption has 26 lines of code (exceeds 25 allowed). Consider refactoring. Open
def init_orion_encryption
print_status('Init SolarWinds Crypto ...')
if datastore['AES_KEY']
unless datastore['AES_KEY'].match?(/^[0-9a-f]+$/i) && datastore['AES_KEY'].length == 64
fail_with(Msf::Exploit::Failure::BadConfig, 'Provided AES key is not valid 256-bit / 64-byte hexidecimal data')
Method decrypt has 26 lines of code (exceeds 25 allowed). Consider refactoring. Open
def decrypt(csv_file)
csv = read_csv_file(csv_file)
total_rows = csv.count
print_good("#{total_rows} rows loaded, #{@orion_total_secrets} unique CredentialIDs")
result = decrypt_orion_db(csv)
Method dpapi_decrypt has a Cognitive Complexity of 9 (exceeds 5 allowed). Consider refactoring. Open
def dpapi_decrypt(b64, entropy)
unless b64.match?(%r{^[-A-Za-z0-9+/]*={0,3}$})
print_error('DPAPI decrypt: invalid Base64 ciphertext')
return nil
end
Avoid too many return statements within this method. Open
return nil
Avoid too many return statements within this method. Open
return nil
Method aes_cbc_decrypt has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring. Open
def aes_cbc_decrypt(ciphertext_bytes, aes_key, aes_iv)
return nil unless aes_iv.length == 16
case aes_key.length
when 16
Method init_module has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring. Open
def init_module
orion_hostname = get_env('COMPUTERNAME')
print_status("Hostname #{orion_hostname} IPv4 #{rhost}")
require_sql = action.name.downcase == 'export' || action.name.downcase == 'dump' # only need to be concerned with SQL if doing these actions
if require_sql
Method dump_orion_db has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring. Open
def dump_orion_db
# CONVERT(VARBINARY()) is an awful hack to get around sqlcmd's equally awful support for CSV output
sql_query = 'SET NOCOUNT ON;SELECT c.ID AS CredentialID,
CONVERT(VARBINARY(1024),c.Name) Name,
CONVERT(VARBINARY(1024),c.Description) Description,
Method decrypt has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring. Open
def decrypt(csv_file)
csv = read_csv_file(csv_file)
total_rows = csv.count
print_good("#{total_rows} rows loaded, #{@orion_total_secrets} unique CredentialIDs")
result = decrypt_orion_db(csv)